Kerio Rules

Discussion in 'other firewalls' started by jaxson, Feb 21, 2003.

Thread Status:
Not open for further replies.
  1. jaxson

    jaxson Registered Member

    Joined:
    Feb 21, 2003
    Posts:
    33
    Hi

    Had it installed a few days, seems fine, but just wanted to see if I should tweak any of these rules. Still a few applications that I let online that I haven't run yet, but I don't think they will be the problem, it's just all this stuff at the top I don't really understand.
     

    Attached Files:

  2. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
  3. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hi,

    I should not use a general loopback rule but only for the needed applications, like IE and OE for instance.
    DNS rules only for your ISP DNS servers.

    You might have a look here :
    http://tinylink.com/?jX9T2MsOVq

    (French but the rules are edited in Eng)

    Rgds,
     
  4. jaxson

    jaxson Registered Member

    Joined:
    Feb 21, 2003
    Posts:
    33
    Cheers.

    I changed the loopback so only IE uses it.

    Sounds lazy but do I really need to go through all that lot?
    It'll take ages :(

    I don't like ZA, too bulky, so maybe Outpost or Sygate are better for me
    if you need to really setup all this stuff?
     
  5. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    The basic problem is pretty much the same with all of the rules-based firewalls. And, in saying that, I specifically include Tiny/Kerio/Sygate/Outpost/LnS/NIS/NPF. (And the rules are pretty much translatable from any of the above to any other. Indeed, the people that write recommended rulesets for one often collaborate with people writing rulesets for another.)

    However, there's no need to freak out about all this. Most of them start off with a set of default rules that are at least as rigorous as what you would find with the free version of Zone Alarm. Take your time, do it at your leisure (and you'll learn a lot more about firewalls in the process).

    What we're talking about here is tightening the rules up as much as possible to reflect your specific needs and requirements, based on your particular system configuration -- that's all.

    There's admittedly a bit of esoterica in all this, but if you just take it one step at a time, you'll do just fine.
     
  6. SpaceCowboy

    SpaceCowboy Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    40
    If you aren't willing to spend time and tweak your rules for Kerio then I would suggest a different firewall.

    Sygate Personal Firewall is very easy to use. It is an application-based firewall with the capability to make advanced rules if you want to.
    http://soho.sygate.com/products/shield_ov.htm

    This site will help you learn about it. Very good info:
    http://home.bellsouth.net/p/s/community.dll?ep=16&groupid=60610&ck=&userid=1&userpw=.&uh=1,0,

    Plus they have a support forum if you need it.
    http://forums.sygatetech.com/
     
  7. jaxson

    jaxson Registered Member

    Joined:
    Feb 21, 2003
    Posts:
    33
    Hi

    Well, if Kerio default rules are more rigorous than ZA anyway, I'll do it at my own pace like you say :)

    And I'm a single user home PC, using Windows 2000 and connecting to the net using NTL Cable STB connected by NIC, if that makes any difference.
     
  8. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    JacK,

    Does the following link lead to the same discussion in English?
    http://www.blarp.com/faq/faqmanager.cgi?toc=kerio (plus maybe some other information?)
     
  9. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    Jaxson.

    The rules in Kerio aren't that hard to configure.
    I did it. I thought it would be much more difficult.

    A Google search helped me a lot. I saw a lot of options. Some I used, some I didn't.
    I added 6 rules and while that doesn't seem like much, I'm comfortable with that for now.

    I'm sure that I will have to tweak my rules.
    But most of "my" rules are set. The default rules took care of most of my concerns.
     
  10. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello Joseph,

    Not really. I know the KPF FAQ, NL and Blarp (nice guy BTW), where you will find the basic rules; on the French link given you will find tighter rules for people seeking more control over KPF.

    Nice WE,
     
  11. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi jaxson

    You have already been provided with some good links. Here are a few more to look at for some ideas:

    Customizing Rules
    System Wide
    Global Permit/Block
    Application
    Final Block

    Although the terminology varies from product to product, the concept or intent of the rules remains the same. (i.e. what other products call Remote Address, Kerio refers to as Remote Endpoint.)

    As a starting point for your application rules, you may want to look at restricting them to the remote services/ports you will need. Right now your application rules permit outbound to any remote service/port.

    Example:
    Internet Explorer: remote service/port - 80, 443, 8080
    Microsoft Outlook: remote service/port - 25, 110

    Default rules with the Kerio install that you can probably remove:
    Local Security Authority System
    Microsoft DS
    Services and Controller App
    Generic Host Process

    The Reply from DHCP should already be covered by the default DHCP near the top of your rule set.

    The loopback rule concern can be dealt with a number of different ways. If you choose to go on a per application basis that is fine. I have attached an image of a rule set as an example only and to provide you with some ideas and it uses per application loopback rules. Note if you use a final block for outbound, make sure you enable logging as this will usually disable the rule assistant/wizard in most products and you will not be prompted for new applications wanting to access the network. They will just be blocked and logged. As has already been suggested, there is no one rule set for everyone. You will have to determine what best suits your needs.

    For some of your specific applications, you may need to enable logging for short periods while using the application to determine just what local and remote services/ports and addresses are used to help determine how you customize the rules for those applications.

    edit to update image and text accordingly - CrazyM

    Regards,

    CrazyM
     

    Attached Files:

  12. jaxson

    jaxson Registered Member

    Joined:
    Feb 21, 2003
    Posts:
    33
    Hi

    Thanks for all the helpful replies. Here are my latest rules after editing
    from your advice.

    Are my basic system rules ok?

    I've edited some applications a little, but I don't know what ports they use and stuff. Is anyone able to help with MSN and Kazaa, as they are quite common?
     

    Attached Files:

  13. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    Hey Jaxson,

    You got the basic rules set up good IMO.

    I don't know the ports regarding Kazaa and MSN.
    CrazyM mentioned enabling logging and watching the programs for info on the ports and addresses that are used.
    I hadn't thought of that.
     
  14. sponge

    sponge Registered Member

    Joined:
    Jan 16, 2003
    Posts:
    6
    Jaxson -

    For the very first rule, I'd block Kerio itself from TCP & UDP. This might sound weird but it provides a little protection should the firewall itself be compromised.

    Then put a rule right beneath the DNS rule blocking all traffic to and from Port 53 (remote). Since you have DNS already as restricted as it can be there is no point in allowing Port 53 traffic to continue further down the list. Ditto for DHCP.

    I would also enable that last rule blocking everything.

    You should consider adding some spyware IP filters if you plan on using IE and IRC, since a lot of the spyware out there likes to hijack IE, and if you use auto DCC on IRC you can get something loaded on your system quite easily.

    All in all it looks like a good setup.

    Sponge
    Sponge's Anti-Spyware Source
    www.geocities.com/yosponge
     
  15. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Isn't the first rule actually too narrow to block all NetBIOS? Set up the way it is, see image, isn't it only saying to block any connections to/from local ports 137-139 from/to remote ports 137-139? Wouldn't an incoming bugbear/opaserv connection to local UDP port 137 get by this rule since these generally come from a remote port of 1024 and above?
     

    Attached Files:

  16. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Nice catch LWM :)

    A more effective way would be to have two rules:

    Block inbound netbios
    protocol: tcp/udp
    direction: inbound
    local service/ports: 135-139
    remote service/ports: any
    any address

    Block outbound netbios
    protocol: tcp/udp
    direction: outbound
    local service/ports: any
    remote service/ports: 135-139
    any address

    If he activates his final block rule, that would also cover the above.

    Regards,

    CrazyM
     
  17. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello,

    I should add a second DNS rule :

    Description: Other DNS
    Protocol: TCP and UDP
    Direction: Both
    Local Port: Any
    Local App.: Any
    Remote Address Type: Any
    Port type: Single
    Port number: 53
    Action: Deny

    Special applications ports to open for MSN and others :

    http://www.practicallynetworked.com/sharing/app_port_list.htm

    for Kazaa :

    Description: Kazaa out
    Protocol: TCP
    Direction: Outbound
    Remote Address Type: Any
    Local Port: Any
    Remote Port: 1214
    Action: Allow

    Description: Kazaa in
    Protocol: TCP
    Direction: Inbound
    Remote Address Type: Any
    Local Port: 1214
    Remote Port: Any
    Action: Allow

    Description: Kazaa HTTP
    Protocol: TCP
    Direction: Outbound
    Remote Address Type: Any
    Remote Port: 80-83, 443, 1080, 3128, 8080, 8088, 11523
    Action: Allow

    Rgds,
     
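The two corrections above (CrazyM's split inbound/outbound NetBIOS rules in place of the single narrow rule LowWaterMark questioned, and JacK's "Other DNS" deny placed after the ISP DNS permit) can be checked with a small first-match rule evaluator. This is an added example, not code from the thread or from Kerio itself; the ISP resolver range and the probe address are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = None  # wildcard for a port range or remote network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str           # "allow" or "deny"
    protos: frozenset     # subset of {"tcp", "udp"}
    direction: str        # "in", "out" or "both"
    local_ports: tuple    # (low, high) or ANY
    remote_ports: tuple   # (low, high) or ANY
    remote_net: str = ANY  # CIDR string or ANY


@dataclass(frozen=True)
class Packet:
    proto: str
    direction: str
    local_port: int
    remote_port: int
    remote_ip: str


def _in_range(port, rng):
    return rng is ANY or rng[0] <= port <= rng[1]


def matches(rule, pkt):
    return (pkt.proto in rule.protos
            and rule.direction in ("both", pkt.direction)
            and _in_range(pkt.local_port, rule.local_ports)
            and _in_range(pkt.remote_port, rule.remote_ports)
            and (rule.remote_net is ANY
                 or ip_address(pkt.remote_ip) in ip_network(rule.remote_net)))


def decide(ruleset, pkt, default="ask"):
    """First matching rule wins; with no match Kerio would prompt (modelled as 'ask')."""
    for rule in ruleset:
        if matches(rule, pkt):
            return rule.action, rule.name
    return default, "no rule matched"


TCP_UDP = frozenset({"tcp", "udp"})
# The FAQ's single rule: BOTH local and remote ports must fall in 137-139.
NARROW_NETBIOS = [Rule("Block NetBIOS", "deny", TCP_UDP, "both", (137, 139), (137, 139))]
# CrazyM's replacement: match on the local port inbound, the remote port outbound.
TWO_RULE_NETBIOS = [Rule("Block inbound netbios", "deny", TCP_UDP, "in", (135, 139), ANY),
                    Rule("Block outbound netbios", "deny", TCP_UDP, "out", ANY, (135, 139))]
# JacK's DNS pair: ISP resolvers permitted first, every other port-53 peer denied.
DNS_RULES = [Rule("ISP DNS", "allow", TCP_UDP, "both", ANY, (53, 53), "192.0.2.0/24"),  # constructed ISP range
             Rule("Other DNS", "deny", TCP_UDP, "both", ANY, (53, 53))]
# Constructed sample: a probe from an ephemeral remote port to local UDP 137.
PROBE = Packet("udp", "in", 137, 1034, "203.0.113.7")
```

Running `decide(NARROW_NETBIOS, PROBE)` falls through to the prompt because the remote port is not 137-139, while `decide(TWO_RULE_NETBIOS, PROBE)` denies it outright.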
  18. controler

    controler Guest

    Since I am now using Sygate free version and we are posting screen shots, I thought I would add a few and any of those people using Sygate Pro's advanced features can then chime in at any point.
     

    Attached Files:

  19. controler

    controler Guest

    Notice in the screenshot above the grayed out check boxes.
    Those sure look like important and cool options to me.
     
  20. controler

    controler Guest

    The next two screen shots are the application advanced rule sets
    configuration area.
     
  21. controler

    controler Guest

    .
     

    Attached Files:

  22. controler

    controler Guest

    .
     

    Attached Files:

  23. jaxson

    jaxson Registered Member

    Joined:
    Feb 21, 2003
    Posts:
    33
    sponge:

    I'll add that rule, so I need to block persfw.exe and pfwadmin.exe?

    Added the DNS and DHCP ones too, as a few other people also said.

    LowWaterMark:

    I got that rule from:

    http://www.blarp.com/faq/faqmanager.cgi?file=kerio_genrules&toc=kerio

    So I just added it, thought it would be right if it was in their FAQ :(

    CrazyM:

    Will add those. :)

    JacK:

    I tried those Kazaa rules but it just won't connect me to Kazaa with them.
    It starts asking me to let it connect to loads of different UDP ports and when I deny it doesn't connect me. o_O
     
  24. jaxson

    jaxson Registered Member

    Joined:
    Feb 21, 2003
    Posts:
    33
    Also

    I'll enable the block everything else rule when I have configured all my apps.

    Another thing though: the open connections window I don't get. Here is a screenshot, what are all those things listening? Should they be listed there?

    Black parts I've marked are just covering my IP.
     

    Attached Files:

  25. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Yes, those are normal. The three lines you blacked out your IP on are just NetBIOS, of course. You said in a previous post:

    >> ...And i'm a single user home pc, using Windows 2000 and connecting to the net using...

    If you are just a single, non-locally networked PC, you should just disable NetBIOS (see this: link). Ports 135 and 445 are epmap and microsoft-ds. See this thread for more information.
     