

how-to block ads

•Before you start -- You'll have an easier time if you can get the following information and write it down for reference: DNS server address(es); DHCP server address(es); and the subnet mask and address range of any LAN you may have, along with the statically assigned addresses of your active machines if you use static IP addressing locally.

•What the firewalls do and how -- They are simple packet and port filtering firewalls, employing stateful inspection techniques. Kerio is the successor to Tiny, so both share similar features. They accomplish their task by operating at a fairly low level (the TDI and NDIS translation layers, for those interested). As such, they filter ports and IP addresses and support very basic application-layer authentication by verifying that apps are what they say they are via an MD5 hash. As a fully rules-based firewall, there are no automation functions and minimal suggested or precoded rules; the ultimate measure of Tiny's effectiveness depends on sound, ordered rules.

•Windows networking -- The all-important task of shielding NetBIOS ports from abuse is simplified with a special tab behind the firewall rules. Use it. It's a very effective built-in convenience feature. If you leave these ports open to the Internet, you are exposing your entire system, and may as well have no firewall at all from an intruder's point of view.

•Creating a basic ruleset - The emphasis is on "basic." Prompts will help you set up your Internet apps. It's a deny-by-default firewall. The first rules you need will be a deceptively simple trilogy, just a very basic set of rules to allow DNS, DHCP and ICMP. The apps will follow, in due time. If you use static IP addressing (behind a router, for example), the DHCP rule is unnecessary. You may also want to provide open access for your LAN machines, placed near the top of the list, if you have a network and consider it fully trusted.

•Rule priority and ordering - Very simple and critically important; it will be stressed throughout the FAQ. Top down, process until a match is found. When a match is found, apply the matching rule and STOP. Nothing below the match will be looked at at all. Using creativity, this opens up the potential for some very nice if-then conditionals. On the other side, there is no analog to "pass," where a rule is applied and processing continues. This would be a great feature for a future release. For now, though, your only options are allow and deny.

•Logs and alerts - Each rule must be individually set up for logging and alerts. For each rule suggested in this FAQ, you will note that a logging suggestion (log, nolog, alert, noalert) is offered for convenience. Naturally, you can log and alert on anything you like, but following the suggestions should ensure that your logs will be useful without being unnecessarily large and unreadable. In addition, you can choose to log packets to unopened ports and, in more recent versions, to log suspicious activity. These can be useful, but may fill a log rapidly with false positives, noise traffic and so forth. Use your discretion.
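The three points above (the basic DNS/DHCP/ICMP trilogy with a trusted-LAN allow and the NetBIOS shield, top-down first-match processing with STOP, and per-rule log/alert flags) can be exercised together in a small model. The following is an added example, not code from the FAQ or from Tiny/Kerio: it is a Python mock-up of a deny-by-default, first-match rule engine. All addresses, port sets and rule names are constructed (RFC 5737 documentation ranges), and the `shadowed_ruleset()` shows what happens when the NetBIOS deny is placed above the trusted-LAN allow.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed example: a first-match, deny-by-default rule engine that models
# how an ordered rule list is processed. Addresses and ports are illustrative.


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    direction: str              # "in" or "out"
    remote_ip: str
    remote_port: Optional[int] = None
    local_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                               # only "allow" or "deny" exist
    proto: Optional[str] = None               # None matches any protocol
    direction: Optional[str] = None           # None matches both directions
    remote: Optional[Tuple[str, ...]] = None  # CIDR networks; None = any address
    remote_ports: Optional[frozenset] = None
    local_ports: Optional[frozenset] = None
    log: bool = False                         # per-rule logging flag
    alert: bool = False                       # per-rule alert flag

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.direction is not None and pkt.direction != self.direction:
            return False
        if self.remote is not None:
            addr = ip_address(pkt.remote_ip)
            if not any(addr in ip_network(net) for net in self.remote):
                return False
        if self.remote_ports is not None and pkt.remote_port not in self.remote_ports:
            return False
        if self.local_ports is not None and pkt.local_port not in self.local_ports:
            return False
        return True


# Deny-by-default: this is what applies when nothing in the list matched.
# Logging it models the "log packets to unopened ports" option.
DEFAULT_DENY = Rule("implicit deny (no rule matched)", "deny", log=True)


def first_match(rules, pkt: Packet) -> Rule:
    """Top down; the first matching rule wins and processing STOPs."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    return DEFAULT_DENY


def decide(rules, pkt: Packet) -> Tuple[str, str]:
    rule = first_match(rules, pkt)
    return rule.action, rule.name


def log_entry(rules, pkt: Packet) -> Optional[str]:
    """A log line is produced only if the matching rule asked for logging."""
    rule = first_match(rules, pkt)
    if not rule.log:
        return None
    flag = " ALERT" if rule.alert else ""
    return (f"{rule.action.upper()} {pkt.proto}/{pkt.direction} {pkt.remote_ip} "
            f"lport={pkt.local_port} rule='{rule.name}'{flag}")


# Constructed reference values of the kind you write down before starting.
DNS_SERVERS = ("192.0.2.53/32", "192.0.2.54/32")
TRUSTED_LAN = ("192.168.1.0/24",)
NETBIOS_PORTS = frozenset({137, 138, 139, 445})

TRUSTED_LAN_RULE = Rule("trusted LAN", "allow", remote=TRUSTED_LAN)
NETBIOS_SHIELD = Rule("NetBIOS shield", "deny", local_ports=NETBIOS_PORTS, log=True, alert=True)
BASIC_TRILOGY = (
    Rule("DNS", "allow", proto="udp", direction="out", remote=DNS_SERVERS,
         remote_ports=frozenset({53})),
    Rule("DHCP", "allow", proto="udp", remote_ports=frozenset({67}), local_ports=frozenset({68})),
    Rule("ICMP", "allow", proto="icmp"),
)


def basic_ruleset():
    """LAN allow near the top, then the NetBIOS shield, then the trilogy."""
    return (TRUSTED_LAN_RULE, NETBIOS_SHIELD) + BASIC_TRILOGY


def shadowed_ruleset():
    """Same rules, wrong order: the NetBIOS deny now matches LAN peers first,
    so LAN file sharing is blocked and the allow below is never consulted."""
    return (NETBIOS_SHIELD, TRUSTED_LAN_RULE) + BASIC_TRILOGY


SAMPLE_PACKETS = {  # constructed traffic
    "dns query out":      Packet("udp", "out", "192.0.2.53", remote_port=53, local_port=1055),
    "dhcp offer in":      Packet("udp", "in", "192.0.2.1", remote_port=67, local_port=68),
    "ping reply in":      Packet("icmp", "in", "198.51.100.9"),
    "internet smb probe": Packet("tcp", "in", "203.0.113.7", remote_port=4321, local_port=445),
    "lan smb from peer":  Packet("tcp", "in", "192.168.1.20", remote_port=4321, local_port=445),
    "unsolicited 8080":   Packet("tcp", "in", "203.0.113.7", remote_port=4321, local_port=8080),
}


if __name__ == "__main__":
    for label, rules in (("basic", basic_ruleset()), ("shadowed", shadowed_ruleset())):
        print(f"== {label} ordering ==")
        for name, pkt in SAMPLE_PACKETS.items():
            action, by = decide(rules, pkt)
            print(f"{name:20} -> {action:5} ({by})  log: {log_entry(rules, pkt)}")
```

Running it prints the verdict for each constructed packet under both orderings; the only difference is the LAN SMB packet, which is allowed by the trusted-LAN rule in the basic ordering and denied by the NetBIOS shield in the shadowed one. The DNS allow is set to nolog and the NetBIOS deny to log/alert, so quiet expected traffic produces no entries while a probe at a shielded port does.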

•Advanced rulemaking - We'll cover advanced rules in the FAQ as needed. Suggestions and requests are always welcome.



by gwion See Profile edited by JMGullett See Profile
last modified: 2007-07-25 16:14:46