bjf123
We Want... A Shrubbery
Premium
join:2000-02-11
Hamilton, OH

Tiny to Kerio Rules

I just updated from TPF 2.0.15a to KPF 2.1 and thought it would be a good time to get some input on my rules, so here they are. Comments? Suggestions? Thanks....
--
Golf is a relatively simple game, played by reasonably intelligent people, stupidly.


BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:2

I've organized my rules as an example:
»blitzweb.home.att.net/xprules.gif

You already have some misconceptions.... This is not AtGuard/Norton...

You don't need blocking rules unless the program is starting them, or they are listening for them.

It looks like your dhcp rules are fubar, but you might have used white to cover up the information...
»Security »How do I allow DHCP?

Here's an example of icmp rules to help you organize them:
»Example ICMP rules

Now you're allowing almost all your programs to use any port, and not controlling what they are doing. That is a security hole, and what if some spyware/trojan would use IE to communicate out? You wouldn't know. You need to pick the ports allowed for each app if you want to make these more secure, and not run it like a simple application-based firewall.
--
"Yesterday we obeyed kings, and bent our necks before emperors. But today we kneel only to the truth." -Kahlil Gibran



zone

join:2001-04-30
Loganville, GA

BlitzenZeus
I noticed on your rule set you had your ICMP rule protocol 3 in a separate rule. Did you set it only to your DNS server? That would block that hole that's there using it the other way. THANKS
--
Never let a computer know you're in a hurry.

[text was edited by author 2002-03-09 16:40:06]



bjf123
We Want... A Shrubbery
Premium
join:2000-02-11
Hamilton, OH

reply to BlitzenZeus

said by BlitzenZeus:
You need to pick the ports allowed for each app if you want to make these more secure, and not run it like a simple application based firewall.
Thanks, BZ. How about these? I removed all the rules for my apps, and then went to connect using each. I then customized the rule for each, using the ports that were requested. When I first set up TPF, I just clicked on Permit, and didn't do any customizing. Shame on me! In case you're wondering about port 10005 on all my browsers, that's the port I need to log into my DSL connection. I noticed that you had your IE rule permitting 8080, 8085, and 8086. I only need those if I'm using a proxy, right?

I'm still reviewing your comments for the upper part of my rules. I'll post my revised rules for those later.
--
Golf is a relatively simple game, played by reasonably intelligent people, stupidly.


BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:2

reply to zone
Zone: Please try using punctuation in your sentences, and not running them on next time, since it does make them hard to understand.

You're not a router, and you don't need to be advertising that you exist to other IP addresses out there by sending ICMP type 3 out. However, sending them to your DNS server is optional, and some connections have problems if you don't permit it out to them.

I also toggle allowing ICMP 3 in, due to the fact that I don't run any online games with XP, and I only enable it temporarily when I see that my ICMP communications fail. I do have it enabled all the time on my Win98SE config, as I run my online games there, and they run better than on XP. It also allows me to separate my work and play to make things easier.

If you have any more questions about this, read the ICMP link I provided in the first reply.



BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:2

reply to bjf123
Is your computer running as a DHCP server? If not, you shouldn't allow local: udp 67 connections, as then you are acting as the server.

I allow 8085 and 8086 for DSLR's tweak test. If I don't, the results are not accurate. I could secure those two ports to the testing address, but they are also used for another DSLR test. I'm only worried about the higher port ranges, and in this config you will have to permit each FTP request by your browser. I prefer it this way instead of allowing them access to higher ports for no reason.

I see you're still working on some rules like your ICMP, etc.

Your next step for some apps is making rules for certain addresses only.... Do those when the programs only communicate out to one or two addresses, if you need to. However, some programs are fine being allowed to any address since they are hard-coded to certain addresses anyway. It's obvious that browsers need access to any address, but here is where it's up to you to make those judgements.
--
"Yesterday we obeyed kings, and bent our necks before emperors. But today we kneel only to the truth." -Kahlil Gibran



bjf123
We Want... A Shrubbery
Premium
join:2000-02-11
Hamilton, OH

said by BlitzenZeus:
Is your computer running as a DHCP server? If not you shouldn't allow local: udp 67 connections as then you are acting as the server.
I'm not running a DHCP server, that I know of. I just know that without the rules for ports 67 and 68, both local and remote, I lose my DSL connection after about 15 minutes. Does that make sense?
quote:
Your next step for some apps is making rules for certain addresses only.... Do those when the programs only communicate out to only one, or two addresses if you need to. However some programs are fine being allow to any address since they are hard-coded to certain addresses anyway. Its obvious that browsers need access to any address, but here is where its up to you to make those judgements.
I've gone back through all my apps that connect out, deleted the rules, and tried to connect again. This time, in addition to specifying the remote port, I also specified the IP address. Most apps just seem to want one address. Some wanted multiple addresses, but usually within a range, like 123.456.789.0 to 123.456.789.255, so I put that range in the rule. What's the difference between using a range and a mask? For AOL and CompuServe (I know those are bad words around here!), I needed two rules each, as they seem to access multiple ranges that belong to AOL, according to the Whois lookup I did. One app, Quicken, needed to access multiple IPs as part of the downloading of my financial data from various banks and credit card companies. There, I ended up with an "any address" rule. Otherwise, I would have 6 to 10 rules, which I thought was overkill. Wouldn't you agree?

I haven't had a chance to get back to the ICMP rules. Had to take a break to go watch my Alma Mater (Xavier) win their conference basketball tournament!
--
Golf is a relatively simple game, played by reasonably intelligent people, stupidly.


gwion
wild colonial boy
Premium,ExMod 2001-08
join:2000-12-28
Pittsburgh, PA
kudos:1

reply to bjf123
I'm not up to date on all your issues, but I'll address the last part. Very loosely speaking, a subnet mask is a full octet range or more of addresses. A range is more granular, and can be anything from two concurrent addresses up to a whole group of netmasks... make sense? The only downside is that Tiny/Kerio have only one "custom range," meaning the only way of getting a group of NON-contiguous addresses in is multiple rules. Not to worry, though, most ISP servers ARE a range or mask in their netblock. I experimented with Verizon, and they have the whole 151.201.0. (something like ?) 30-70 range full of DNS servers. Problem is they also have mailservers and a pile of other internal stuff mixed into the 255.255.255.0 mask, just as an example... so I personally have 3 DNS rules, one for my primary, one for my secondary, and a third that I allow TCP on (so "dig" and a few other information apps will work) that isn't one of my assigned nameservers, but is a domain authoritative nameserver, while most of the nameservers on the 'net are mirrors, meaning, in the simplest layman's terms, they ain't guaranteed... their table will be whatever the last copy they mirrored from a domain authoritative server was, and, depending on scheduling, they may have a small percentage of stale or incomplete data at any given time.

There. Anyhow, I just shot off topic, there, so, back to the issue at hand, do whatever works best for you... but be careful you don't get a bunch of user addresses or exploitable addresses in there by accident (I consider mailservers, for example, exploitable, and I definitely consider "honeypot" servers exploitable ['cause that, in a nutshell, is their "job description"]), and it's not at all uncommon for an ISP to mix "honeypots" into their DNS block... I'm quite convinced, looking over some of the hostnames of machines in VZ's block, that there are a few honeypots in there, for example... just a fleeting thought...
--
did we save the post about restoring filesystems with vi and a toothpick? Good. Did anyone print it out???

[text was edited by author 2002-03-09 23:27:12]



bjf123
We Want... A Shrubbery
Premium
join:2000-02-11
Hamilton, OH

OK. Here are my revised rules. How do these look?


bjf123
We Want... A Shrubbery
Premium
join:2000-02-11
Hamilton, OH

Bump. Anybody?



Zupe
Premium,MVM
join:2001-11-29
New York, NY

reply to bjf123
Just took a quick glance, but that second DHCP rule still doesn't look right. I think it should be:

UDP Both Directions
Local Port: 68
Remote Port: 67
Remote Address: Your DHCP Server

Most people also allow this for any application (same goes for the other DHCP rule). I'm not sure whether limiting it to Krnl386.exe is beneficial.
--
Pinky: I think so Brain but if you replace the P with an O, my name would be Oinky wouldn't it?
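To make two of the configuration points in this thread concrete (Zupe's DHCP client rule above, and gwion's earlier distinction between a single "custom range" and a subnet mask), here is an added example that is not from the thread or from Tiny/Kerio: a small Python model of an ordered rule list, evaluated against constructed traffic. The DHCP and DNS server addresses are RFC 5737 documentation addresses, assumed for illustration, not anyone's real servers.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    proto: str          # "udp" or "tcp"
    local_port: object  # int, or None for any local port
    remote_port: object # int, or None for any remote port
    remote: object      # None = any; IPv4Network = mask; (first, last) = custom range
    action: str = "permit"

def remote_matches(spec, addr):
    ip = ipaddress.ip_address(addr)
    if spec is None:
        return True
    if isinstance(spec, ipaddress.IPv4Network):
        return ip in spec
    first, last = (ipaddress.ip_address(x) for x in spec)
    return first <= ip <= last

def remote_size(spec):
    """Number of remote addresses the spec admits (how broad the rule is)."""
    if spec is None:
        return 2 ** 32
    if isinstance(spec, ipaddress.IPv4Network):
        return spec.num_addresses
    first, last = (int(ipaddress.ip_address(x)) for x in spec)
    return last - first + 1

def evaluate(rules, proto, local_port, remote_port, remote_addr):
    """First matching rule wins, as in an ordered rule list; no match means deny."""
    for r in rules:
        if (r.proto == proto and r.local_port in (None, local_port)
                and r.remote_port in (None, remote_port)
                and remote_matches(r.remote, remote_addr)):
            return r.name, r.action
    return None, "deny"

# Constructed rule set using RFC 5737 documentation addresses, not real servers.
DHCP_SERVER = "192.0.2.1"  # assumed address of the ISP's DHCP server
RULES = [
    # Zupe's DHCP client rule: UDP, local 68, remote 67, remote address = your DHCP server
    Rule("dhcp-client", "udp", 68, 67, (DHCP_SERVER, DHCP_SERVER)),
    # gwion's point: a custom range is narrower than a whole /24 mask
    Rule("dns-range", "udp", None, 53, ("198.51.100.30", "198.51.100.70")),
    Rule("dns-mask", "udp", None, 53, ipaddress.ip_network("198.51.100.0/24")),
]
```

A DHCP offer from any address other than the configured server falls through to deny, and `remote_size` shows why a 30-70 range (41 addresses) exposes far less than a 255.255.255.0 mask (256 addresses) that also contains mailservers and other internal hosts.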



bjf123
We Want... A Shrubbery
Premium
join:2000-02-11
Hamilton, OH

said by Zupe:
Just took a quick glance, but that second DHCP rule still doesn't look right.
After I posted my revised rules, I had to add one more DHCP rule, similar to the one in my first rule set. I'll look at it when I get home tonight to see if I can combine it with the second DHCP rule. Thanks.
--
Golf is a relatively simple game, played by reasonably intelligent people, stupidly.

over 12.5 years online © 1999-2012 dslreports.com.