gt7697c
Premium Member
join:2001-02-16
The Hive

2 recommendations
[Kerio] Generic Rule Set for Kerio (Proxy and no Proxy)

It has been a while since anyone last tried to post a Generic Rule set for Kerio or a supplement to the FAQ.

So I thought I would try my hand at creating a generic rule set for new users to get an idea and an understanding of what a decent full (or somewhat full) rule set looks like. (Not that anyone's rule set is bad. It is just that most of us, me included, have more mature rule sets and it is hard for the new users to grasp what we are doing or what we are trying to do. Conversely it is hard for us to grasp what a new user is doing because the format of the Rule set may be causing the problem, thereby requiring some fancy footwork on our part to try and fix it.)

(If you use a Router the IP of the router is generally 192.168.0.1 or 192.168.1.1 or 10.x.x.x; make changes to the applicable rules if you need to. If you don't use a Router you may have to use your ISP's DHCP Server unless you have a Static IP.)

DHCP is required if you use it. It is a good idea to tie the IP of your DHCP Server to your DHCP Rule. Doing so will enforce that your system gets its IP from only the Authorized DHCP server in the rule. My rule is tied to my DHCP server.

DNS you need to surf the net. In my case DNS is supplied by my DHCP server, in many cases this will not be true. However, on my XP system even using my router I still have to enter the DNS servers of my ISP. So before you create the rule get the DNS servers that your ISP uses written down, then create the rule that you may need.

ICMP generally means pingable. You need the ICMP rules setup to be pingable or to not be pingable. If you follow the FAQ then you will not be pingable, but you will be able to use the tools like ping and tracert. To be pingable simply create the rule that I call my ICMP LAN rule and then tie it to what ever IPs you need to be pingable to, like maybe your other LAN machines or maybe to your ISP so that tech support can help you trouble shoot your DSL/Cable modem.

Now for the Kill all ICMP rule, you need to make sure you set Kerio up so that it Kills all ICMP codes; otherwise the Kill All ICMP rule will kill only the known codes, not the malformed ones. (Just look at the screen shot.) If you want to block by protocol then you may want to use the ICMP -1 method mentioned in the FAQ.

To set up ICMP select from Protocol ICMP and then select Set ICMP and finally select the ICMP that you want....you want what I have in the screen shots.

Loopback is a rule that allows your local machine (localhost or 127.0.0.1) to talk to itself. What I have are special loopback rules. This is because I use a proxy. If you don't use a proxy then you can use just one loopback rule. To set up just one loopback rule follow the FAQ or look at the No Proxy Screen shot.

IGMP (Internet Group Management Protocol): unless your network needs it, block it. Hackers can exploit it and hang your ultra fast system. IGMP is blocked by selecting Other for Protocol and then typing in 2.

NetBIOS: if your network does not need NetBIOS then you want to block it as well as turn it off. Typically NetBIOS is ports 137, 138, 139.

Epmap is another special case rule, and can cause problems; if you don't need it, block it. Typically it uses port 135.

Microsoft-DS or SMB: again, if you don't need it, block it. XP has this as well and it is simply another incarnation of NetBIOS 137, 138, 139. Even if you disable NetBIOS this may persist so just block it. Typically it uses 445.

SSDP (Simple Service Discovery Protocol): Good idea to disable this in XP or other Windows O/S or block it in Kerio. Typically it uses 1900.

Generic Host Process for Windows: this is svchost, and rather than input all the ports it uses I simply put any port for a blanket protection from inbound requests that are not wanted. You can change it to block remote port 5000, or you could combine Epmap and SSDP into this rule if you wanted.

Windows Time Sync: this is built in to XP or can be a third party program download for 2k and previous O/Ss. It is a good idea to chain it to a port and an IP. Kerio will prompt for the rule if you delete it and then run the Time Sync program. Kerio may want to create two rules. If it does, simply combine them after you have permitted them in Kerio.

Media Player rules are somewhat picky. The rules that I have are generic enough, I believe, to allow Media Player to work fully. Of course I am using a Proxy, so if you aren't using a proxy then take a look at these Media Player Rules.

The rules for IE that I have here are for IE to use a Proxy. If you don't use a proxy then you might still want some of the rules so as not to let IE have too much control, and with the main IE rule you would want to limit IE to certain ports like 8080, 80, etc....

IE allow to proxy is needed if you run a proxy. Without that rule IE will not be able to connect to the NET unless you give it permission.

IE Secure Sites: this rule allows IE to visit Secure sites, and IE uses port 443 to accomplish the visit. You need this rule to do on-line shopping etc. If you don't have a proxy you may want this rule as well, so as not to give IE too much control of the ports it uses. (You could also put a timer on the rule to prevent a significant other from doing on-line shopping; use at your own discretion with that advice.;))

IE FTP: this allows IE to download files from FTP sites that you may visit. To, say, get Defs for a Virus Scanner or other things.

IE FTP Data Transfer: this rule can be complicated. Please see this thread: »[Kerio] IE FTP Data Transfer Rule Help---> Please for a discussion on it. Suffice it to say if you set the rule up you will need to chain it to the FTP sites you visit. You will need this rule or something similar to it if you disable Enable Folder View (internet options + advanced) in IE and if you are controlling the ports that IE uses. So it will apply to those running a proxy or those who don't use a proxy.

IE Restrict: this rule is good for everyone, even those that don't use a Proxy. The reason is it enforces all the other IE rules so that IE doesn't bypass those rules.

Block Proxy: this is the other Loopback rule. The reason it is blocked is because Applications like to bypass your firewall if you have a proxy on the system. This rule prevents that from happening. If you don't use a proxy you don't need it.

The Proxomitron is set up as the only way to allow your Browser to surf the net. Instead of giving it unfettered access on any of the ports I chose to chain it to only the ones listed. This will be the same if you use another program that is a proxy.

The Block Proxomitron Rule prevents Inbound connections from being made to the proxy. At one time the rule, since it blocks both directions, may have been used to prevent apps from pretending to be the proxy and connecting out. This can apply to any proxy program.

Windows Explorer does not need to be allowed to the Internet to do its job. There are many exploits that can take advantage of Windows Explorer.

Windows Messenger is a pain in the a$$ even if it is disabled. Short of ripping it from the O/S, a nice block will prevent connections from being made either in or out if you don't need it.

It is recommended that you delete the default rules that come with Kerio as they are too weak. The rule set above is a Generic Rule set and is pretty good to get you started or up and running, by no means does it cover everything. Consider it a starting point if you are new to a rules based firewall. (If using 2k some things like Windows will need to be changed to Winnt.) Backup your rule set to a floppy or another location on the HD other than the Kerio Folder. (The reason is if something bad happens you will at least have a quick fix handy.) Block rules should be set to Log and Alert once they are tripped. You should also put an Admin Password on Kerio.

One last point often overlooked and seldom talked about, though Gwion and others have tried, is grouping and order. If you notice, in both Rule sets the rules follow a progression. There are exceptions to every grouping and I am sure some will spot those exceptions. The reason for grouping the rules has to do with how a rules based firewall reads those rules. I believe Kerio reads from the Top down; if you create a Block rule and then an Allow rule for the same application below the block rule, you may have just blocked that app from connecting to the Internet. Again there are exceptions to grouping; you might be filtering something out etc.

(The last screen shot is a rule set without a proxy or using DHCP. I have left my Router's IP in the DNS because it represents what would be entered if you have your ISP's DNS server. I have decided for these rule sets to leave out filtering of Local Ports as that can lead to problems if you are new to a rule based firewall. Certainly that should be the next step once the rules are up as a way to tighten the firewall up even more, but should be done with great caution. Rules were created on a Win XP pro machine.)

HTH.:)

Any and all comments welcome.:)


Source material for further reading:

1.»Just one example of rules
2.»Security
3.»www.blarp.com/faq/faqman ··· oc=kerio
4.»www.networksorcery.com/e ··· igmp.htm
5.»www.blackviper.com
6.»www.dshield.org/
7.»grc.com
8.»www.iss.net
9.»www.practicallynetworked ··· essaging


Edit
fixed a link.

Edit 2

For a new user trying to create rules start with the Higher Rules meaning DNS, DHCP, and ICMP. Then work your way down. Click on the links for more info.

Also added some lines to ICMP and IGMP.

Edit 3
The DHCP rule is not limited to a Router you have on a LAN. Some users may have a direct connect to the internet and may not have a Router. In this case the DHCP rule or rules would be tied to the DHCP Server your ISP uses if you don't have a static IP.
TheWiseGuy
Dog And Butterfly
MVM
join:2002-07-04
East Stroudsburg, PA
Re: [Kerio] Generic Rule Set for Kerio (Proxy and

Excellent post.

This seems like a good place to have a discussion on any of the rules posted. My comments below are not directed specifically to you but for general discussion.
said by gt7697c:
IE Restrict this rule is good for everyone even those that don't use a Proxy. The reason is it enforces all the other IE rules so that IE doesn't bypass those rules.
I've been thinking about the IE FTP problem and one solution is to not include a blanket IE restrict rule in the ruleset. The advantage would be that this allows Kerio to prompt you for access and you can use Passive FTP, simply by clicking Allow, without a rule granting regular access to a lot of ports. It would also allow Kerio to prompt you if an unusual Port was requested somewhere else. Some people might see these prompts as a hassle, others might like to know that a site is trying to use a non standard port.

If you are not using a Proxy the main downside is getting prompts, which doesn't bother me, so I don't have a blanket block for Mozilla, my main browser, or IE which I also use.

But what if you have a proxy? So for people who need to set up rules for a proxy the questions I can think of are:

What are the Ports that must be blocked for your browser and why?

Is a block rule covering a small number of Ports maybe 1-1024 and 8080 enough or a rule for only Ports 80,443, and 8080, which are the allowed Ports for Proxomitron, all that is needed?

Is there a major advantage to having a restrictive block for IE since the Firewall should prompt for anything not allowed?

gt7697c
Premium Member
join:2001-02-16
The Hive
quote:
I've been thinking about the IE FTP problem and one solution is to not include a blanket IE restrict rule in the ruleset. The advantage would be that this allows Kerio to prompt you for access and you can use Passive FTP, simply by clicking Allow, without a rule granting regular access to a lot of ports. It would also allow Kerio to prompt you if an unusual Port was requested somewhere else.
Nope, won't work, though it sounded fine on paper.:) What happens is that Kerio, or better IE, will run up the line of all the ports it uses to do the FTP Data Transfer. Therefore you will create individual rules for each of the high ports included in the port range that I mentioned in the other thread. It is better to just restrict the rule to the FTP servers that you use.

Setting the IE Restrict Rule to Alert and Log will notify a user of an application trying to use IE, or IE trying to sneak out other ports. If you are trying to access something with IE and get that Alert then you need to configure a rule for it.
_________

Do keep the comments coming, and yes we can talk about any and all the rules mentioned in this thread.:) (If one rule gets to be too complex or in-depth we will simply start a new thread if one does not already exist.:))

Also feel free to copy the rules right out of the Screen shots and into Kerio....they have been tested and seem to work well. (Though I didn't personally test them all.)

Edit 1

I was thinking maybe a generic FTP Data Transfer rule set to Alert below the other FTP Data Transfer rules. This would allow you to visit the FTP site while also getting the FTP server IP to add to a rule later. I believe we will need to talk about this in the FTP Data Transfer Thread as it may monopolize this thread.;)
gt7697c
Premium Member
Re: [Kerio] Generic Rule Set for Kerio (Proxy and no Proxy)

Well looks like I get to ask questions about the rule sets by myself.....:) I hope I don't have to answer myself as well....but I am in that kind of mood today and I have my answer hat close by just in case it is needed.:)

____________

Ok...is the Block Proxy rule really needed at all?
Won't Kerio just prompt for connection if something tries to use the loopback 127.0.0.1:8080 since there is no specific rule for it?

Why are the loopback rules below some of the block rules....well, does doing that enforce that the block rules are applied?
TheWiseGuy
Dog And Butterfly
MVM
join:2002-07-04
East Stroudsburg, PA
Re: [Kerio] Generic Rule Set for Kerio (Proxy and

said by gt7697c:
Ok...is the Block Proxy rule really needed at all?
Won't Kerio just prompt for connection if something tries to use the loopback 127.0.0.1:8080 since there is no specific rule for it?
Unless there are Allow rules below a Block rule that you want to prevent from connecting in a specific manner, then block rules normally are simply to Block Prompts or control what is logged or what Alerts. Since none of your rules below the "Block Proxy" would be able to use the proxy it should only stop prompts.
quote:
Why are the loopback rules below some of the block rules....well, does doing that enforce that the block rules are applied?
The Loopback rules could be at the top of the ruleset. While they do in some cases Block some ports to/from 127.0.0.1 it really is not necessary to block them to/from Loopback.

gwion
wild colonial boy
join:2000-12-28
Pittsburgh, PA

gwion to gt7697c

Re: [Kerio] Generic Rule Set for Kerio (Proxy and no Proxy)

Loopback goes below proxy access because we don't want any app to use the proxy, because it's a natural firewall tunnel... we just want apps we want using the proxy using it, not any app that coincidentally gets installed on the computer and grabs proxy info from IE... since rule processing is top down, in order, process until matched, then quit, we don't want a general rule above a specific one...

The block, then, prevents a later "any port" loopback from catching spillover... it also specifically alerts us that something wants out, so we can make a rule if we want to, to allow it. Here's a new way of approaching the loopback, too... you could do this above the proxy rules, if desired. 2 rules, in 2.14... first one, allow both remote IP 127.0.0.1, ports 0-8079, etc.; second rule, allow both ways remote 127.0.0.1, ports 8081-65535, etc.(*) --- making sense? I came up with this playing with the beta, which allows multiple port ranges in a single rule, and it dawned on me you could use two loopback rules in 2.14 for the same effect...

The whole idea of all these rules is keeping the proxy from ending up as a convenient tunnel through the firewall. The other idea was to prevent IE or other apps from finding alternate routes out, without proxy filtering. I caught IE trying a few 'round the proxy outbounds, some time ago, and rationalized that it won't hurt to make sure IE (or whatever you want filtered) has only one route to the internet, that being the proxy server...

(*) Assumes proxy listening on 8080; make any necessary changes for your setup...

cjsmith
Premium Member
join:2000-11-03
Villa Rica, GA
gwion, thanks again for a most comprehensive description of the use of loopback rules combined with Proxy denies.

Just a quick question if you don't mind.
Is the above pic that of which you describe?

gwion
wild colonial boy
join:2000-12-28
Pittsburgh, PA

gwion to gt7697c
CJ, you're amazingly adaptable ... it's fine. What I meant, though, was that you could do a loopback in the "typical" position of top few rules, make it that way, and then do your proxy rules ... long as the "allow any" loopback's below the proxy rules, it works fine. But you could break it into two if it's above the proxy stuff, and still get the necessary elimination of tunnel concerns.

The main significant issue is letting a new app get access to the "tunnel" at 8080... so long as you block that, however you accomplish it, "u dun good"

cjsmith
Premium Member
join:2000-11-03
Villa Rica, GA
said by gwion:
CJ, you're amazingly adaptable ...

Thank you gwion. Every so often I come by and see what is happening here, and being how I already read this thread and soon discovered a few new entries, it piqued my interest. Thus, I decided to check out my rules, for I am in the midst of a new installation process.

Bowserman
Member
join:2003-04-15
Australia

Bowserman to gt7697c
Ok guys, are my loopback rules right then?

gt7697c
Premium Member
join:2001-02-16
The Hive
I would say they are.:)

Bowserman
Member
join:2003-04-15
Australia

Bowserman to gt7697c
G'day GT. I think they are too (just thought I'd ask again).
Every time I try to put the loopback rules below the Block Proxy rule, programs like SpywareGuard, LiveUpdate and Gladiator will not work (before anyone asks me to create a generic loopback rule under the Block Proxy rule, I tell you now that this does not work for me).

I think having the loopback rules like we do, with the Block Proxy and Block Proxomitron rules both set to log and alert, works just fine and lets us see what proggies are trying to access;).

BTW GT, as you can see I have tightened up my rules for POP3 and Outlook Express by adding the addresses for each singly instead of using the "network/range" option.
Ya reckon I should create a custom group for Trend's PCCillin (PCCClient) as it draws on many addresses?

As always, many thanks, Jade.

gt7697c
Premium Member
join:2001-02-16
The Hive
Yes you could use the Custom Group. If the IPs are in a Range though...I would lean towards using a Network Range.
And saving the Custom Group for other IPs that are scattered all over the place.

HTH.:)
gt7697c
Premium Member

gt7697c to gwion
I apologize for taking some time off from this thread.

What you are describing for Two loopback rules is what I currently have in Kerio 2.1.4 for loopback. By not creating an any-app rule using 127.0.0.1:8080, Kerio will pop up for any application trying to connect out using 127.0.0.1:8080 and any rule created will be Tied to the application trying to use it.

So....is the Block Proxy Rule still fully needed? I would guess that if you have all your rules for apps already configured then you could/would use it to enforce the rules. But for a Beginner having that rule might be annoying as it will require them to manually write the rules instead of letting Kerio do it. The only problem with this is that a beginner might not click on Customize to see what ports the app is trying to use, and therefore at a later point in time may implement the Block Proxy rule and have all the applications not function.

As to the placement of Loopback. Yes, putting Loopback below the Block Proxy rule does make sense, that is if you are using a wide open proxy rule, that is 127.0.0.1:any port. There would be no way of stopping 127.0.0.1:8080 in that sense. You would also have to create the IE Cache rule if you follow the placement of the open proxy rule below the Block Proxy rule. So by splitting the loopback into two rules into the port ranges, leaving 8080 out, you eliminate the need for the IE Cache rule as IE will go to the loopback rules for its Cache. You are also protected from apps piggybacking the proxy, because there is no rule created for 127.0.0.1:8080 any application and therefore Kerio must prompt for each application asking to get out.
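The top-down, first-match behaviour that gwion and gt7697c rely on above (proxy rules first, Block Proxy, then loopback split around 8080, and the misordering pitfall from the opening post) can be checked with a small simulator. This is an added illustration, not Kerio's code or rule format; the executable names, the 203.0.113.10 address and the proxy listening on 127.0.0.1:8080 are constructed assumptions.

```python
"""Model of top-down, first-match rule evaluation as described in the thread.
Constructed example: rule names, executables and addresses are illustrative."""
from dataclasses import dataclass
from typing import Container, Optional, Tuple

ANY = None                      # wildcard for application or remote address
ALL_PORTS = range(0, 65536)
PROXY_IP, PROXY_PORT = "127.0.0.1", 8080   # assumed Proxomitron listener


@dataclass
class Rule:
    name: str
    action: str                        # "allow" or "block"
    app: Optional[str] = ANY           # executable the rule is tied to
    remote_ip: Optional[str] = ANY
    ports: Container[int] = ALL_PORTS  # remote ports the rule covers

    def matches(self, app: str, ip: str, port: int) -> bool:
        return ((self.app is ANY or self.app == app)
                and (self.remote_ip is ANY or self.remote_ip == ip)
                and port in self.ports)


def evaluate(rules, app, ip, port) -> Tuple[str, Optional[str]]:
    """Walk the list top down; the first matching rule decides.
    No match means the firewall would prompt the user."""
    for rule in rules:
        if rule.matches(app, ip, port):
            return rule.action, rule.name
    return "prompt", None


def proxy_ruleset():
    """Ordering gwion describes: proxy rules, then Block Proxy, then loopback
    split around the proxy port so no blanket allow covers 127.0.0.1:8080."""
    return [
        Rule("IE allow to proxy", "allow", "iexplore.exe", PROXY_IP, {PROXY_PORT}),
        Rule("IE Restrict", "block", "iexplore.exe"),
        Rule("Proxomitron out", "allow", "proxomitron.exe", ANY, {80, 443, 8080}),
        Rule("Block Proxy", "block", ANY, PROXY_IP, {PROXY_PORT}),
        Rule("Loopback low", "allow", ANY, PROXY_IP, range(0, PROXY_PORT)),
        Rule("Loopback high", "allow", ANY, PROXY_IP, range(PROXY_PORT + 1, 65536)),
    ]


def without(rules, name):
    return [r for r in rules if r.name != name]


def moved_to_top(rules, name):
    """Reorder so `name` is evaluated first (the pitfall from the opening post)."""
    return [r for r in rules if r.name == name] + without(rules, name)


if __name__ == "__main__":
    rs = proxy_ruleset()
    for app, ip, port in [("iexplore.exe", PROXY_IP, PROXY_PORT),  # IE via proxy
                          ("iexplore.exe", "203.0.113.10", 80),    # IE around proxy
                          ("rogue.exe", PROXY_IP, PROXY_PORT),     # app piggybacking
                          ("rogue.exe", PROXY_IP, 5000)]:          # ordinary loopback
        print(app, ip, port, "->", evaluate(rs, app, ip, port))
    # Without Block Proxy the split loopback still leaves 8080 uncovered: prompt
    print("no Block Proxy:", evaluate(without(rs, "Block Proxy"), "rogue.exe", PROXY_IP, PROXY_PORT))
    # IE Restrict above its allow rule: IE can no longer reach the proxy
    print("misordered:", evaluate(moved_to_top(rs, "IE Restrict"), "iexplore.exe", PROXY_IP, PROXY_PORT))
```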

Bowserman
Member
join:2003-04-15
Australia

Bowserman to gt7697c
Thanks for the info GT. Understand completely now what others were referring to earlier in this thread regarding different loopback rules;).

This is going to be a very good thread, and I can see it being referred to by many. Now and in the future.

Many thanks, Jade.

gt7697c
Premium Member
join:2001-02-16
The Hive
Here are two additional rules for Win 2k.

They were created due to this site:
»nanoprobe.grc.com/x/ne.d ··· bh0bkyd2

I would recommend that after you have your firewall configured either based on the example rule sets or your own design that you go to a test site to make sure it is configured correctly.

HTH.:)

Zupe
MVM
join:2001-11-29
New York, NY
Just a suggestion once your ruleset is pretty much setup. You may consider adding a block all inbound rule, with logging turned on, as the last rule in your ruleset. This keeps you from having to add individual block rules, like the last two gt7697c suggested, and will keep you from getting a popup every time someone does a random port scan or anything of that nature. If it does somehow block something you need to allow, you can just check your logs for the necessary information. As can be seen in some of the other rulesets posted above, some people actually do this for both inbound and outbound, but I find that most of the time if I get a popup from Kerio for something outbound, it's something I need to either create a rule for (i.e. a new program) or adjust a rule for, so I want to see those popups.