It has been a while since anyone last tried to post a Generic Rule set for Kerio or a supplement to the FAQ.
So I thought I would try my hand at creating a generic rule set for new users to get an idea and an understanding of what a decent full (or somewhat full) rule set looks like. (Not that anyone's rule set is bad. It is just that most of us, me included, have more mature rule sets and it is hard for the new users to grasp what we are doing or what we are trying to do. Conversely it is hard for us to grasp what a new user is doing because the format of the rule set may be causing the problem, thereby requiring some fancy footwork on our part to try and fix it.)
(If you use a router, its IP is generally 192.168.0.1, 192.168.1.1 or 10.x.x.x; make changes to the applicable rules if you need to. If you don't use a router you may have to use your ISP's DHCP server unless you have a static IP.)
A DHCP rule is required if your system gets its IP by DHCP. It is a good idea to tie the IP of your DHCP server to your DHCP rule: doing so ensures that your system accepts an IP only from the authorized DHCP server named in the rule. My rule is tied to my DHCP server.
You need DNS to surf the net. In my case DNS is supplied by my DHCP server; in many cases this will not be true. However, on my XP system, even using my router, I still have to enter the DNS servers of my ISP. So before you create the rule, write down the DNS servers that your ISP uses, then create the rule that you may need.
ICMP generally means being pingable. You need the ICMP rules set up either to be pingable or not to be pingable. If you follow the FAQ you will not be pingable, but you will still be able to use tools like ping and tracert. To be pingable, simply create the rule that I call my ICMP LAN rule and tie it to whatever IPs you need to be pingable from, like your other LAN machines, or your ISP so that tech support can help you troubleshoot your DSL/cable modem.
Now for the Kill all ICMP rule: you need to make sure you set Kerio up so that it kills all ICMP codes, otherwise the Kill all ICMP rule will kill only the known codes, not the malformed ones. (Just look at the screen shot.) If you want to block by protocol then you may want to use the ICMP -1 method mentioned in the FAQ.
To set up ICMP, select ICMP for Protocol, then select Set ICMP and finally select the ICMP types that you want; you want what I have in the screen shots.
Loopback is a rule that allows your local machine (localhost or 127.0.0.1) to talk to itself. What I have are special loopback rules, because I use a proxy. If you don't use a proxy then you can use just one loopback rule. To set up just one loopback rule, follow the FAQ or look at the No Proxy screen shot.
IGMP (Internet Group Management Protocol): unless your network needs it, block it. Hackers can exploit it and hang your ultra-fast system. IGMP is blocked by selecting Other for Protocol and then typing in 2.
NetBIOS: if your network does not need NetBIOS then you want to block it as well as turn it off. Typically NetBIOS uses ports 137, 138 and 139.
Epmap is another special-case rule and can cause problems; if you don't need it, block it. Typically it uses port 135.
Microsoft-DS or SMB: again, if you don't need it, block it. XP has this as well, and it is simply another incarnation of NetBIOS 137, 138, 139. Even if you disable NetBIOS this may persist, so just block it. Typically it uses port 445.
SSDP (Simple Service Discovery Protocol): it is a good idea to disable this in XP or other Windows OSes, or block it in Kerio. Typically it uses port 1900.
Generic Host Process for Windows is svchost; rather than input all the ports it uses, I simply put any port for blanket protection from unwanted inbound requests. You can change it to block only remote port 5000, or you could combine Epmap and SSDP into this rule if you wanted.
Windows Time Sync is built into XP, or can be a third-party program downloaded for 2k and previous OSes. It is a good idea to chain it to a port and an IP. Kerio will prompt for the rule if you delete it and then run the Time Sync program. Kerio may want to create two rules; if it does, simply combine them after you have permitted them in Kerio.
Media Player rules are somewhat picky. The rules that I have are generic enough, I believe, to allow Media Player to work fully. Of course I am using a proxy, so if you aren't using a proxy then take a look at these Media Player rules.
The rules for IE that I have here are for IE to use a proxy. If you don't use a proxy then you might still want some of the rules so as not to let IE have too much control, and with the main IE rule you would want to limit IE to certain ports like 8080, 80, etc.
IE allow to proxy is needed if you run a proxy. Without that rule IE will not be able to connect to the NET unless you give it permission.
IE Secure Sites: this rule allows IE to visit secure sites, and IE uses port 443 to accomplish the visit. You need this rule to do on-line shopping etc. If you don't have a proxy you may want this rule as well, so as not to give IE too much control of the ports it uses. (You could also put a timer on the rule to prevent a significant other from doing on-line shopping; use that advice at your own discretion. ;))
IE FTP: this allows IE to download files from FTP sites that you may visit, to get definitions for a virus scanner, say, or other things.
IE FTP Data Transfer: this rule can be complicated. Please see this thread: » [Kerio] IE FTP Data Transfer Rule Help---> Please for a discussion on it. Suffice it to say that if you set the rule up you will need to chain it to the FTP sites you visit. You will need this rule or something similar to it if you disable Enable Folder View (Internet Options + Advanced) in IE and if you are controlling the ports that IE uses. So it will apply to those running a proxy and to those who don't use a proxy.
IE Restrict: this rule is good for everyone, even those that don't use a proxy. The reason is that it enforces all the other IE rules so that IE doesn't bypass them.
Block Proxy: this is the other loopback rule. It is a block rule because applications like to bypass your firewall if you have a proxy on the system. This rule prevents that from happening. If you don't use a proxy you don't need it.
The Proxomitron is set up as the only way to allow your Browser to surf the net. Instead of giving it unfettered access on any of the ports I chose to chain it to only the ones listed. This will be the same if you use another program that is a proxy.
The Block Proxomitron rule prevents inbound connections from being made to the proxy. At one time the rule, since it blocks both directions, may have been used to prevent apps from pretending to be the proxy and connecting out. This can apply to any proxy program.
Windows Explorer does not need to be allowed to the Internet to do its job. There are many exploits that can take advantage of Windows Explorer.
Windows Messenger is a pain in the a$$ even if it is disabled. Short of ripping it from the OS, a nice block will prevent connections from being made either in or out if you don't need it.
It is recommended that you delete the default rules that come with Kerio as they are too weak. The rule set above is a generic rule set and is pretty good to get you started or up and running; by no means does it cover everything. Consider it a starting point if you are new to a rules-based firewall. (If using 2k, some things like Windows will need to be changed to Winnt.) Back up your rule set to a floppy or another location on the HD other than the Kerio folder. (The reason is that if something bad happens you will at least have a quick fix handy.) Block rules should be set to Log and Alert once they are tripped. You should also put an admin password on Kerio.
One last point, often overlooked and seldom talked about, though Gwion and others have tried, is grouping and order. If you notice, in both rule sets the rules follow a progression. There are exceptions to every grouping and I am sure some will spot those exceptions. The reason for grouping the rules has to do with how a rules-based firewall reads those rules. I believe Kerio reads from the top down; if you create a Block rule and then an Allow rule for the same application below the block rule, you may have just blocked that app from connecting to the Internet. Again there are exceptions to grouping; you might be filtering something out, etc.
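To make the two points above concrete (the per-service block rules from DHCP down through the IE rules, and the top-down, first-match ordering that decides whether an app is blocked), here is an added Python model of a rule set like the one described. It is example code written for this post, not Kerio's own engine or an export of anyone's rules; the router address 192.168.0.1, the LAN range 192.168.0.0/24, the application name iexplore.exe and the sample connection attempts are all constructed assumptions. The `move_to_top` helper reproduces the mistake the post warns about: moving the IE Restrict block rule above the IE Secure Sites allow rule turns a permitted HTTPS connection into a deny.

```python
"""Top-down, first-match model of a Kerio-style personal firewall rule set.
Rule set and addresses are constructed for illustration (not the post's own
export); Kerio does not expose this API.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ROUTER = "192.168.0.1"   # assumed router / DHCP / DNS server (post: 192.168.0.1 is typical)
LAN = "192.168.0.0/24"   # assumed LAN range for the "ICMP LAN" rule


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                   # "permit" or "deny"
    direction: str                                # "in", "out" or "both"
    protocol: str                                 # "tcp", "udp", "icmp", "igmp" or "any"
    app: Optional[str] = None                     # None = any application
    remote: Optional[str] = None                  # IP or CIDR; None = any address
    remote_ports: FrozenSet[int] = frozenset()    # empty = any remote port
    local_ports: FrozenSet[int] = frozenset()     # empty = any local port
    log: bool = False                             # post: block rules should Log and Alert


@dataclass(frozen=True)
class Conn:
    direction: str
    protocol: str
    app: Optional[str] = None
    remote_ip: str = "0.0.0.0"
    remote_port: Optional[int] = None
    local_port: Optional[int] = None


def matches(rule: Rule, c: Conn) -> bool:
    """Every field set on the rule must match the connection attempt."""
    if rule.direction != "both" and rule.direction != c.direction:
        return False
    if rule.protocol != "any" and rule.protocol != c.protocol:
        return False
    if rule.app is not None and rule.app != c.app:
        return False
    if rule.remote is not None:
        net = ipaddress.ip_network(rule.remote, strict=False)   # "1.2.3.4" -> /32
        if ipaddress.ip_address(c.remote_ip) not in net:
            return False
    if rule.remote_ports and c.remote_port not in rule.remote_ports:
        return False
    if rule.local_ports and c.local_port not in rule.local_ports:
        return False
    return True


def evaluate(rules: List[Rule], c: Conn, default: str = "deny") -> Tuple[str, Optional[str]]:
    """Read the list top down; the first matching rule decides. Unmatched traffic is denied."""
    for r in rules:
        if matches(r, c):
            return r.action, r.name
    return default, None


def decide(rules: List[Rule], c: Conn) -> str:
    return evaluate(rules, c)[0]


def move_to_top(rules: List[Rule], name: str) -> List[Rule]:
    """Copy of the rule set with the named rule moved first (the ordering mistake in the post)."""
    return [r for r in rules if r.name == name] + [r for r in rules if r.name != name]


def audit(rules: List[Rule], conns: List[Conn]) -> List[str]:
    """Simulate 'Log and Alert' on block rules: one line per logged deny."""
    by_name = {r.name: r for r in rules}
    lines = []
    for c in conns:
        action, name = evaluate(rules, c)
        if action == "deny" and name in by_name and by_name[name].log:
            lines.append(f"ALERT {name}: denied {c.direction} {c.protocol} "
                         f"from {c.remote_ip} local_port={c.local_port}")
    return lines


# Constructed generic set in the post's order: higher rules (DHCP, DNS, ICMP) first,
# then per-service blocks, then application rules.
GENERIC: List[Rule] = [
    Rule("DHCP", "permit", "both", "udp", remote=ROUTER,
         remote_ports=frozenset({67}), local_ports=frozenset({68})),   # tied to the authorized server
    Rule("DNS", "permit", "out", "udp", remote=ROUTER, remote_ports=frozenset({53})),
    Rule("ICMP LAN", "permit", "both", "icmp", remote=LAN),             # pingable from LAN only
    Rule("Kill all ICMP", "deny", "both", "icmp", log=True),
    Rule("Block IGMP", "deny", "both", "igmp", log=True),              # protocol number 2 in Kerio
    Rule("Block NetBIOS", "deny", "in", "any", local_ports=frozenset({137, 138, 139}), log=True),
    Rule("Block Epmap", "deny", "in", "tcp", local_ports=frozenset({135}), log=True),
    Rule("Block Microsoft-DS", "deny", "in", "tcp", local_ports=frozenset({445}), log=True),
    Rule("Block SSDP", "deny", "in", "udp", local_ports=frozenset({1900}), log=True),
    Rule("IE Secure Sites", "permit", "out", "tcp", app="iexplore.exe", remote_ports=frozenset({443})),
    Rule("IE Restrict", "deny", "both", "any", app="iexplore.exe", log=True),   # must stay below the IE allows
]

if __name__ == "__main__":
    https = Conn("out", "tcp", "iexplore.exe", "203.0.113.10", 443)
    print("IE HTTPS, correct order:", evaluate(GENERIC, https))
    print("IE HTTPS, block moved up:", evaluate(move_to_top(GENERIC, "IE Restrict"), https))
    print("DHCP offer from rogue server:", evaluate(GENERIC, Conn("in", "udp", None, "192.168.0.77", 67, 68)))
    for line in audit(GENERIC, [Conn("in", "tcp", None, "203.0.113.10", 51515, 445),
                                Conn("in", "icmp", None, "203.0.113.9")]):
        print(line)
```

Two things the model makes visible that the prose only states: a DHCP offer from an address other than the one tied to the DHCP rule falls through every rule to the default deny, and the same IE HTTPS attempt flips from permit to deny purely because the block rule was moved above the allow rule.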
(The last screen shot is a rule set without a proxy or using DHCP. I have left my Router's IP in the DNS because it represents what would be entered if you have your ISP's DNS server. I have decided for these rule sets to leave out filtering of Local Ports as that can lead to problems if you are new to a rule based firewall. Certainly that should be the next step once the rules are up as a way to tighten the firewall up even more, but should be done with great caution. Rules were created on a Win XP pro machine.)
HTH.:)
Any and all comments welcome.:)
Source material for further reading:
1.»Just one example of rules
2.»Security
3.»www.blarp.com/faq/faqman ··· oc=kerio
4.»www.networksorcery.com/e ··· igmp.htm
5.»www.blackviper.com
6.»www.dshield.org/
7.»grc.com
8.»www.iss.net
9.»www.practicallynetworked ··· essaging
Edit
fixed a link.
Edit 2
For a new user trying to create rules, start with the higher rules, meaning DNS, DHCP and ICMP. Then work your way down. Click on the links for more info.
Also added some lines to ICMP and IGMP.
Edit 3
The DHCP rule is not limited to a router you have on a LAN. Some users may have a direct connection to the internet and may not have a router. In this case the DHCP rule or rules would be tied to the DHCP server your ISP uses, if you don't have a static IP.