BlitzenZeus
Burnt Out Cynic
Premium,MVM
join:2000-01-13
Beaverton, OR
·Verizon FIOS
·Verizon Online DSL


1 edit
reply to BlitzenZeus
Re: BZ Kerio 2x Default Replacement Update

BZ Kerio 2x Default Replacement Update



This is not provided to help you learn how to use the firewall by any means, but only as a replacement for the default rules. If you need help configuring it for your system, please make a new thread, since it applies to your configuration. Please do not e-mail or IM me with any questions.

Changes:
There have been a few major changes, but nothing to make you want to start all over again unless you really want to. You can look over the ruleset and compare it to the previous version to see if you want to make those changes yourself. Please don't ask how to make those changes in this thread, as much of it is basic operation of the program.

Pre-Download:
If you use a router, make sure you know the IP address of your router before you do any of this. If you don't know the IP address of your router, you need to check your manual or ask in the forum for your hardware.

For LAN configurations, there are a few predefined rules, but they are not guaranteed to work for your setup, so you should know what you need to allow for your network. I have set up the LAN rules very loosely, so you will have to secure them later; they were meant to work for most configurations.

4x
I will do little to no support with these rules in 4x. With 4x released too early as a final release, it's still very buggy, and many of its settings are conflicting. It also has a huge problem with not logging events. While people can import this into 4x, the only thing I suggest is seeing this thread on disabling the simple settings as much as possible.
»[Kerio] 4x Turn this back into a real rule based firewall!

Basic steps:
-Download Kerio 2.1.5 and this replacement.
-Disconnect from the internet; pull the Cat5 cable(s) if you have to. Make sure that you will not be automatically connected to the internet again after you reboot, otherwise your system will not be protected. It is also advisable that you disconnect from any LAN you're connected to. (This might make your boot longer, since your computer might try to get a DHCP response that it won't get until you reconnect your cables.)
-Uninstall any other firewall you have on the system completely, but keep the installer around in case something happens. Reboot.
-Install Kerio 2.1.5, and reboot.
-Save the default rules, and then load the downloaded ruleset in the Miscellaneous tab of the administration.
-After you have configured the rules with the information you have offline, for things like your router, connect and start customizing your rules.

Where you Load, or Save your ruleset


Custom IP Blocking:
This is offered as an example: instead of blocking an IP address like the two rules above, or a range in a rule, you can use the custom address group so you only need one blocking rule. This way you just add the address or range to the custom address group. This is not an excuse to not use your hosts file, but it is for sites that might be called by IP address, which bypasses your hosts file. If you don't know what your hosts file is, that is something you can ask the security forum.

If you choose to use this, obviously don't use the custom address group for your DNS rules.

Custom Address Group


Router:
If you have a router, make sure the Router Configuration rule is configured with the correct IP address, and then enable the rule.

LAN Rules:
These will not work for all setups, but you can edit them for your needs.

Known LAN Broadcast
This might not apply to your LAN; you can always edit or delete the rule.

LAN Range Bypass
There are rules for two common ranges, and you should know which range your LAN runs on. It's suggested you edit the range to only the used IP addresses, or make separate rules per machine.

DHCP Host - LANs running on dynamic addressing, and ICS
If the computer Kerio is installed on provides DHCP for other computers on the network, then you need to enable the DHCP Host rule, and your other LAN rules will allow DHCP replies for allowed local IP ranges. If you use ICS, and Kerio is installed on the host machine, you must have this rule enabled.

ICS Configurations:
If this machine will be an ICS host, then you should check the 'Is Running on Internet Gateway' option, uncheck 'Log Packets Addressed to Unopened Port', and uncheck 'Log Suspicious Packets' in the Miscellaneous area under Advanced. While using an ICS configuration with the gateway option checked, you must use a block all inbound rule at the end of your ruleset. In some cases it was possible to do it without checking the option, but let's just do it this way so it should work. You will now have to use your block all inbound rule to drop packets to unopened ports instead of sending a closed reply, if your rules don't block them first. As far as open connections go, your rules will still apply. You might have to check your logs for connections that are not working among the blocked probes.

Loopback:
The standard loopback rule allows all traffic with the localhost loopback. If you use a software proxy, you will want to configure the port ranges to exclude any ports used by software proxies, for which you will have to make allow rules per program so the proxy doesn't become a hole in your firewall. You can also make separate rules for programs that require loopback access, and not use any general loopback rules.

Proxy Loopback


Here is a link to help with software proxy configurations.
»[Kerio] Generic Rule Set for Kerio (Proxy and no Proxy)

DHCP:
If you're on broadband you most likely use DHCP, even if it's provided by your router or another machine on your LAN. If you use dial-up, you don't use DHCP, and you can uncheck the Unrestricted DHCP rule.

Routers and LANs
If your computer gets its connection from a router or another machine on the LAN, then the router or LAN rules should already allow this. You should be able to disable the Unrestricted DHCP rule without assigning a DHCP server.

Often the DHCP server in your IP configuration is correct; however, at times it's not. The unrestricted rule is logging for a reason: when your connection is active, release and renew your connection. The server in the logs is the server you want to use in the Custom DHCP rule. After you put that server in the assigned rule, disable the Unrestricted DHCP rule.

If you don't know how to release/renew your connection, see IP configuration below.

Assigned DHCP


DNS:
This is required for everything: when you try to visit www.site.com, this is how your computer figures out which numbered IP address belongs to that name. You can simply open your IP configuration, then put those DNS servers in your rules. Once you specify your DNS servers, disable the unrestricted rule. If you don't know how to find the IP configuration information, see below.

As a note, the Unrestricted DNS rule is logging, to be an incentive to actually configure the DNS settings. If you find that you're getting alerts from the Custom DNS Alert rule, make sure that the servers are in your IP configuration before adding them to your rules. If you have multiple providers, or a provider that rotates, it might be easier to use the custom address group. You can make more DNS rules, even use IP ranges, but don't leave gaps in the addresses. If they are not right next to each other, then make a rule for each one if you do it that way.

If you do use the custom address group, do not use the custom IP blocking at the same time, since that will kill your DNS communications.

Assigned DNS


ICMP:
ICMP is pre-configured for most uses, and if you want others to ping you, all you have to do is enable the In ICMP 8 Inbound Ping/Trace rule.

Various Blocking Rules:
Verisign DNS Abuse: With the recent abusive behavior of the Verisign corporation, they have disrupted many internet protocols, so this will help restore your connection to as normal as possible by blocking a couple of key IP addresses.
IGMP: Used for LANs; the LAN bypass rules and router rule would cover this if really needed.
IPv6: Yet another recent scan of computers looking for others with IPv6 working; 99% of normal users won't have to deal with IPv6.
NetBIOS Block: Your LAN rules should permit the communications you need, and NetBIOS should have nothing to do with internet communications.
Windows Services Block: This blocks standard NT services, which should have nothing to do with the internet.
Local Ports Block: The lower standard ports are being scanned recently, so this was added. It's possible this will block real traffic, so you can edit the port range or disable the rule if you really need to.

Block all rules:
When you start making your own rules, make sure they are above the block all rules, and in most cases, if you need to use them, you only need to use the Block all inbound rule. As said above, you will need to use the inbound rule when your machine is the ICS host.

Applications always above the block all rules


IP configuration:
In 9x/ME systems the command is winipcfg, which you can run from the Start menu; it is GUI based.

In NT based systems, open the command prompt, and the program is 'ipconfig'. Type 'ipconfig /?' to see its commands.

If you need help with either of these programs ask in The Microsoft Forum please.

DOWNLOAD:
The download contains two versions: the standard version, which is what we talked about in this thread, and the advanced version.

Download BZ Kerio 2x Default Replacement Update 2
This Default Replacement has been Updated:
Download the Final Version of this Default Replacement
Information on last release

Advanced version
Anybody who feels they know enough about rule based firewalls to use the advanced version should be able to make their own rulesets already. Rules to control your LAN via subnets, and anti-spoofing rules, are in this version. Less support will be provided for the advanced version, since the users should know what they are doing.

Advanced Additions



If you have any questions
Please do not ask any questions about your configuration, do not post any screenshots of your configuration, and consider that this is an option I am providing to be more secure from the beginning. Only questions about this default configuration directly please, and please keep those questions in this thread. No IMs or e-mail please. When you start your own thread for questions about your custom configuration, it would be helpful to mention that you started using my default replacement ruleset, and which version. This is the second update.

You can incorporate these rules into your own ruleset if you like, but please understand what they do before you do. Copying others' rules might not help when you don't understand what you're permitting.

The intent of this thread is not to teach you how to use the firewall; that is something which takes experience and knowledge, as Kerio is far from Plug n Pray. This thread is merely providing a ruleset which is more secure than the default ruleset provided with Kerio. You still have to set up your own rules and learn how to use the program correctly, and by no means is this configuration guaranteed to work for everybody.

I thank Gwion for his assistance on this project.
--
My hourly rates:
$25 per hour.
$35 per hour if you want to watch.
$45 per hour if you want to help.
$75 per hour if you tried to fix it, and failed.
[text was edited by author 2003-09-21 05:56:20]


BlitzenZeus


Preventing localhost IP spoofing

I thought about making an update, but there is really one main change that people could easily do themselves. So here is the link, and you can apply it if you want to.
»Preventing IP spoofing of the localhost

Note for advanced users: You already have a rule in place you can edit, so you don't need to make another blocking rule. Delete the 127.0.0.0 anti-spoofing rule, and edit the 127.x anti-spoofing rule to the range 127.0.0.0-127.255.255.255 from 127.0.0.2-etc..., after making the change to the loopback rules.
[text was edited by author 2003-09-27 11:27:16]
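As an added example that is not part of either post (Kerio keeps its rules in its GUI, not in any text format), the following Python models the first-match behaviour both posts rely on: the Assigned DNS rule matched before the logging Unrestricted DNS rule, a loopback rule pinned to 127.0.0.1 on both ends with the 127.x anti-spoofing rule widened to 127.0.0.0-127.255.255.255 as the follow-up suggests, and an inbound rule placed below Block all inbound that can never fire. The rule fields, the DNS server 192.0.2.53 and every sample rule are constructed assumptions.

```python
# Added example (constructed): toy first-match evaluator for a Kerio 2.x-style ruleset.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    direction: str        # "in", "out" or "both"
    proto: str            # "udp", "tcp", "icmp" or "any"
    local: str            # local address: CIDR or "lo-hi" range
    remote: str           # remote address: CIDR or "lo-hi" range
    port: Optional[int]   # None matches any port
    action: str           # "permit" or "deny"
    log: bool = False

def in_range(ip: str, spec: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s) for s in spec.split("-"))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)

def evaluate(rules, direction, proto, local_ip, remote_ip, port=None):
    """First matching rule wins; an unmatched packet falls to the default deny."""
    for r in rules:
        if r.direction not in (direction, "both") or r.proto not in (proto, "any"):
            continue
        if r.port is not None and r.port != port:
            continue
        if in_range(local_ip, r.local) and in_range(remote_ip, r.remote):
            return r.name, r.action, r.log
    return "default", "deny", False

def shadowed_by_block_all(rules, block_name="Block all inbound"):
    """Inbound rules placed below the block-all rule can never fire."""
    cut = [r.name for r in rules].index(block_name)
    return [r.name for r in rules[cut + 1:] if r.direction in ("in", "both")]

# Constructed ruleset in the post's layout: loopback pinned to 127.0.0.1 on both ends,
# 127.x anti-spoofing widened to the full range, assigned DNS above unrestricted, block-all last.
ANY = "0.0.0.0/0"
RULESET = [
    Rule("Loopback", "both", "any", "127.0.0.1", "127.0.0.1", None, "permit"),
    Rule("Anti-spoof 127.x", "both", "any", ANY, "127.0.0.0-127.255.255.255", None, "deny", log=True),
    Rule("Assigned DNS", "out", "udp", ANY, "192.0.2.53", 53, "permit"),   # placeholder DNS server
    Rule("Unrestricted DNS", "out", "udp", ANY, ANY, 53, "permit", log=True),
    Rule("Block all inbound", "in", "any", ANY, ANY, None, "deny", log=True),
    Rule("Game server (misplaced)", "in", "tcp", ANY, ANY, 27015, "permit"),
]
```

A spoofed packet arriving on the public address with a 127.0.0.1 source fails the pinned loopback rule and is caught by the anti-spoofing rule, while the misplaced game server rule is reported as unreachable.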