(Kerio version 2.1.4)
I tested the Kerio Firewall software and found that it works very well. The documentation is good, available in many languages as separate PDF files, and there is English online help.
The only problem is that the documentation is not very explicit about custom rule configuration, and the correct configuration of these rules makes the difference in what the firewall actually achieves.
Kerio Firewall has 3 basic security levels: Permit Unknown, Ask Me First and Deny Unknown (explained below).
These 3 levels can be set by right-clicking the firewall icon and selecting the Administration item. The rule setup can be found by clicking the "Advanced" button (see image).
So, if we want to set up our firewall, first we must know some basics of how firewalls work.
A firewall takes action on Internet connections based on a set of rules. A rule is an allow or deny action tied to a network specification: the direction of the connection, the protocol, the remote address and port, and (in a personal firewall like this one) the local program that opens the connection.
The Internet is far too big to write a rule for each computer connected to it, so we have several ways around this: a rule can match any address, a port or range of ports, a protocol or a direction instead of a single host.
Returning to the Kerio firewall, we find that the Permit Unknown setting corresponds to the default ALLOW method (we do not want to use this method): anything that no rule covers is let through. The Deny Unknown setting corresponds to the default DENY method: anything that no rule covers is blocked.
To work properly, in both cases the rules MUST be set correctly. The difference is what a missing rule costs you: with default allow, a missing rule is a hole; with default deny, a missing rule is only a program that stops working.
The Ask Me First setting is what the Kerio programmers call Learning mode. When we run in this mode and a connection does not match any rule, the firewall pops up a window asking us to allow it, deny it, or build a rule. Here is where the documentation falls short in teaching what to do.
When we connect to the Internet in this mode we are prompted many times, and sometimes so fast that we soon switch to the Permit Unknown setting, or we add allow rules without checking what we are allowing.
The problem in the latter case is that the rule set grows and soon becomes impossible for a human to understand, and for sure our computer will allow much more than we want. So, what's the solution?
We have to build some basic rules allowing normal connections, based on known information (the ports and protocols the services use). When this is done, we go to learning mode and run only one Internet program (the one we want to use, to test how the firewall interacts with it). Now we get prompted to allow, deny or build rules. We can build a general rule and then click Allow, then check that the application works OK.
Then we go to the firewall administration setup, click Advanced and take a look at what rules were added. We do not want 100 rules for an application; we need only one general rule (or a few) for that application, so we merge and tidy what learning mode created.
When this is done, we start the next application we usually run and start all over again. Repeating this, we soon have almost all our programs included in the firewall settings, and then we can finally switch safely to the Deny Unknown setting.
After that there is no need to touch the firewall settings until you add a new program that requires a specific setup. If you are testing a new program and have trouble making it work, you can set Permit Unknown, test the application, and only if you decide to keep that program build a custom rule for it (and switch back to Deny Unknown afterwards).
Here it is explained how to configure the firewall for basic operation, and then how to set it up for 2 programs:
Now we start with some special rules. Before we try to set up a program we have to gather all the information we can about what it needs. In this case I will use the example of Combat Flight Simulator, but the same has to be done for programs like ICQ and other instant messengers, Roger Wilco, Battle com, Gnutella and many others that require an Internet connection.
Searching the web we can find 2 documents from Microsoft with details about the network requirements to play online (take a look and then come back with the Back button of the browser, or open the links in a new window):
Q240429 - DirectX Ports Required to Play on a Network.
Q159031 - Zone Network Ports Required to Play.
With both of them we can build rules 6, 7, 8 and 9. Such rules allow playing any game using DirectX and connecting without problems to www.zone.com, including Zone friends and chat. Note that some of the ports required by the Zone are already in previous rules (ports 80, 443 and 6667 are part of rule 5, "Basic Web, ftp, ...").
OK. Everything appears to be right to play on the Zone. Before that, we first try to get the program TEAMSPEAK 2 working using learning mode. So, we set the firewall to "Ask me first", start TeamSpeak and try to connect to public server 3.
We get 2 alerts:
In both cases we check "Create appropriate filter ..." and click the Permit (allow) button. Now TeamSpeak is working fine; I can talk with other people and they can hear me.
Let's take a look at what rules the firewall created:
So here we can see that 2 new rules are present. They are very similar; the only difference is that one is an IN rule and the other an OUT rule, both for the UDP protocol, so we can transform the first one into this:
This is done by editing the first rule the firewall created, changing the direction to "Both directions", and then deleting the second rule. As created, the rule only matches port 9700 on ANY IP address (that port is where TS public server 3 runs). Looking at the TS public servers we find that public servers 1 and 2 run on the same IP on ports 9500 and 9600, and *maybe* other TS servers on *different* IPs also use such ports. So we leave the rule this way...
Now with that rule we can connect to all 3 public servers on the TS host, and *maybe* to other servers running on other IPs. Keep the rule tied to the TeamSpeak executable: a "Both directions, any address" rule is acceptable only because it applies to that one program and those ports, not to everything on the machine.
Here we do the same thing as before. Just connect to the Zone; maybe a few persistent UDP packets will ask to be allowed or denied: click Deny. We test sending some Zone messages: works. Chat in the main chat window is normal... so it works! We try to join a game... works!
But here we start to get requests to allow TCP and UDP connections for the program CFS.
We just check "Create appropriate filter ..." and click the Permit (allow) button.
Make sure that the alert is from the CFS program: you can see the icon of the game and the path to the executable file in the alert window. If the alert is for anything else, just hit Deny (and do not create a rule).
We are in the Ready Room of CFS; we can play and everything works fine.
Stop the game and take a look at what rules were created:
Again here we can turn 3 rules into 2 (joining the IN and OUT UDP rules into a single one), or even into one rule allowing both protocols (TCP and UDP) in both directions.
And here is how we set up such a rule:
Now we try to HOST a game. This is different from joining, because other players need to open connections to our computer. Let's try!...
We get a few alerts about TCP; we do the same as before. Really, I don't know why I get that alert, because the previous requirement for DirectX was covered in rules 6, 7 and 8. But let's allow the request. The game is normal; we can host the game and play, and when we finish we take a look at the rules created by the firewall,
and we transform both rules into a single rule, setting the rule this way:
But we want to know when somebody is trying to break into the computer, so we add a FINAL DENY RULE: any direction, any protocol, any address, any port, action Deny, and we check the Log box. Optionally we also check "Display alert box ...", so we get a warning on each match of this rule. Remember that a match on this rule is an unwanted connection, because it failed to match all the allow rules above it.
In my personal opinion the "Display alert box ..." option should be set only while we are testing the firewall. Most of the time we don't want windows popping up. When you finish testing the firewall and everything is working fine, disable this feature and leave only the Log box checked.
Here we can see how the warnings are displayed:
Please note that "Learning mode" / "Ask me first" will prompt you to decide an action ONLY if a connection or packet matches NO rule at all. Now ALL packets match either one of our desired rules or, if not, the last default deny. So this last rule makes "Learning mode" work exactly like the "Deny Unknown" setting. If you want to activate learning mode and get the action prompt back (for example, to test or add a program), just disable this rule by unchecking the box at the left of the rule name, and enable it again when you are done.
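To make the rule semantics concrete, here is a small Python model of what this page describes: first-match evaluation with the three security levels, folding an IN rule and an OUT rule into one "Both directions" rule (as done above for TeamSpeak), and the effect of the final logged deny-all rule on learning mode. It is an added example written for this page, not Kerio code; the Rule fields, the TeamSpeak executable path, the port range 9500-9700 and the sample packets are assumptions constructed from the text.

```python
from dataclasses import dataclass, replace

ANY = "any"


@dataclass(frozen=True)
class Rule:
    """One firewall rule. Field names are this example's own, not Kerio's."""
    name: str
    action: str          # "allow" or "deny"
    direction: str       # "in", "out" or "both"
    protocol: str        # "tcp", "udp" or ANY
    remote_addr: str     # dotted IP or ANY
    remote_port: object  # int, (lo, hi) inclusive range, or ANY
    application: str = ANY  # path of the local program, or ANY
    enabled: bool = True
    log: bool = False


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    remote_addr: str
    remote_port: int
    application: str


def port_matches(spec, port):
    if spec == ANY:
        return True
    if isinstance(spec, tuple):
        lo, hi = spec
        return lo <= port <= hi
    return spec == port


def rule_matches(rule, pkt):
    return (rule.enabled
            and rule.direction in ("both", pkt.direction)
            and rule.protocol in (ANY, pkt.protocol)
            and rule.remote_addr in (ANY, pkt.remote_addr)
            and rule.application in (ANY, pkt.application)
            and port_matches(rule.remote_port, pkt.remote_port))


def evaluate(rules, pkt, mode, log):
    """The first enabled rule that matches decides. If none matches, the
    security level decides: permit_unknown -> allow, deny_unknown -> deny,
    ask (learning mode) -> prompt the user."""
    for rule in rules:
        if rule_matches(rule, pkt):
            if rule.log:
                log.append(f"{rule.name}: {pkt.direction} {pkt.protocol} "
                           f"{pkt.remote_addr}:{pkt.remote_port} {pkt.application}")
            return rule.action
    return {"permit_unknown": "allow", "deny_unknown": "deny", "ask": "prompt"}[mode]


def merge_directions(a, b):
    """Fold an IN rule and an OUT rule that differ only in direction into
    one 'both' rule; returns None if they differ in anything else."""
    if {a.direction, b.direction} != {"in", "out"}:
        return None
    for field in ("action", "protocol", "remote_addr", "remote_port", "application"):
        if getattr(a, field) != getattr(b, field):
            return None
    return replace(a, direction="both")


# Constructed sample: the two rules learning mode created for TeamSpeak
# (UDP, any address, port 9700), one IN and one OUT. Path is hypothetical.
TS_EXE = r"C:\TS\TeamSpeak.exe"
TS_IN = Rule("TeamSpeak in", "allow", "in", "udp", ANY, 9700, TS_EXE)
TS_OUT = Rule("TeamSpeak out", "allow", "out", "udp", ANY, 9700, TS_EXE)

# Fold them into one rule and widen it to the ports the other public
# servers use (9500-9700 is an assumption about the author's final rule).
TS_BOTH = replace(merge_directions(TS_IN, TS_OUT), name="TeamSpeak",
                  remote_port=(9500, 9700))

# The final "Deny all rest" rule: matches everything, logs every hit.
DENY_ALL = Rule("Deny all rest", "deny", "both", ANY, ANY, ANY, log=True)


def ruleset(final_deny_enabled=True):
    return [TS_BOTH, replace(DENY_ALL, enabled=final_deny_enabled)]


def demo():
    log = []
    ts_pkt = Packet("out", "udp", "203.0.113.5", 9600, TS_EXE)
    new_app = Packet("out", "tcp", "203.0.113.9", 2300, r"C:\Games\BattleCom.exe")
    return {
        "ts_allowed": evaluate(ruleset(), ts_pkt, "ask", log),
        # With the final deny enabled, learning mode never prompts.
        "new_app_with_deny_all": evaluate(ruleset(), new_app, "ask", log),
        # Untick the final rule and the prompt comes back.
        "new_app_without_deny_all": evaluate(ruleset(False), new_app, "ask", log),
        "log_entries": len(log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The model reproduces the point made above: once a match-all deny sits at the end, "Ask me first" is indistinguishable from "Deny Unknown" because no packet ever reaches the "no rule matched" branch; disabling that one rule is what brings the prompt back.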
Here is what happens when we try a new program with all our settings:
We can see at the upper left that the firewall is in "Ask me first" (learning mode). At the bottom left a new application is running (Battle com). The warning window pops up with a "Deny all rest" rule match. At the bottom right are the details copied to the clipboard to see more about the warning. WE DO NOT GET THE ACTION PROMPT WINDOW.
Here is the complete Rules window (you can click on each rule name to see its configuration):
Please make the default deny rule the last one, moving rules with the arrows on the right: rules are checked in order and the first match wins, so anything placed after the deny-all rule is never reached.
Here is the configuration for the Microsoft local network:
The first time a program interacts with the firewall, the MD5 checksum of its executable is generated and saved. In the future, when that program interacts with the firewall again, Kerio verifies that the MD5 checksum matches the one previously stored.
This is very interesting, because if somebody modifies a program that is allowed to pass the firewall (adding a backdoor, for example), the firewall will recognize the modification and warn you that the program has changed instead of silently applying its allow rules.
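The following is an added example of the same trust-on-first-use checksum idea, written for this page and not Kerio's code: a store that records a program's digest the first time it is seen and reports "modified" when the file changes. The file name, its contents and the appended bytes are constructed stand-ins, and the store keys on the path just as the description above implies.

```python
import hashlib
import os
import tempfile


def file_digest(path, algorithm="md5", chunk_size=65536):
    """Hash a file in chunks so a large executable never has to fit in memory.
    Kerio 2.1.4 uses MD5; pass "sha256" for the modern equivalent."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


class ApplicationChecksums:
    """Trust-on-first-use store: the first time a program path is checked its
    digest is recorded; every later check compares against that stored value."""

    def __init__(self, algorithm="md5"):
        self.algorithm = algorithm
        self.known = {}  # path -> hex digest

    def check(self, path):
        digest = file_digest(path, self.algorithm)
        stored = self.known.get(path)
        if stored is None:
            self.known[path] = digest
            return "learned"
        return "ok" if stored == digest else "modified"


def demo(algorithm="md5"):
    """Constructed stand-in for a game executable: record it, re-check it,
    then append bytes (as a trojaned build would) and check again."""
    workdir = tempfile.mkdtemp()
    exe = os.path.join(workdir, "cfs.exe")  # hypothetical path, not a real file
    with open(exe, "wb") as f:
        f.write(b"MZ original program bytes")
    store = ApplicationChecksums(algorithm)
    first = store.check(exe)
    second = store.check(exe)
    with open(exe, "ab") as f:
        f.write(b"\x90\x90 injected code")
    third = store.check(exe)
    return first, second, third


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add today: the store is only as trustworthy as the first copy it saw, so a program that was already backdoored when first learned is "ok" forever; and MD5 collisions have been practical since 2004, so a store written now should use SHA-256, which the algorithm parameter allows.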
To test this I upgraded DirectX 8.0 to the latest version, 8.1. I installed the new version, rebooted, then started a new connection to the Internet and tried to host a CFS 1 game (that game uses DirectX).
And here is what I get:
Remember that in the MISCELLANEOUS options you can save your rules for future use or for a specific setup; this allows different users to have different custom setups. In the MD5 options you can see and verify the application checksums at any moment.
I easily built all the rules in a few minutes; the setup is very flexible. I tested the firewall on many online scan pages and it passed all the tests: trojan, stealth, basic scan and others. I think the KERIO firewall works fine, and if it doesn't secure your system it is because of a bad configuration (for example: thinking that ping is secure, when your system is vulnerable to some kind of allowed ping).
I can't compare it with other Windows firewalls, so I can't say if this one is better or worse. I can only say it does its job.
The bad side is that the documentation needs to be more complete. And I found that some special stealth scans can detect if a port is open, but that is a very uncommon scan method.
A complete normal scan of 64000 ports without the firewall took about 13 seconds. With the firewall, one hour was not enough to complete the scan.
You can download the configuration explained here and load it into your firewall, but: edit and customize it to match your own settings and requirements!!:
Download File.
This document is free to copy. Here everything is free; all I ask is that you put a link to this original, or to the 83rd Squad main page :) 83rd Squadron Home.
P.S.: Sorry about the mistakes; my command of English is not great. But IMHO information comes above all orthographical rules :).
September 10, 2002: Release. Written by 83_Col_Matias.
September 11, 2002: Orthographical review.