Explanation of Kerio Rules
How and Why it Works



Click to go on to Page 2 of the Rules Explanations

Block Persfw
The Block Persfw rule (Persfw is the firewall's own program) provides a level of protection against trojans and viruses: it blocks the firewall itself from talking to the Internet. Many trojans look for targets of opportunity and will infect any executable file they can reach. If that happens to be your firewall, the trojan inherits the trust the firewall always gives itself to access the net. Some trojans deliberately seek out and attach themselves to the firewall program, with the same result. Blocking the firewall's own program from the net means that even a compromised copy has no route out.

Allow Router Solicitation Alternate
Allows your system to send out broadcasts asking for a router, also known as a gateway (an ICMP Router Solicitation message, sent to the broadcast or all-routers address). A router is what connects groups of computers together; in this case, it is what lets your computer or host talk to the rest of the Internet. Generally, this rule can be disabled with no ill effect, because most systems learn their router from DHCP. It is enabled by default only to ensure compatibility with all systems. Turn it off unless you know you need it.

Allow DHCP Broadcast
This rule allows your system to send UDP packets from local port 68 to the broadcast address 255.255.255.255 on port 67. This is a special address and these are special ports: DHCP is how your system asks your ISP or network for an IP address (and possibly other configuration, such as the router and DNS servers) when it first starts, and again while you're online whenever its lease has to be renewed.

Allow Broadcast
This allows a DHCP server to reply to your system with its setup information. The reply arrives while your system's own address is still 0.0.0.0, yet another special IP address, which is why this rule has to accept traffic for it.
Ideally, you would insert a rule above this one that allows traffic in both directions to the IP address of your ISP's DHCP server. Depending on your configuration, you might then be able to disable this and the other DHCP rules. You can get the address by emailing or calling your ISP; on Windows, ipconfig /all also lists it as the DHCP Server.

Allow Localhost Resolution
Localhost is a special address that lets your own computer talk to itself. Every Internet-capable computer, even one that isn't connected at the moment, has a localhost address: 127.0.0.1. (Strictly, the whole range 127.0.0.0 to 127.255.255.255 is reserved for it, but 127.0.0.1 is the one that matters in practice.) This rule lets your programs freely send data to and from localhost. Local proxies like Proxomitron, WebWasher, CookieCop and such need this to work properly; otherwise, the firewall might try to stop them.

Permit DNSKong to 127.0.0.1
As mentioned above, localhost is a special address. DNSKong works by intercepting all DNS requests (which appear as UDP traffic going to remote port 53) and checking whether the domain name being looked up is to be blocked or permitted. Ideally, you would want every DNS request to pass through DNSKong, which (through its Proxy DNS feature) then forwards the requests it doesn't block to your ISP's DNS servers. That way, not even the most cleverly written trojan or worm could get a name resolved without DNSKong seeing it.
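As an added illustration of what a DNS filter like the one described above has to do, here is a small Python program that parses the question section of a DNS query as it appears on the wire (a UDP payload to port 53), pulls out the domain name, and decides whether to block it or forward it. This is example code written for this page, not DNSKong's own code; the block list names (ads.example, tracker.example) and the queries are constructed for the example, and the "drop" decision for malformed packets is this example's own choice.

```python
import struct

# Constructed block list for the example (hypothetical names, not a real list).
BLOCKLIST = {"ads.example", "tracker.example"}


def parse_query_name(payload: bytes) -> str:
    """Return the name asked for in the first question of a DNS query.

    Raises ValueError for anything that is not a well-formed query, so the
    caller can drop it instead of guessing.
    """
    if len(payload) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:
        raise ValueError("not a query (QR bit set)")
    if qdcount < 1:
        raise ValueError("no question section")
    labels = []
    pos = 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated name")
        length = payload[pos]
        pos += 1
        if length == 0:                      # root label ends the name
            break
        if length >= 0xC0:                   # compression pointer: not valid in a query name
            raise ValueError("compression pointer in question name")
        if length > 63 or pos + length > len(payload):
            raise ValueError("bad label length")
        labels.append(payload[pos:pos + length].decode("ascii").lower())
        pos += length
    if pos + 4 > len(payload):               # QTYPE and QCLASS must follow the name
        raise ValueError("truncated question")
    return ".".join(labels)


def is_blocked(name: str, blocklist=BLOCKLIST) -> bool:
    """True if the name or any parent domain of it is on the block list."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Construct a standard A query for `name` (used here to make sample input)."""
    q = bytearray(struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0))  # RD set, 1 question
    for label in name.split("."):
        q.append(len(label))
        q += label.encode("ascii")
    q.append(0)
    q += struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN
    return bytes(q)


def filter_query(payload: bytes):
    """Decide what to do with one UDP payload bound for port 53.

    Returns ("forward", name), ("block", name) or ("drop", reason).
    """
    try:
        name = parse_query_name(payload)
    except ValueError as err:
        return ("drop", str(err))
    if is_blocked(name):
        return ("block", name)
    return ("forward", name)


if __name__ == "__main__":
    for qname in ("www.example.com", "www.tracker.example", "ads.example"):
        print(qname, "->", filter_query(build_query(qname)))
    print("garbage ->", filter_query(b"\x00\x01\x02"))
```

The parent-domain check is what makes a block list useful: blocking tracker.example also blocks www.tracker.example and anything else under it. Refusing compression pointers in the question is deliberate; a query has nothing earlier in the packet to point at, so a pointer there is a sign of a malformed or crafted packet.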

Permit DNS to DNS Server x
These six rules let you set your system up so that requests to resolve domain names can only be made to servers you trust, i.e. your ISP's DNS servers. Ideally, if you're running DNSKong, you would further restrict them so that only DNSKong can make those requests. But since not everyone runs DNSKong, as shipped they allow ANY application to make DNS requests, as long as they go to your trusted DNS servers.
You don't want to use untrustworthy DNS servers because they could return a false IP address. In other words, a malicious DNS server could report a fake address and send your browser to a fake website. This is called DNS hijacking or DNS spoofing, and is covered in more detail elsewhere on this site.
Six DNS servers is a lot. Most ISPs only use three or four, so email your ISP, ask for the IP addresses of its DNS servers, and edit the rules to use the addresses they give you. Disable any extra Permit DNS to DNS Server rules. You can also put these addresses into DNSKong's Proxy DNS menu, which allows up to five, and then edit the Permit DNS to DNS Server rules so that only DNSKong may reach the trusted addresses, which gives you some extra protection.
A few giant ISPs, like AOL, have a dozen or more DNS servers, and you get different ones each time you sign on, so you'll have to insert additional rules here if you want this to work. If you use DNSKong's Proxy DNS feature, add the first five through the Proxy DNS menu, then edit the dnskong.ini file in your Windows folder and add any further ones there, up to a total of 25.

Block All DNS
This rule is intended to be used together with the Permit DNS to DNS Server rules above: it denies DNS requests to anything but those trusted DNS servers. If DNSKong is set up for Proxy DNS and the permit rules are restricted to it, only DNSKong will be able to make DNS requests at all. Keep this rule below the Permit DNS to DNS Server rules: rules are checked from the top down and the first one that matches wins, so placed above them it would block the trusted servers too.
This can be a real pain to set up, but it does provide a lot of protection.

Permit DNS
This is intended for those of you who don't want to mess with a proper DNS setup. It is enabled by default: just don't enable the DNS to DNS Server and Block All DNS rules. If you do use the DNS rules above, disable this one; left enabled, it can permit DNS requests to any server and defeat the restriction.

Permit ICMP In
This permits certain Internet Control Message Protocol (ICMP) messages to be received by your system. ICMP provides a number of services to your computer, such as Destination Unreachable messages that tell you a host or site cannot be reached.
Some ICMP types cause your computer to send a reply when it receives them; an Echo Request, the message ping sends, is the obvious one. Since part of the purpose of a firewall is to "stealth" your presence, answering those would give away your existence. So this rule, and the one following, allow in only the ICMP types that are really necessary and that don't provoke a reply revealing that you are online.

This website and its contents copyright 2002 by Sponge.