Rules for advanced packet filters can be viewed in the Filter Rules tab of the Advanced Packet Filter dialog window.
Rules are ordered in a list. Whenever a network connection is detected, the list is tested rule by rule from the top down, and the first rule the traffic matches is applied. Use the and buttons or the Ctrl+Up Arrow and Ctrl+Down Arrow key combinations to reorder the list as needed. Because the order decides which rule wins, more complex combinations of filtering rules can be built this way.
Packet filter rules can optionally be classified into groups. Membership of a rule in a group does not influence how rules are applied, since rules in all groups are always tested. This implies that groups are for reference only. Rule groups are displayed on the left of the Filter Rules tab.
Click on a group name to view the list of rules included in the group.
The following two groups are predefined and they cannot be removed:
All rules (“parent group”) — includes all packet filter rules
Default — includes all rules which have not been added into another group.
Note: Groups of rules cannot be created nor removed explicitly. New groups can be created by entering a new group name during a rule definition. Groups are removed automatically when the last rule is removed.
Use the following buttons below the group list to handle packet filter rules:
— opens a dialog for modification of the selected rule (this dialog can also be opened by double-clicking on a selected rule)
— adds a new rule to the end of the list
— inserts a new rule at the current position (the new rule will precede the selected rule)
— removes the selected rule
Notes:
If no rule is selected, only the button is available.
Hold down the Ctrl or the Shift key to select multiple rules. Rules selected in this way can only be moved or deleted as a group. Use the button to edit the first selected rule (the topmost one). The button inserts a new rule before the first rule of the selection.
Clicking on the , or button opens a dialog for definition of a packet filter rule. A rule is defined by the following parameters:
Rule description/name. We recommend entering a brief rule description (purpose, application name, etc.). This description is used for your reference only. For automatically generated rules, the name of the local application participating in the communication is inserted.
Local application to which the rule is applied. The application can be entered by hand (full path to the corresponding executable file), selected from a menu (the menu offers applications used in other rules) or located on the disk (use the button to open a standard system dialog for selecting the executable).
You can also create a general filtering rule which will be applied on all applications. This can be done through the any option or by leaving the Application item blank.
Rule group in which the rule will be included. Membership of a rule in a group does not influence how rules are applied — the entire rule list is always tested. This implies that groups are used for reference only.
Use the Group item to choose a group from the menu, or add a new group by entering a new group name — the rule will automatically be included in that group. All rules are added to the Default group by default. The same applies to rules which are generated automatically (see above, or refer to chapter 5.2. Connection Alert (unknown traffic detection)).
Enables/disables logging of communication meeting this rule into the Network log (see chapter 16.4. Network Log).
Check this option to enable the Alert dialog (read more in chapter 5.5. Alert Dialog Window (alerts on events)) whenever traffic meeting this rule is detected.
Set parameters for the protocols to which the rule will be applied. Typically, a single protocol is used for traffic (e.g. TCP or UDP); however, some applications use multiple protocols concurrently (e.g. TCP and UDP on the same ports).
If the Protocol entry is left empty, the rule will be applied to any protocol.
Note: If an application uses TCP and UDP protocols at various ports, two different packet filter rules must be defined.
Click on the or button to open a dialog for protocol definition.
The protocol is specified by its protocol number in the IP packet header. This number can be entered directly through the Number entry. Use the Name option to select from a menu of predefined protocols.
You can use the Description text field to enter a description for your reference. It can be viewed in this dialog only.
The Codes item will be available in the dialog if ICMP is selected. Use this entry to specify the types of ICMP messages to which the rule will be applied.
Types of messages are defined by numeric codes (individual codes are separated by commas). If the Codes entry is not specified, the rule will be applied to all types of ICMP messages.
Click on the button to open a special dialog for selecting types of ICMP messages. Select the appropriate types, then click on the button; the codes of the selected types will be inserted into the Codes entry automatically.
Specify parameters for the local point. Kerio Personal Firewall implicitly uses all local IP addresses, including the loopback addresses. For this reason local parameters can be specified only by ports.
Use the button to add a single port (Add port) or a port range (Add port range). Multiple ports and port ranges can be specified — this way any port group can be covered easily.
The port can be specified either by entering a port number in the Number entry (only values in the range 1-65535 are valid) or by selecting a predefined service in the Name item. You can use the Description entry to describe the port or the service (for reference only).
The dialog for range specification consists of two essential entries: First port (first port in the range) and Last port (last port in the range).
Specification of the remote point of a connection. An IP address, a port or both can be specified. The rule will be applied if the packet contains any of the defined IP addresses and one of the defined ports.
Either individual ports (Add port) or a port range (Add port range) can be defined. The dialog is the same as for the Local point — see above.
Use the following methods to specify IP addresses:
a single IP address (Add address)
IP address range (Add address range) — enter first and last address of the range
subnet (Add address / mask) — specify subnet address and a corresponding mask
IP address group (Add IP group) — use the Select option to select one from the menu of IP addresses defined through the IP Groups tab (see below)
Individual methods can be combined.
Direction of the traffic which the rule will be applied to: Both directions, Incoming or Outgoing connection.
Traffic direction is determined by the direction of the initial packet which starts the connection.
Action which will be taken by Kerio Personal Firewall when a connection meeting this rule is detected:
Permit — allows the connection
Deny — blocks the connection
To define rules effectively, it is important to understand how the individual parts of a rule and their items are related.
The logical relation among Protocol, Local and Remote is “and”. This implies that only traffic which meets all of these conditions matches the rule.
The logical relation between entries within one item (protocols, IP addresses or ports) is “or”.
Example: The Remote item consists of two port ranges: 80-88 and 8000-8080. The rule is matched when the remote port belongs to either of these ranges.
The logical relation between the “IP address” and “port” items in the Remote entry is “and”.
Example: The Remote entry is specified by the IP address 65.131.55.1 and the port number 80. This condition is met only by traffic whose remote computer has the IP address 65.131.55.1 and uses port number 80.
The Protocol, Local and Remote entries are closely related. Observe the following rules to ensure that a rule works as intended:
Port definitions are meaningful only for the TCP and UDP protocols (ports are ignored for other protocols).
If the rule applies to any protocol (the Protocol is not specified), port numbers are not applicable, as they are used only for traffic over TCP or UDP.
An application service is defined by port numbers and by a protocol. In the packet filter rule dialog, a service is represented by its port only — the protocol must be entered by hand.
Example: Suppose we want to create a rule for incoming HTTP connections (i.e. to enable access to a Web server on a computer which is protected by Kerio Personal Firewall). We take the following steps:
Add a port in the Local section. Select the HTTP service — this will automatically set the port value to 80.
Go to the Protocol section and set TCP, which is the protocol used by the HTTP service.
The most common traffic model is client-to-server communication. The server listens on a predefined port for incoming connections. A client starts the connection by requesting a free local port (whose number is not known in advance) from the operating system; this port is then used for the connection. This implies that, unlike the server port (which must always be known), any free port may be used temporarily on the client side.
These facts should be considered when defining packet filter rules. The following two examples illustrate the problem:
Example 1: We intend to enable access to a Web server on a local computer with IP address 60.80.100.120. We can achieve this by defining the following rule:
Protocol — [6] TCP (the HTTP service uses the TCP protocol)
Local — Port: [80] HTTP (the Web server runs on the local computer)
Remote — Address: 60.80.100.120 (the client, represented by a Web browser, will be running at a remote host; its port is not known yet, which is why we specify the IP address only)
Example 2: We intend to block connections to the Web server with IP address 90.80.70.60. This is how we define the rule:
Protocol — [6] TCP
Local — we leave this entry empty (the client port cannot be specified in advance)
Remote — Port: [80] HTTP, Address: 90.80.70.60 (specification of the remote server)
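The matching semantics described above (first match from the top of the list wins; “and” between Protocol, Local and Remote; “or” between entries within one item; “and” between address and port inside Remote; ports ignored for protocols other than TCP and UDP) can be modelled in a few dozen lines. The following Python script is an added example and is not code from Kerio Personal Firewall; the Rule, Endpoint and Connection classes, the evaluate() function, the rule names and the “ask” default for unmatched traffic are this example’s own assumptions. It encodes the three rules from the examples above (the 80-88 / 8000-8080 port-range rule, Example 1 and Example 2) and runs a few constructed connections through them; the directions assigned to the example rules (incoming for Example 1, outgoing for Example 2) are also assumed.

```python
"""Added example: a model of the packet filter rule evaluation described in the
manual. Not the product's own code; class and function names are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# IP protocol numbers as carried in the IP header's protocol field.
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


@dataclass
class Endpoint:
    """Local or Remote item of a rule. Empty lists mean 'any'."""
    ports: list = field(default_factory=list)     # inclusive (first, last) ranges
    networks: list = field(default_factory=list)  # ipaddress networks (/32 = single host)

    def port_matches(self, port):
        # Entries within one item are combined with "or".
        return not self.ports or any(lo <= port <= hi for lo, hi in self.ports)

    def addr_matches(self, addr):
        return not self.networks or any(ip_address(addr) in n for n in self.networks)


@dataclass
class Rule:
    name: str
    action: str                                   # "permit" or "deny"
    protocols: set = field(default_factory=set)   # empty = any protocol
    local: Endpoint = field(default_factory=Endpoint)
    remote: Endpoint = field(default_factory=Endpoint)
    direction: str = "both"                       # "both", "in" or "out"


@dataclass
class Connection:
    """A detected connection; direction is that of its initial packet."""
    protocol: int
    direction: str
    local_port: int
    remote_addr: str
    remote_port: int


def rule_matches(rule, conn):
    if rule.direction != "both" and rule.direction != conn.direction:
        return False
    # Protocol, Local and Remote are combined with "and".
    if rule.protocols and conn.protocol not in rule.protocols:
        return False
    # Ports are meaningful only for TCP and UDP; ignored for other protocols.
    ports_apply = conn.protocol in (PROTO_TCP, PROTO_UDP)
    if ports_apply and not rule.local.port_matches(conn.local_port):
        return False
    # Inside Remote, address and port are combined with "and".
    if not rule.remote.addr_matches(conn.remote_addr):
        return False
    if ports_apply and not rule.remote.port_matches(conn.remote_port):
        return False
    return True


def evaluate(rules, conn, default="ask"):
    """Test the list top-down; the first matching rule decides the action."""
    for rule in rules:
        if rule_matches(rule, conn):
            return rule.action, rule.name
    return default, None


def example_rules():
    """The rules from the manual's examples (names and directions assumed)."""
    host = lambda a: ip_network(a + "/32")
    return [
        # Example 1: permit incoming HTTP to the local Web server.
        Rule("Example 1", "permit", {PROTO_TCP}, direction="in",
             local=Endpoint(ports=[(80, 80)]),
             remote=Endpoint(networks=[host("60.80.100.120")])),
        # Example 2: deny outgoing connections to the Web server 90.80.70.60.
        Rule("Example 2", "deny", {PROTO_TCP}, direction="out",
             remote=Endpoint(ports=[(80, 80)], networks=[host("90.80.70.60")])),
        # Port-range example: remote port 80-88 or 8000-8080 (TCP assumed).
        Rule("Web range", "permit", {PROTO_TCP},
             remote=Endpoint(ports=[(80, 88), (8000, 8080)])),
    ]


if __name__ == "__main__":
    # Constructed sample connections, not captured traffic.
    samples = [
        Connection(PROTO_TCP, "in", 80, "60.80.100.120", 51234),   # browser -> our server
        Connection(PROTO_TCP, "out", 51000, "90.80.70.60", 80),    # us -> blocked server
        Connection(PROTO_TCP, "out", 51001, "10.0.0.5", 8042),     # falls into 8000-8080
        Connection(PROTO_UDP, "out", 51002, "10.0.0.5", 8042),     # no rule matches UDP
    ]
    for c in samples:
        print(c, "->", evaluate(example_rules(), c))
```

Note that the second sample does not match Example 1 even though it also involves port 80: Example 1 requires local port 80, whereas the client side of an outgoing connection uses an ephemeral local port, which is exactly why Example 2 leaves Local empty.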