KPF General Rule Sets

From: taharka (taharka@HotPOP.com)
Date: 04/25/02


KPF FAQ

GENERAL RULE SETS
--------------------------------------------------------------------------------

1. What is a basic set of rules for KPF?

The loopback rule isn't needed anymore unless you use apps that use loopback;
check answer #19 for more loopback info.

(Notify) means => Display alert box (checkbox).
(Logged) means => Log when this rule matches (checkbox).

Notes:

Rule 1 is your NetBIOS blocks. Enter them as displayed. Even if you have
removed NetBIOS from your Network applet, these will serve to "Notify" you
of any attempts. (Of course, this assumes you are NOT legitimately using
NetBIOS on your system.)

Rules 2 - 4 allow any application to connect to your Domain Name Servers. If
your ISP uses a different number of servers, you may add or use more or fewer
rules.

Rules 5 - 7 are the balance of the ICMP rules.

Rule 8 is the loopback rule to 127.0.0.1 (your computer) for Internet
Explorer's cache.

Rules 9 - 10 are the "application specific" rules; only Internet Explorer
and Outlook Express are given as examples. In general, you'll write one or
two rules for each application that you want to access the internet.
For rules for some common applications, check here.

Rule 11 is the "Block Everything" rule. Enter it as shown but don't enable
it until all of the "kinks" are out of your ruleset. Let the Rule Assistant
(ask for action when no rule is found) work for you to show you where
problems are occurring.

RULE 1:

Description: Block Inbound/outbound NetBIOS TCP UDP (Notify)
Protocol: TCP and UDP
Direction: Incoming/outgoing
Port type: Port/Range
First Port: 137
Last Port: 139
Local App.: Any
Remote Address Type: Any
Port type: port/range
First Port: 137
Last Port: 139
Action DENY

= = = = = = = = = = = = = = = =
RULE 2:

Description: ISP Domain Name Server Any App UDP
Protocol: UDP
Direction: Both
Local Port: Any
Local App.: Any
Remote Address Type: Single
Host address: (Your ISP DNS) IP number
Port type: Single
Port number: 53
Action PERMIT

= = = = = = = = = = = = = = = =
Rule 3:

Description: Secondary DNS ISP address
Protocol: UDP
Direction: Both
Local Port: Any
Local App.: Any
Remote Address Type: Single
Host address: (secondary ISP DNS) IP number
Port type: Single
Port number: 53
Action PERMIT
= = = = = = = = = = = = = = = =
Rule 4:

Description: Other DNS
Protocol: TCP and UDP
Direction: Both
Local Port: Any
Local App.: Any
Remote Address Type: Any
Port type: Single
Port number: 53
Action DENY

= = = = = = = = = = = = = = = =
RULE 5:

Description: Out Needed To Ping And TraceRoute Others
Protocol: ICMP
Direction: Outgoing
ICMP Type: Echo Request
Remote Endpoint: Any
Action PERMIT

= = = = = = = = = = = = = = = =
RULE 6:

Description: In Needed To Ping And TraceRoute Others
Protocol: ICMP
Direction: Incoming
ICMP Type: Echo Reply, Destination Unreachable, Time Exceeded
Remote Endpoint: Any
Action PERMIT

= = = = = = = = = = = = = = = =
RULE 7:

Description: Block ICMP (Logged)
Protocol: ICMP
Direction: Both
ICMP Type: Select All
Remote Endpoint: Any
Action: DENY

= = = = = = = = = = = = = = = =
RULE 8:

Description: IE Cache
Protocol: UDP
Direction: Outgoing
Port type: Any
Local App: Only selected below => iexplore.exe
Remote Address Type: Single address => 127.0.0.1
Port type: Any
Action PERMIT

= = = = = = = = = = = = = = = =
RULE 9:

Description: Internet Explorer-Web browsing
Protocol: TCP
Direction: Outgoing
Port type: Any
Local App.: Only selected below => iexplore.exe
Remote Address Type: Any
Port type: List of ports
List of ports: 80,8080,3128,443,20,21
Action PERMIT

= = = = = = = = = = = = = = = =
RULE 10:

Description: Outlook Express
Protocol: TCP
Direction: Outgoing
Port type: Any
Local App.: Only selected below => msimn.exe
Remote Address Type: Any
Port type: List of ports
List of ports: 25,110,119,143
Action PERMIT

= = = = = = = = = = = = = = = =
RULE 11:

Description: Block Incoming/Outbound Unauthorized Apps(Notify)
Protocol: Any
Direction: Incoming/Outgoing
Port type: Any
Local App.: Any
Remote Address Type: Any
Port type: Any
Action DENY

If you are on a LAN you might need to allow NetBIOS to and from computers
on your LAN. You should insert two rules before rule 1:

RULE a:

Description: Trusted Inbound NetBIOS TCP UDP
Protocol: TCP and UDP
Direction: Incoming
Port type: Port/Range
First Port: 137
Last Port: 139
Local App.: Any
Remote Address Type: Trusted Address Group
Port type: Any
Action PERMIT

= = = = = = = = = = = = = = = =
RULE b:

Description: Trusted Outbound NetBIOS TCP UDP
Protocol: TCP and UDP
Direction: Outgoing
Local Port: Any
Local App.: Any
Remote Address Type: Trusted Address Group
Port type: Port/Range
First Port: 137
Last Port: 139
Action PERMIT

= = = = = = = = = = = = = = = =

And you should enter your local IP addresses in the Trusted Address Group
list.
***thanks to Pete Repete for updating the rule list***

--------------------------------------------------------------------------------

2. ICMP router solicitation to 224.0.0.2?
The ICMP router discovery messages are called "Router Advertisements" and
"Router Solicitations". Each router periodically multicasts a Router
Advertisement from each of its multicast interfaces, announcing the IP
address(es) of that interface. Hosts discover the addresses of their
neighboring routers simply by listening for advertisements. When a host
attached to a multicast link starts up, it may multicast a Router
Solicitation to ask for immediate advertisements, rather than waiting for
the next periodic ones to arrive; if (and only if) no advertisements are
forthcoming, the host may retransmit the solicitation a small number of
times, but then must desist from sending any more solicitations. Any
routers that subsequently start up, or that were not discovered because of
packet loss or temporary link partitioning, are eventually discovered by
reception of their periodic (unsolicited) advertisements. So don't worry to
permit this. source: Tomas Soukup

--------------------------------------------------------------------------------

3. How do I backup the rules?
persfw.conf - contains the rules
stat.conf - status window settings
persfw.key - not needed (will be renewed if it's missing)
If you also want to back up the log, you will need the filter.log.idx and
filter.log files (both!).
source: Tomas Soukup

--------------------------------------------------------------------------------

4. How do I get the time intervals to work?

Open Administration.
Click Advanced.
Select a rule and click Edit.

There HAS to be a list box titled "Rule valid" which is set to "Always"
initially. It's near the bottom of this dialog box, over the "Action" group
box and the Log/Alert checkboxes you already described.

Just change it from "Always" to "In this interval only."

source: baley

--------------------------------------------------------------------------------

5. Does the placement of a rule ahead of another rule give it priority
over the second?
Yes, Tiny tests each request for connection against the rules from the top
down until it finds one that matches. No further rules are checked.

--------------------------------------------------------------------------------

6. What are the Hotmail servers?
64.4.52.7 64.4.53.7 64.4.54.7 64.4.43.7 64.4.44.7 64.4.45.7

--------------------------------------------------------------------------------

7. How do I move rules up and down?
You can move rules by using the arrows at the right side of the rules
screen. You can also "insert" rules above the selected one with the
"insert" button.

--------------------------------------------------------------------------------

8. What does the "network mask" do?

The network mask is basically a way for you to allow/or deny multiple ip's
without having to specify each of them.

The way it works (to my knowledge) is like this:

Say you wanted a rule that would allow any IP that started with
111.222.111.xxx

What you would do would be to create a rule allowing 111.222.111.0 and a
netmask of 255.255.255.0

Now when you get an IP you want to test to see if it matches your rule, you
take this IP and do a binary AND of it against the netmask. You then
compare this value to the IP in the rule (111.222.111.0). If it's a
match then the rule matches.

An example:
a) The Rule's IP: 111.222.111.0
b)The Rule's Netmask: 255.255.255.0
c) The IP to be tested: 111.222.111.5

First c) is ANDed with b):
111.222.111.5 AND 255.255.255.0

which means: (111 AND 255).(222 AND 255).(111 AND 255).(5 AND 0) (AND is a
bitwise and operation. Look up boolean algebra if you're not familiar with
it)

The result is: 111.222.111.0

which is compared with a) and so it matches.

If you're not familiar with binary/boolean algebra then this might sound
like double dutch I understand ;)

source: Rukh
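The netmask match above, worked through in code. This is an added example, not
part of the FAQ and not Tiny/Kerio's code; it does the same bitwise AND Rukh
describes, on the FAQ's own 111.222.111.x addresses, and adds two checks a
rule editor would want: that the mask is a contiguous run of 1-bits, and that
the rule's own address is masked too, so a rule typed as 111.222.111.5 with
mask 255.255.255.0 still covers the whole block instead of never matching.
The parser also rejects octets with leading zeros (the 122.054.231.045 case
from answer 12); that strictness is this example's choice, made because some
address parsers read a leading zero as octal.

```python
# Added example (not from the FAQ): the "network mask" match from answer 8.

def ip_to_int(ip: str) -> int:
    """Parse a dotted quad into a 32-bit integer.

    Octets with a leading zero ("054") are rejected on purpose (assumption of
    this example): some parsers read them as octal, so 122.054.231.045 would
    not be the address you meant. Type 122.54.231.45 instead.
    """
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {ip!r}")
    value = 0
    for octet in parts:
        if not octet.isdigit() or (len(octet) > 1 and octet[0] == "0"):
            raise ValueError(f"bad octet {octet!r} in {ip!r}")
        n = int(octet)
        if n > 255:
            raise ValueError(f"octet out of range in {ip!r}")
        value = (value << 8) | n
    return value


def int_to_ip(value: int) -> str:
    """Inverse of ip_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_is_valid(mask: str) -> bool:
    """A netmask must be a run of 1-bits followed by a run of 0-bits:
    255.255.255.0 is valid, 255.0.255.0 is not."""
    host_bits = (~ip_to_int(mask)) & 0xFFFFFFFF   # the zero part, inverted
    return (host_bits & (host_bits + 1)) == 0     # all-ones block <=> x & (x+1) == 0


def masked(ip: str, mask: str) -> str:
    """Step 'c) ANDed with b)' from the FAQ: keep only the network bits."""
    return int_to_ip(ip_to_int(ip) & ip_to_int(mask))


def matches_network(rule_ip: str, rule_mask: str, test_ip: str) -> bool:
    """True when test_ip lies in the network rule_ip/rule_mask.

    Both sides are masked, so a rule entered with host bits set
    (111.222.111.5 / 255.255.255.0) still matches the whole block.
    """
    if not mask_is_valid(rule_mask):
        raise ValueError(f"non-contiguous netmask {rule_mask!r}")
    return masked(test_ip, rule_mask) == masked(rule_ip, rule_mask)


def and_per_octet(ip: str, mask: str) -> str:
    """Render the per-octet view the FAQ prints: (111 AND 255).(222 AND 255)..."""
    return ".".join(f"({a} AND {b})" for a, b in zip(ip.split("."), mask.split(".")))


if __name__ == "__main__":
    rule_ip, rule_mask, test_ip = "111.222.111.0", "255.255.255.0", "111.222.111.5"
    print(f"{test_ip} AND {rule_mask} = {and_per_octet(test_ip, rule_mask)}")
    print("result:", masked(test_ip, rule_mask))
    print("matches rule?", matches_network(rule_ip, rule_mask, test_ip))
    print("111.222.112.5 matches?", matches_network(rule_ip, rule_mask, "111.222.112.5"))
```

Running it prints the FAQ's result (111.222.111.0, which matches the rule) and
shows that 111.222.112.5 falls outside the block because its third octet
survives the AND with 255.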
--------------------------------------------------------------------------------

9. Rules for DHCP
All you need is two or three rules depending on your setup; since I have a
hardware router, some of these rules might sound odd to you. First
find out your DHCP server. In Windows 9x/ME, Start-->Run-->type
in "winipcfg /all" (without quotations). In Windows 2000,
Start-->Programs-->Accessories-->Command Prompt-->type in "ipconfig /all"
(without quotations).

Rule #1:
Description: DHCP In/Out
Protocol: UDP
Direction: Both
Local End Port:68
Application: ANY (or your DHCP program)
Remote End Port: 67
Remote Address: DHCP Server IP
Rule Valid: Always
Action: Permit
Logging: None

Rule #2:
Description: DHCP
Protocol: UDP
Direction: Outgoing
Local End Port:68
Application: ANY (or your DHCP program)
Remote End Port: 67
Remote Address: 255.255.255.255
Rule Valid: Always
Action: Permit
Logging: None

After this try to release and renew your IP with Rule Learning thing on
just to make sure the rules work.

source: zyklon

Note: on some servers it won't let you insert the DHCP server IP address.

"It was not possible to insert my DHCP server's IP address for a
destination. My workstation does a broadcast to 255.255.255.255:67 so a
rule for a specific address was being caught by one of the trojan rules. :)
The rule should be any address, port 67."

source: Scott Tyson
--------------------------------------------------------------------------------

10. How to block x10 popup windows?
Place this rule physically before any rule that allows your browser to
access any unlisted website. I list all of my block rules well ahead of my
permit rules. This way Tiny Personal Firewall will
only pass the sites that are not previously blocked.
   Protocol: TCP
   Direction: Both
   Local Port: Any Port
   Application: (your browser's location and filename)
   Remote Endpoint:
      Address Type: Network/Range
      First Address: 64.85.92.0
      Last Address: 64.85.92.63
      Port Type: Single
      Port Number: 80
   Rule Valid: Always
   Action: DENY
   Logging: Check both boxes if you want to see how many ads this is
going to block. Check the "Log when this rule is matched" box to
only read about the blocked ads in your firewall log. After a while
you will probably want to uncheck the box to popup an alert, cause
they will drive you nuttier than the ads they are blocking!

Lastly, you might consider creating this rule as the last rule in
your ruleset:
Permit all TCP and UDP, in both directions, on all endpoint ports,
for your browser(s), with logging checked (but not the popup alert).
This will create a running log of ALL IPs that are called from your
browser as it loads various websites. Clear the log every day after
you read it, making notes of the IPs of known ad servers. That is how
I found the IPs for X10, along with the help of a Whois.

source: Bob "Wiz" Feinberg
--------------------------------------------------------------------------------

11. How to set up EnterNet 300
Description: EnterNet 300
Protocol: UDP
Direction: Both
Port type: Single
Port number: 68
Local App.: enternet.exe
Remote Address Type: Single
Host address: 1.1.1.1
Port type: Single
Port number: 67
Action PERMIT

Description: EnterNet 300
Protocol: UDP
Direction: Outgoing
Port type: Port/Range
First Port: 1024
Last Port: 4999
Local App.: enternet.exe
Remote Address Type: Single
Host address: 10.0.0.1
Port type: Single
Port number: 7
Action PERMIT

Description: EnterNet 300
Protocol: UDP
Direction: Outgoing
Port type: Single
Port number: 68
Local App.: enternet.exe
Remote Address Type: Single
Host address: 255.255.255.255
Port type: Single
Port number: 67
Action PERMIT

source: Bill
--------------------------------------------------------------------------------

12. Is there a way to filter out specific IP addresses WITHOUT denying the
entire program (netmeeting, for example) permission to run?
TPF uses a rule list which is examined from the top down to the bottom. By
creating a "deny" rule above your existing "allow all" rule, you can do any
or all of the following:
* Block a single address (or range of addresses) from connecting to a named
program
* Block a single address (or range of addresses) from connecting to a
numbered port
* Block a single address (or range of addresses) from connecting at all

This sounds complex, but really isn't.
if you go to your rule list by
1. double-clicking the system tray icon (in the bottom left of the screen)
2. clicking the "advanced" button

you can modify your existing "allow all" rule into a "deny only what I want
to deny" rule. this is the easiest method, as TPF will prompt you to create
another rule for that program when you next use it.

so - locate the rule for that package (netmeeting in this case) and double
click it.

from the top.

"Description" is a short text description of the rule - it defaults to the
name of the program, but you can edit it to make more sense for your new
rule. Try changing the text to "Netmeeting - deny those I wish to block out"

"Protocol" is the protocol for the rule. this is probably currently "TCP".
change this to "TCP and UDP" with the pulldown arrow

"Direction" determines if this applies to the program calling out, other
machines calling in, or both. change it to "both directions"

"local endpoint" this is the port number that the program will use on your
machine. set it to "Any Port"

"Application" This should already be completed to point to Netmeeting -
leave it alone for now. if you wanted to block the users totally from your
machine (instead of just from Netmeeting) you would change this to "any"

Remote Endpoint:
This comes in two flavours - Address and Port

"Remote Endpoint (Address)" - You should change this to either "single
address" (if you are blocking a single IP address) or Network Range (if you
want to block a entire section of IP addresses) A box will appear below this
selector to either type the IP address (do *not* type any leading zeros on
the numbers - so an ip address of 122.054.231.045 should be typed as
122.54.231.45 - there is a good reason for this but nothing you really
should care about) or two boxes for start/stop IP addresses (if you go for
range)

"Remote Endpoint (port)" leave set to "any"

"Rule Valid" lets you set times for the rule to be in action. just leave at
"always" for now

"Action" set to Deny - this changes the rule from "allow this to happen" to
"block this from happening"

Checkboxes - Logging will write a line to a special file whenever this rule
is triggered. Alert will pop a box to the screen when the rule is triggered.
check the box opposite the description if you want either (or both) of these
things to happen, otherwise leave them blank

ok, now hit "ok". you should now have a rule that blocks an IP or block of
IPs from connecting to or being connected to by the program netmeeting.

remember, the highest rule on the list that CAN apply will be used to allow
or deny the connection - you can move the rules up and down so they are in
the order you want them, but you must when planning your rules think from
the top of the list down - if you Deny something that is already permitted
by an earlier rule, your deny will never be used.

source: David Howe
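The top-down, first-match behaviour that answers 5 and 12 rely on, modelled in
code. This is an added example, not from the FAQ and not Tiny/Kerio's own
engine. It holds the same fields the rule dialog shows, walks the list until
one rule matches, and includes a small lint that reports rules which never
decided any of a set of sample connections, which is exactly what happens to a
Deny placed below a broader Permit. Everything in the sample data is
constructed: conf.exe is assumed to be NetMeeting's executable, 192.0.2.x is a
documentation address range, and the port numbers are arbitrary.

```python
# Added example (not from the FAQ): top-down first-match rule evaluation.
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


def ip_to_int(ip: str) -> int:
    """Dotted quad -> 32-bit int so address ranges compare numerically."""
    a, b, c, d = (int(p) for p in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


@dataclass
class Rule:
    """One line of the rule list, with the fields the TPF/KPF dialog shows."""
    description: str
    action: str                                      # "PERMIT" or "DENY"
    protocol: str = "Any"                            # "TCP", "UDP", "ICMP", "TCP and UDP", "Any"
    direction: str = "Both"                          # "Incoming", "Outgoing", "Both"
    application: Optional[str] = None                # None = any application
    local_ports: Optional[Tuple[int, int]] = None    # inclusive range; None = any port
    remote_range: Optional[Tuple[str, str]] = None   # (first, last) inclusive; None = any
    remote_ports: Optional[Sequence[int]] = None     # list of ports; None = any port


@dataclass
class Connection:
    """The request the firewall is asked to decide on."""
    protocol: str
    direction: str            # "Incoming" or "Outgoing"
    application: str
    local_port: int
    remote_ip: str
    remote_port: int


def rule_matches(rule: Rule, conn: Connection) -> bool:
    """Every rule field that is not 'Any' must agree with the connection."""
    if rule.protocol != "Any" and conn.protocol not in rule.protocol.split(" and "):
        return False
    if rule.direction != "Both" and rule.direction != conn.direction:
        return False
    if rule.application is not None and rule.application.lower() != conn.application.lower():
        return False
    if rule.local_ports is not None:
        lo, hi = rule.local_ports
        if not lo <= conn.local_port <= hi:
            return False
    if rule.remote_range is not None:
        lo, hi = (ip_to_int(x) for x in rule.remote_range)
        if not lo <= ip_to_int(conn.remote_ip) <= hi:
            return False
    if rule.remote_ports is not None and conn.remote_port not in rule.remote_ports:
        return False
    return True


def evaluate(rules: Sequence[Rule], conn: Connection) -> Tuple[str, Optional[str]]:
    """Top-down; the first matching rule decides and no further rules are
    checked (answer 5). No match returns "ASK", the point at which the Rule
    Assistant would prompt you."""
    for rule in rules:
        if rule_matches(rule, conn):
            return rule.action, rule.description
    return "ASK", None


def never_used(rules: Sequence[Rule], samples: Sequence[Connection]) -> List[str]:
    """Lint for the ordering mistake answer 12 warns about: run representative
    connections through the list and report rules that never decided one."""
    winners = {evaluate(rules, conn)[1] for conn in samples}
    return [r.description for r in rules if r.description not in winners]


# Constructed sample data (see lead-in): not taken from any real ruleset.
DENY_ONE_HOST = Rule("Netmeeting - deny those I wish to block out", "DENY",
                     protocol="TCP and UDP", application="conf.exe",
                     remote_range=("192.0.2.10", "192.0.2.10"))
ALLOW_NETMEETING = Rule("Netmeeting", "PERMIT",
                        protocol="TCP and UDP", application="conf.exe")
BLOCK_EVERYTHING = Rule("Block Incoming/Outbound Unauthorized Apps", "DENY")


def sample_rules(deny_first: bool) -> List[Rule]:
    """deny_first=True is the order answer 12 recommends; False is the mistake."""
    pair = [DENY_ONE_HOST, ALLOW_NETMEETING] if deny_first else [ALLOW_NETMEETING, DENY_ONE_HOST]
    return pair + [BLOCK_EVERYTHING]


if __name__ == "__main__":
    blocked = Connection("TCP", "Incoming", "conf.exe", 1720, "192.0.2.10", 1503)
    other = Connection("TCP", "Incoming", "conf.exe", 1720, "192.0.2.77", 1503)
    for order in (True, False):
        rules = sample_rules(order)
        print("deny first" if order else "deny below permit")
        print("  192.0.2.10 ->", evaluate(rules, blocked))
        print("  192.0.2.77 ->", evaluate(rules, other))
        print("  rules that never fired:", never_used(rules, [blocked, other]))
```

With the Deny above the Permit, 192.0.2.10 is denied and every other host is
permitted; swap the two and the Deny shows up in the never-fired list, which
is the "your deny will never be used" case from the answer.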
--------------------------------------------------------------------------------

13. What do the different terms mean(Description, Protocol, Remote
Endpoint, Rule Valid and so on) in the popup window when creating a rule
for tiny firewall
"Description" is a short text description of the rule - it defaults to the
name of the program, but you can edit it to make more sense for your new
rule.

"Protocol" is the protocol for the rule.
change this to "TCP and UDP" with the pulldown arrow

"Direction" determines if this applies to the program calling out, other
machines calling in, or both.

"local endpoint" this is the port number that the program will use on your
machine.

"Application" This should already be completed to point to "the name of
application" - leave it alone for now. if you wanted to block the users
totally from your machine (instead of just from "name of application") you
would change this to "any"

Remote Endpoint:
This comes in two flavours - Address and Port

"Remote Endpoint (Address)" - You should change this to either "single
address" (if you are blocking a single IP address) or Network Range (if you
want to block a entire section of IP addresses) A box will appear below this
selector to either type the IP address (do *not* type any leading zeros on
the numbers - so an ip address of 122.054.231.045 should be typed as
122.54.231.45 - there is a good reason for this but nothing you really
should care about) or two boxes for start/stop IP addresses (if you go for
range)

"Remote Endpoint (port)" leave set to "any"

"Rule Valid" lets you set times for the rule to be in action. just leave at
"always" for now

"Action" set to Deny - this changes the rule from "allow this to happen" to
"block this from happening"

Checkboxes - Logging will write a line to a special file whenever this rule
is triggered. Alert will pop a box to the screen when the rule is triggered.
check the box opposite the description if you want either (or both) of these
things to happen, otherwise leave them blank

remember, the highest rule on the list that CAN apply will be used to allow
or deny the connection - you can move the rules up and down so they are in
the order you want them, but you must when planning your rules think from
the top of the list down - if you Deny something that is already permitted
by an earlier rule, your deny will never be used.

source: David Howe
--------------------------------------------------------------------------------

14. Are there any rules that will lock my computer at night if I leave my
connection on all the time?
Here's a simple tip that will lock down your computer at night if you
leave your connection on all the time.

Description: Block All 12am to 7am
Protocol UDP and TCP
Direction: Both
Local Port: Any
Remote Address: Any
Remote Port: Any
Application: Any application
Rule valid: In this interval only
   00:00-06:59 (Mon,Tue,Wed,Thu,Fri,Sat,Sun)
Action: DENY

Put this rule at the very top of the list and set it to log. I told
you it was simple. :) BTW: If you set the time to 07:00, it won't
unblock until 07:01.

source: diskydo
--------------------------------------------------------------------------------

15. Is there a way to export my rules to a file and then import them on
another computer?
Yep just copy persfw.conf and you've got the rules backed up.
Note: Make sure you close TPF before copying persfw.conf back into your TPF
directory otherwise Tiny will overwrite the file with what ever rules it
currently has loaded into memory.
--------------------------------------------------------------------------------

16. How do I convert the rules to text?
The way to convert the firewall rules into a text readable form - requires a
modification to the registry.
Start the registry editor (start)(run) enter "regedit"

Find the following key:
HKEY_LOCAL_MACHINE\Software\Kerio\Personal Firewall
Click on [edit][new]
Choose "DWORD Value"
Enter "EncrDisabled" as the name of the new key
Click on [edit][modify] and enter "1"(hex) as the value
Reboot
(I also opened the rules and save them after this, although I don't believe
that this was necessary)

Anyway, the rules are now un-encrypted and can be read, printed or
extracted.
Plus some other interesting stuff hidden there.

source: Dennis Webber
--------------------------------------------------------------------------------

17. Rules for games.yahoo.com
Here are my rules for Yahoo Games:

Rule Description: Yahoo Games 1
Protocol: TCP
Direction: Outgoing
Application: Your browser
Remote Host: 209.1.225.0/255.255.255.0
Remote Port: 5001

Rule Description: Yahoo Games 2
Protocol: TCP
Direction: Outgoing
Application: Your browser
Remote Host: 216.115.111.0/255.255.255.0
Remote Port: 11999
--------------------------------------------------------------------------------

18. Is there a way to backup the ruleset (Kerio 2.1.0 beta 5 and up)?
From the Admin menu, select Miscellaneous, click "save" and set the path to
your floppy drive.
--------------------------------------------------------------------------------

19. What Happened to the Loopback rule In Kerio Firewall?
Kerio users will note that the default loopback rule is missing.
Normally, this won't cause you problems, but, if you use apps that keep
asking for loopback, you can safely add the rule to your set. It's not
necessary, or even very desirable, to make it your topmost rule, though.
Put it below your system rules.

Description: Loopback
Protocol: TCP and UDP
Direction: Both
Local Port: Any
Local App.: Any
Remote Address Type: Single
Host address: 127.0.0.1
Port type: Any
Action PERMIT

There is a hardcoded loopback in Kerio: tcp 127.0.0.1 port 44334

Port 44334 is opened for administration and is guarded internally by the
admin<->engine communication protocol. It is true that any application can
connect to 127.0.0.1:44334, but such an application cannot do more (because
it isn't able to bypass the internal security applied on port 44334).
--------------------------------------------------------------------------------

20. How do I reset the rules to the default settings?
Delete persfw.conf and KPF will automatically generate its 'default' ruleset.
--------------------------------------------------------------------------------

This article at:
http://www.tpffaq.com/cgi-bin/faqmanager.cgi?file=genrules&toc=faq#q1

-- 
Make my Funk the PFunk
George Clinton/Parliament

