
Configuring traffic rules

How traffic rules work

Watch the Configuring traffic rules video.

The traffic policy consists of rules ordered by their priority. The rules are processed from the top downwards and the first matched rule is applied. The order of the rules can be changed with the two arrow buttons on the right side of the window, or by dragging the rules within the list.

An implicit rule denying all traffic is shown at the end of the list. This rule cannot be removed. If there is no rule to allow particular network traffic, then the implicit rule will discard the packet.

To control user connections to WWW or FTP servers and filter contents, use the content filter available in Kerio Control for these purposes rather than traffic rules. Read more in the Configuring the Content Filter article.

Configuring traffic rules

If you do not have any traffic rules created in Kerio Control, use the configuration wizard (go to Traffic Rules and click More Actions → Configure in Wizard).

Basic traffic rules configured by Wizard

To create your own rules, look at the following examples:

Generic rule

In the default state, Kerio Control denies communication for all services. To create a rule that allows a service, for example to let a user group use SSH to reach servers on the Internet:

  1. Go to Traffic Rules in the administration interface.

  2. Click Add.

  3. In the Add New Rule dialog box, type a name for the rule (for example, Allow SSH to a group).

  4. As a rule type, select Generic.

  5. Click Next.

  6. Click Users and Groups.

  7. In the Select Items dialog box, double-click a group (SSH allowed in our case).

  8. Click Next.

  9. Select Interfaces.

  10. In the Select Items dialog box, select Internet Interfaces.

  11. Click Next.

  12. Click Services.

  13. In the Select Items dialog box, double-click SSH.

The rule allows your users to use SSH to access servers in the Internet.

Port mapping

To enable all services for a Kerio Connect server placed in your local network protected by Kerio Control, follow these steps:

  1. In the administration interface, go to Traffic Rules.

  2. Click Add.

  3. In the Add New Rule wizard, type a name of the rule.

  4. Select Port mapping.

  5. In the Host field, type the hostname or IP address of the SMTP server placed in your local network.

  6. Next to the Service field, click Select.

  7. In the Select Items dialog, check the Kerio Connect services group (see figure Adding a service group).

    Adding a service group

  8. Click Finish.

  9. Move the rule to the top of the table of traffic rules.

Other examples

User accounts and groups in traffic rules

In traffic rules, the source or destination can also be specified by user accounts and/or user groups. In the traffic policy, each user account represents the IP address of the host from which that user is connected. This means that the rule applies only to users authenticated at the firewall (when the user logs out, the rule is no longer effective):

Enabling certain users to access the Internet

In a private network and with the Internet connection performed through NAT, you can specify which users can access the Internet in the Source item in the NAT rule.

This traffic rule allows only selected users to connect to the Internet

Such rules enable the specified users to connect to the Internet if they authenticate. They need to open the Kerio Control interface's login page manually and authenticate.

With the rule defined, all methods of automatic authentication are ineffective (i.e. redirecting to the login page, NTLM authentication and automatic authentication from defined hosts).

Automatic authentication (redirection to the login page) is performed when a connection to the Internet is established, but this NAT rule blocks every connection until the user is authenticated, so the redirection never gets a chance to happen.

Enabling automatic authentication

The automatic user authentication issue can be solved as follows:

  1. Add a rule allowing an unlimited access to the HTTP service and place it before the NAT rule.

    These traffic rules enable automatic redirection to the login page

  2. In Content Rules, allow specific users to access any web site and deny any access to other users.

    These URL rules enable specified users to access any Web site

Users who are not yet authenticated and attempt to open a web site are automatically redirected to the authentication page (or authenticated by NTLM, or logged in from the corresponding host). After a successful authentication, users specified in the NAT rule (see figure These traffic rules enable automatic redirection to the login page) are allowed to access other Internet services. Users not specified in the rules are denied access to any web site and to other Internet services.

In this example, it is assumed that client hosts use the Kerio Control DNS Forwarder or local DNS server (traffic must be allowed for the DNS server). If the client stations use a DNS server in the Internet, you must include the DNS service in the rule which allows unlimited Internet access.
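The two behaviours this article relies on, top-down first-match evaluation with an implicit deny (which is why the port-mapping rule is moved to the top) and user-based sources that only match hosts currently authenticated at the firewall, are modelled below in a small constructed simulation. It is an added illustration, not Kerio Control code; the rule names, IP addresses and user names are made up.

```python
from dataclasses import dataclass, field

# Constructed model of a first-match traffic policy (hypothetical, not Kerio Control code).
@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    services: frozenset = frozenset()  # empty = any service
    users: frozenset = frozenset()     # empty = no user restriction

@dataclass
class Firewall:
    rules: list
    sessions: dict = field(default_factory=dict)  # ip -> user authenticated at the firewall

    def login(self, ip, user): self.sessions[ip] = user
    def logout(self, ip): self.sessions.pop(ip, None)
    def evaluate(self, src_ip, service):
        """Walk rules top-down; the first match is applied; no match hits the implicit deny."""
        user = self.sessions.get(src_ip)  # a user in a rule stands for the IP it is logged in from
        for r in self.rules:
            if r.services and service not in r.services:
                continue
            if r.users and user not in r.users:  # unauthenticated host never matches a user rule
                continue
            return r.action, r.name
        return "deny", "implicit deny"

def user_auth_scenario():
    """The two rules from 'Enabling automatic authentication': HTTP for everyone, NAT for alice."""
    fw = Firewall([Rule("Allow HTTP for login redirect", "allow", frozenset({"HTTP"})),
                   Rule("NAT for selected users", "allow", users=frozenset({"alice"}))])
    out = {"unauth_http": fw.evaluate("10.0.0.5", "HTTP")[0],   # reaches the login page
           "unauth_ssh": fw.evaluate("10.0.0.5", "SSH")[0]}     # implicit deny
    fw.login("10.0.0.5", "alice")
    out["alice_ssh"] = fw.evaluate("10.0.0.5", "SSH")[0]         # NAT rule now matches
    fw.login("10.0.0.6", "bob")                                  # authenticated, not in the rule
    out["bob_ssh"] = fw.evaluate("10.0.0.6", "SSH")[0]
    fw.logout("10.0.0.5")
    out["alice_after_logout"] = fw.evaluate("10.0.0.5", "SSH")[0]
    return out

def ordering_scenario():
    """Why a port-mapping rule is moved to the top: a broader rule above it shadows it."""
    deny_all = Rule("Deny everything", "deny")
    mapping = Rule("Kerio Connect port mapping", "allow", frozenset({"SMTP"}))
    shadowed = Firewall([deny_all, mapping]).evaluate("203.0.113.9", "SMTP")[0]
    fixed = Firewall([mapping, deny_all]).evaluate("203.0.113.9", "SMTP")[0]
    return shadowed, fixed
```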

Demilitarized zone (DMZ)

This topic is covered in a special article: Configuring demilitarized zone (DMZ).

Policy routing

This topic is covered in a special article: Configuring policy routing.

Enabling protocol inspection on traffic rules

Kerio Control includes protocol inspectors that monitor all traffic on application protocols such as HTTP and FTP. The inspectors filter the communication or adapt the firewall's behavior according to the protocol type. For more details, read Protocol inspection in Kerio Control.

To assign a protocol inspector to a traffic rule:

  1. In the administration interface, go to Traffic Rules.

  2. Right-click a table header and select Columns → Inspector.

  3. In a particular rule, double-click the Inspector column and select the appropriate protocol inspector.

    Each inspector should be used for the appropriate service only. Functionality of the service might be affected by using an inappropriate inspector.

  4. Click Apply.
