Configuring traffic rules
Article Number: 1312 | Last Updated: Thu, Jul 21, 2016 1:57 PM
How traffic rules work
Watch the Configuring traffic rules video.
The traffic policy consists of rules ordered by their priority. The rules are processed from the top downwards and the first matched rule is applied. The order of the rules can be changed with the two arrow buttons on the right side of the window, or by dragging the rules within the list.
An implicit rule denying all traffic is shown at the end of the list. This rule cannot be removed. If there is no rule to allow particular network traffic, then the implicit rule will discard the packet.
To control user connections to WWW or FTP servers and filter content, use the content filter available in Kerio Control rather than traffic rules. Read more in the Configuring the Content Filter article.
Configuring traffic rules
If you do not have any traffic rules created in Kerio Control, use the configuration wizard (go to Traffic Rules and click More Actions → Configure in Wizard).
To create your own rules, look at the following examples:
In the default state, Kerio Control denies communication for all services. To create an allowing rule for a service, for example, to allow a user group to use SSH for access to servers in the Internet:
The rule allows your users to use SSH to access servers in the Internet.
To enable all services for Kerio Connect placed in your local network protected by Kerio Control, follow these steps:
User accounts and groups in traffic rules
In traffic rules, the source and destination can also be specified by user accounts and/or user groups. In the traffic policy, each user account represents the IP address of the host from which the user is connected. This means that the rule is applied only to users authenticated at the firewall (when the user logs out, the rule is no longer effective):
Enabling certain users to access the Internet
In a private network and with the Internet connection performed through NAT, you can specify which users can access the Internet in the Source item in the NAT rule.
Such rules enable the specified users to connect to the Internet if they authenticate. They need to open the Kerio Control interface's login page manually and authenticate.
Once such a rule is defined, all methods of automatic authentication are ineffective (i.e. redirection to the login page, NTLM authentication and automatic authentication from defined hosts).
Automatic authentication (redirection to the login page) is performed when a connection to the Internet is established, but this NAT rule blocks any connection unless the user is already authenticated.
Enabling automatic authentication
The automatic user authentication issue can be solved as follows:
Users who are not yet authenticated and attempt to open a web site are automatically redirected to the authentication page (or authenticated by NTLM, or logged in from the corresponding host). After a successful authentication, users specified in the NAT rule (see figure These traffic rules enable automatic redirection to the login page) are allowed to access other Internet services. Users not specified in the rules are not allowed to access any web site or other Internet services.
In this example, it is assumed that client hosts use the Kerio Control DNS Forwarder or local DNS server (traffic must be allowed for the DNS server). If the client stations use a DNS server in the Internet, you must include the DNS service in the rule which allows unlimited Internet access.
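The following is an added illustration, not Kerio Control code or a description of its internals: a small simulator of the top-down, first-match evaluation with the implicit deny described under "How traffic rules work", using a constructed policy modelled on the automatic-authentication setup above (DNS and HTTP open to all local hosts so the login redirect can happen, everything else only for a user, here the assumed account "alice"). The rule names, IP addresses and the `sessions` map (authenticated user per host IP) are all assumptions for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    services: set = field(default_factory=set)    # empty = any service
    src_zones: set = field(default_factory=set)   # e.g. {"LAN"}
    src_users: set = field(default_factory=set)   # user account names

@dataclass
class Packet:
    src_ip: str
    src_zone: str   # "LAN" or "Internet"
    service: str    # "DNS", "HTTP", "SSH", ...

def evaluate(rules, pkt, sessions):
    """Top-down, first matching rule wins; nothing matched => implicit deny.
    `sessions` maps host IP -> user for hosts currently authenticated at the
    firewall, so a user in a rule stands for the IP the user logged in from."""
    user = sessions.get(pkt.src_ip)
    for rule in rules:
        if rule.services and pkt.service not in rule.services:
            continue
        by_zone = pkt.src_zone in rule.src_zones
        by_user = user is not None and user in rule.src_users
        if by_zone or by_user:
            return rule.name, rule.action
    return "implicit", "deny"

# Constructed policy (assumed) mirroring the automatic-authentication setup.
POLICY = [
    Rule("DNS for all LAN hosts", "allow", {"DNS"}, {"LAN"}),
    Rule("HTTP for all LAN hosts (login redirect)", "allow", {"HTTP"}, {"LAN"}),
    Rule("Internet for authenticated users (NAT)", "allow", set(), set(), {"alice"}),
]

def demo():
    sessions = {"10.0.0.5": "alice"}           # alice is logged in from 10.0.0.5
    guest = "10.0.0.9"                          # a host nobody has authenticated from
    results = {
        "guest_http": evaluate(POLICY, Packet(guest, "LAN", "HTTP"), sessions),
        "guest_ssh": evaluate(POLICY, Packet(guest, "LAN", "SSH"), sessions),
        "alice_ssh": evaluate(POLICY, Packet("10.0.0.5", "LAN", "SSH"), sessions),
    }
    sessions.pop("10.0.0.5")                    # alice logs out: the user rule stops matching
    results["alice_ssh_after_logout"] = evaluate(POLICY, Packet("10.0.0.5", "LAN", "SSH"), sessions)
    return results

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Because only the first match counts, a deny rule placed above the user rule blocks the same traffic that it would leave untouched if placed below it, which is why the arrow buttons and drag ordering in the rule list matter.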
Demilitarized zone (DMZ)
This topic is covered in a special article: Configuring demilitarized zone (DMZ).
This topic is covered in a special article: Configuring policy routing.
Enabling protocol inspection on traffic rules
Kerio Control includes protocol inspectors that monitor all traffic on application protocols such as HTTP and FTP. The inspectors filter the communication or adapt the firewall's behavior according to the protocol type. For more details, read Protocol inspection in Kerio Control.