Kerio Personal Firewall includes several predefined rules. These rules are independent of individual applications (they are applied globally). The user decides whether each predefined rule is used or not, and the rules can be modified.
Predefined rules for network traffic can be found in the Predefined tab of the Network Security section.
Rules in this tab cannot be added or removed. Actions for the Trusted area and for the Internet can be set separately for each rule. To switch between actions (Permit/Deny), click the corresponding field.
Note: The Ask action (asking the user whether the traffic should be allowed or not; see chapters 7.2. Rules for Applications and 5.2. Connection Alert (unknown traffic detection)) is not available for predefined rules.
Check or uncheck the Enable predefined network security option to enable or disable predefined rules for network communication. If this option is not checked, predefined rules are ignored and Kerio Personal Firewall uses only application rules (see chapter 7.2. Rules for Applications) and advanced packet filter rules (see chapter 8. Advanced Packet Filter).
Use the button to restore the actions of all predefined rules to their default values.
Brief descriptions of the predefined network security rules follow.
IGMP (Internet Group Management Protocol) is used for subscribing to and unsubscribing from multicast groups. This protocol can be misused easily, which is why it is disabled by default. We recommend not enabling it unless you run applications that use multicast (typically for streaming audio or video over the Internet).
The Ping and Tracert (Traceroute) programs are used to trace the route through a network and to check whether a remote computer responds. They work by exchanging ICMP (Internet Control Message Protocol) messages.
A possible attacker first tests whether a selected IP address responds to these control messages. Blocking them makes your computer “invisible” and reduces the chance of an intrusion.
All incoming Ping and Tracert messages from the Internet are blocked by default. They are allowed from the trusted area (so that an administrator can, for example, test a computer's availability with the Ping command).
Outgoing Ping and Tracert messages are permitted for both areas. They are usually used to verify that the network connection works or that a remote computer is reachable.
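The following Python model is an added illustration (not Kerio code) of how the predefined rules described above are evaluated: each rule carries a separate action for the Trusted area and for the Internet, the whole set can be switched off with the Enable predefined network security option (in which case the decision falls through to application rules and the packet filter), and the actions can be restored to the defaults stated in this section. The `Packet` fields, rule names and the `evaluate`/`restore_defaults` functions are assumptions made for the example; only the IGMP and Ping/Tracert defaults stated in the text are modelled.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional

class Zone(Enum):
    TRUSTED = "trusted area"
    INTERNET = "internet"

class Action(Enum):
    PERMIT = "permit"
    DENY = "deny"

@dataclass
class Packet:                 # constructed, simplified packet description
    direction: str            # "in" (from the peer) or "out" (to the peer)
    protocol: str             # "icmp", "igmp", ...
    zone: Zone                # area the remote peer belongs to
    icmp_type: Optional[int] = None   # 8 = echo request (Ping/Tracert)

@dataclass
class PredefinedRule:
    name: str
    match: Callable[[Packet], bool]
    default: Dict[Zone, Action]       # per-area defaults from the manual
    action: Dict[Zone, Action] = field(default_factory=dict)

    def __post_init__(self):
        self.restore()

    def restore(self):
        """Reset the editable per-area actions to the defaults."""
        self.action = dict(self.default)

RULES: List[PredefinedRule] = [
    PredefinedRule("IGMP", lambda p: p.protocol == "igmp",
                   {Zone.TRUSTED: Action.DENY, Zone.INTERNET: Action.DENY}),
    PredefinedRule("Incoming Ping and Tracert",
                   lambda p: p.protocol == "icmp" and p.direction == "in" and p.icmp_type == 8,
                   {Zone.TRUSTED: Action.PERMIT, Zone.INTERNET: Action.DENY}),
    PredefinedRule("Outgoing Ping and Tracert",
                   lambda p: p.protocol == "icmp" and p.direction == "out" and p.icmp_type == 8,
                   {Zone.TRUSTED: Action.PERMIT, Zone.INTERNET: Action.PERMIT}),
]

def evaluate(packet: Packet, rules=RULES, predefined_enabled=True) -> Optional[Action]:
    """Return the action of the first matching predefined rule for the packet's area,
    or None when predefined rules are disabled or none matches (application rules
    and the advanced packet filter then decide)."""
    if not predefined_enabled:
        return None
    for rule in rules:
        if rule.match(packet):
            return rule.action[packet.zone]
    return None

def restore_defaults(rules=RULES) -> None:
    for rule in rules:
        rule.restore()
```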
This rule covers other ICMP messages (e.g. redirects, destination unreachable, etc.).
DHCP is used to obtain TCP/IP parameters automatically (IP address, network mask, default gateway, etc.).
Warning: Denying DHCP may leave your computer without a working network connection if its TCP/IP parameters are assigned through this protocol.
DNS is used to translate computer names to IP addresses. At least one connection to a DNS server must be permitted for names to be resolved through DNS.
A virtual private network (VPN) is a secure connection between two local networks (or between a remote client and a local network) over the Internet using an encrypted channel (a so-called tunnel). The Virtual Private Network rule allows or denies VPN establishment through the PPTP protocol (Microsoft's proprietary protocol).
This rule covers packets sent to a broadcast address. On the Internet, it is also applied to packets with multicast addresses.