Administrator's Guide - Kerio Software Archive
Note: A connection cannot be logged for blocking and dropping rules (the connection is never established).

The following columns are hidden in the default settings of the Traffic Policy window (for details on showing and hiding columns, see chapter 3.3):

Valid on
Time interval within which the rule is valid. Outside this interval Kerio Control ignores the rule. The special always option disables the time limitation (it is not displayed in the Traffic Policy dialog). When a denying rule comes into effect, or when an allowing rule's validity ends, all active network connections matching that rule are closed immediately.

Protocol inspector
Selection of a protocol inspector that will be applied to all traffic meeting the rule. The menu provides the following options:

Figure 7.20 Traffic rule — protocol inspector selection

• Default — all necessary protocol inspectors (i.e. the inspectors of the services listed in the Service entry) will be applied to traffic meeting this rule.
• None — no inspector will be applied, regardless of how the services used in the Service item are defined.
• Other — a particular inspector, chosen from all of Kerio Control's protocol inspectors, will be applied to traffic meeting this rule. No other protocol inspector will be applied to the traffic, regardless of the settings of the services in the Service section.
Do not use this option unless the traffic rule covers a protocol that belongs to the selected inspector. Applying an inappropriate inspector may break the service. For more information, refer to chapter 7.7.

Note: Use the Default option for the Protocol Inspector item if a particular service (see the Service item) is used in the rule definition, because the protocol inspector is already included in the service definition.

7.4 Basic Traffic Rule Types

Kerio Control traffic policy provides a range of network traffic filtering options. This chapter presents rules that cover standard configurations; using these examples you can easily build a set of rules for your own network.

IP Translation (NAT)

IP translation, also called Internet connection sharing, replaces the private source IP address of a packet leaving the local network for the Internet with the IP address of the Kerio Control host's Internet interface. This technology connects local private networks to the Internet through a single public IP address.

The following example shows an appropriate traffic rule:

Figure 7.21 A typical traffic rule for NAT (Internet connection sharing)

Source
The Trusted / Local interfaces group. This group includes all segments of the LAN connected directly to the firewall. If some segments are not supposed to reach the Internet, file their interfaces into the Other interfaces group instead; such interfaces then do not match this rule. Because the rule matches on group membership rather than on individual interfaces, any interface later added to Trusted / Local automatically receives the same Internet access, so check the group of each new interface. If the local network consists of cascaded segments (i.e. it includes other routers), the rule does not need to be customized for this; it is only necessary to set routing correctly (see chapter 18.1).

Destination
The Internet interfaces group. With this group the rule works for any type of Internet connection (see chapter 6) and does not need to be modified even if the Internet connection is changed.
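The rule semantics described on this page (matching on interface groups, the NAT source rewrite to the Internet interface address, the Valid on window, and the fact that denied or dropped traffic never produces a connection to log) can be modelled with a small evaluator. The Python below is an added example written for this page, not Kerio Control code: the interface names and addresses, the guest time window and the outbound-SMB drop rule are constructed for illustration, and it assumes, beyond what the manual states here, top-down first-match evaluation with an implicit deny for traffic that matches no rule.

```python
"""Toy evaluator for a Kerio-Control-style traffic policy.

Added example, not Kerio code. Assumptions beyond the manual: rules are
evaluated top-down and the first match wins; a packet matching no rule is
denied; the sample interfaces, addresses and the guest time window are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

TRUSTED = "Trusted / Local interfaces"
INTERNET = "Internet interfaces"
OTHER = "Other interfaces"

# Constructed interface table: name -> (interface group, interface address).
INTERFACES = {
    "LAN": (TRUSTED, "192.168.1.1"),
    "Guest": (OTHER, "192.168.50.1"),
    "WAN": (INTERNET, "203.0.113.10"),
}


@dataclass
class Packet:
    in_iface: str      # interface the packet arrived on
    out_iface: str     # interface routing selected for it
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Rule:
    name: str
    src_group: str
    dst_group: str
    action: str                                   # "allow", "deny" or "drop"
    service: Optional[tuple[str, int]] = None     # (proto, port); None = any
    nat: bool = False                             # rewrite source to outgoing interface address
    valid_on: Optional[tuple[time, time]] = None  # None = "always"
    log_connections: bool = False

    def is_valid_at(self, when: datetime) -> bool:
        """'Valid on' window; outside it the rule is ignored entirely."""
        if self.valid_on is None:
            return True
        start, end = self.valid_on
        return start <= when.time() < end

    def matches(self, pkt: Packet, when: datetime) -> bool:
        return (
            self.is_valid_at(when)
            and INTERFACES[pkt.in_iface][0] == self.src_group
            and INTERFACES[pkt.out_iface][0] == self.dst_group
            and (self.service is None or self.service == (pkt.proto, pkt.dport))
        )


@dataclass
class Verdict:
    action: str
    rule: Optional[str]                  # matching rule, None for the implicit default
    translated_src: Optional[str] = None
    connection_logged: bool = False


def evaluate(rules: list[Rule], pkt: Packet, when: datetime) -> Verdict:
    for rule in rules:
        if not rule.matches(pkt, when):
            continue
        if rule.action != "allow":
            # Denied or dropped traffic never establishes a connection,
            # so there is no connection to log (packet logging is separate).
            return Verdict(rule.action, rule.name)
        new_src = INTERFACES[pkt.out_iface][1] if rule.nat else None
        return Verdict("allow", rule.name, new_src, rule.log_connections)
    return Verdict("deny", None)   # assumed implicit default


# The policy: a drop rule placed above the NAT rule so it wins by ordering,
# the NAT rule of Figure 7.21, and a time-limited guest rule (window assumed).
POLICY = [
    Rule("Block outbound SMB", TRUSTED, INTERNET, "drop", service=("tcp", 445)),
    Rule("NAT", TRUSTED, INTERNET, "allow", nat=True, log_connections=True),
    Rule("Guest Internet", OTHER, INTERNET, "allow", nat=True,
         valid_on=(time(8, 0), time(18, 0))),
]

WORK_HOURS = datetime(2024, 1, 15, 10, 0)   # constructed timestamps
AFTER_HOURS = datetime(2024, 1, 15, 23, 0)

if __name__ == "__main__":
    lan_https = Packet("LAN", "WAN", "192.168.1.20", "198.51.100.5", 443)
    lan_smb = Packet("LAN", "WAN", "192.168.1.20", "198.51.100.5", 445)
    guest_https = Packet("Guest", "WAN", "192.168.50.7", "198.51.100.5", 443)
    for when in (WORK_HOURS, AFTER_HOURS):
        for pkt in (lan_https, lan_smb, guest_https):
            print(when.time(), pkt.in_iface, pkt.dport, evaluate(POLICY, pkt, when))
```

Ordering matters in this model: the drop rule sits above the NAT rule, so SMB from the LAN to the Internet is dropped even though the NAT rule alone would allow it, and the drop verdict carries no connection log. The guest rule matches only within its Valid on window; outside it the packet falls through to the implicit deny. Moving an interface from Other interfaces into Trusted / Local would immediately give it the NAT rule's access.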