Kerio Tech Firewall6 User Manual

Page 73


7.1 Network Rules Wizard


These rules are created only if access to the corresponding service was enabled on page 5 of the wizard.

Note: In these rules the Source item is also set to Any. The main reason is consistency with the rules for mapped services (all of these rules are defined on page 6 of the wizard). Under normal conditions, access to firewall services from the local network is already allowed by the Firewall traffic rule, but this is not true in every configuration.

ISS OrangeWeb Filter

If ISS OrangeWeb Filter (a module for classifying websites) is used, this rule allows communication with the corresponding classification databases. Do not disable this traffic, otherwise ISS OrangeWeb Filter might not function properly. In figure 7.7, for instance, the firewall's own traffic is narrowed to specific services only; without this rule, the traffic of ISS OrangeWeb Filter would be blocked.

NAT

This rule specifies that in all packets routed from the local network to the Internet, the source (private) IP address is replaced by the address of the Internet interface through which the firewall sends the packet. Only the services specified in the wizard (page 4) can be accessed over the Internet connection.

The Source item of this rule includes the Trusted / Local interfaces group and the Destination item includes the Internet interfaces group. Because the rule matches interface groups rather than particular addresses or interfaces, it applies to any network configuration: it is not necessary to change this rule whenever a new LAN segment is connected or the Internet connection is changed.

By default, the Trusted / Local interfaces group also includes the Dial-In interface, i.e. all RAS clients connecting to this server can access the Internet via NAT.

Local Traffic

This rule allows all traffic between local hosts and the firewall (i.e. the computer where WinRoute is installed). In this rule, the Source and Destination items include the Trusted / Local interfaces group (see chapter 5) and the special group Firewall.

By default, the Trusted / Local interfaces group also includes the Dial-In interface. This means that the Local Traffic rule also allows traffic between local hosts and RAS clients/VPN clients connected to the server.

If creation of rules for Kerio VPN was selected in the wizard (page 5), the Local Traffic rule also includes the special address groups All VPN tunnels and All VPN clients. This means that, by default, the rule allows traffic between the local network (including the firewall), remote networks connected via VPN tunnels, and VPN clients connecting to WinRoute's VPN server.

Note: Access to the WinRoute host is not limited, because the wizard assumes that this host belongs to the local network. Access can be restricted by modifying the appropriate rule or by creating a new one. An ill-considered rule restricting access to the WinRoute host might, however, block remote administration or make some Internet services unavailable (all traffic between the LAN and the Internet passes through this host).
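The NAT and Local Traffic rules described above are both matched on interface groups rather than on addresses, which is why a newly connected LAN segment or a changed Internet link needs no rule change, and why a Dial-In client is NATed simply because Dial-In sits in the Trusted / Local interfaces group. The following Python model is an added illustration of that rule shape, not Kerio's code: the interface names, public addresses, group membership, permitted service list and rule order are all constructed assumptions. It evaluates a packet against an ordered rule table, rewrites the source address to whichever Internet interface the packet leaves through, lets local-to-firewall traffic match Local Traffic without any rewrite, and lets a service the wizard did not allow (or traffic from the Internet to the firewall host) fall through to the implicit deny.

```python
"""Toy evaluation of WinRoute-style traffic rules matched by interface group.

Added illustration, not Kerio's code. Interface names, addresses, group
membership, service lists and the rule order below are constructed.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

TRUSTED = "Trusted / Local interfaces"
INTERNET = "Internet interfaces"
FIREWALL = "Firewall"  # special group: the WinRoute host itself

# Constructed interface -> group assignment. LAN2 stands for a segment added
# after the wizard ran; Dial-In is in the trusted group by default.
INTERFACE_GROUPS = {
    "LAN": TRUSTED,
    "LAN2": TRUSTED,
    "Dial-In": TRUSTED,
    "WAN1": INTERNET,
    "WAN2": INTERNET,
}
# Public address of each Internet interface (constructed, documentation ranges).
INTERFACE_ADDRESS = {"WAN1": "203.0.113.10", "WAN2": "198.51.100.7"}


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on, or FIREWALL if locally generated
    out_iface: str  # interface chosen by routing, or FIREWALL if delivered locally
    src: str
    dst: str
    service: str


@dataclass(frozen=True)
class Rule:
    name: str
    source: frozenset              # interface groups (or FIREWALL)
    destination: frozenset
    services: Optional[frozenset]  # None means any service
    action: str                    # "permit" or "deny"
    nat: bool = False              # rewrite source to the egress interface address


def group_of(iface: str) -> str:
    """Map an interface to its group; unknown interfaces match no rule."""
    if iface == FIREWALL:
        return FIREWALL
    return INTERFACE_GROUPS.get(iface, "unassigned")


def matches(rule: Rule, pkt: Packet) -> bool:
    return (group_of(pkt.in_iface) in rule.source
            and group_of(pkt.out_iface) in rule.destination
            and (rule.services is None or pkt.service in rule.services))


def apply_rules(rules: List[Rule], pkt: Packet) -> Tuple[str, Packet, str]:
    """First matching rule wins. Returns (action, packet as forwarded, rule name).
    A packet matching nothing falls through to the implicit deny."""
    for rule in rules:
        if matches(rule, pkt):
            out = pkt
            if rule.action == "permit" and rule.nat:
                # Source NAT: the private source becomes the address of the
                # Internet interface the firewall sends the packet through.
                out = replace(pkt, src=INTERFACE_ADDRESS[pkt.out_iface])
            return rule.action, out, rule.name
    return "deny", pkt, "implicit deny"


# Rule table in the shape the wizard produces (constructed; service list
# stands for the services allowed on wizard page 4).
RULES = [
    Rule("NAT", frozenset({TRUSTED}), frozenset({INTERNET}),
         frozenset({"HTTP", "HTTPS", "DNS"}), "permit", nat=True),
    Rule("Local Traffic", frozenset({TRUSTED, FIREWALL}),
         frozenset({TRUSTED, FIREWALL}), None, "permit"),
]

if __name__ == "__main__":
    samples = [
        Packet("LAN2", "WAN2", "192.168.2.20", "93.184.216.34", "HTTP"),   # new segment
        Packet("Dial-In", "WAN1", "10.0.0.50", "93.184.216.34", "DNS"),    # RAS client
        Packet("LAN", FIREWALL, "192.168.1.5", "192.168.1.1", "ADMIN"),    # to the host
        Packet("LAN", "WAN1", "192.168.1.5", "93.184.216.34", "SMB"),      # not allowed
        Packet("WAN1", FIREWALL, "198.51.100.99", "203.0.113.10", "ADMIN"),  # from outside
    ]
    for pkt in samples:
        action, out, name = apply_rules(RULES, pkt)
        print(f"{pkt.in_iface:>7} -> {pkt.out_iface:<8} {pkt.service:<5} "
              f"{action:<6} by {name:<13} src {pkt.src} -> {out.src}")
```

The model deliberately has no rule for Internet-to-firewall traffic, so the last sample is denied; in the product that access is only opened by the per-service rules created on page 5 of the wizard, which is exactly the check to make before narrowing Local Traffic or the NAT rule on a production host.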
