Definition of Custom Traffic Rules

To fine-tune the WinRoute settings, you can define your own rules or edit the rules generated by the wizard. Advanced administrators can create all rules according to their specific needs without using the wizard at all.

Note: If you would like to control user connections to WWW or FTP servers, use the special tools available in WinRoute (see chapter Content Filtering) rather than traffic rules.

How traffic rules work

The traffic policy consists of rules ordered by priority. When the rules are applied they are processed from the top downwards and the first matching rule is applied; no further rules are consulted. The order of the rules can be changed with the two arrow buttons on the right side of the window.

An explicit rule denying all traffic is shown at the end of the list. This rule cannot be edited or removed. If no rule allows a particular packet, this catch-all deny rule discards it.
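The first-match evaluation described above, shown as an added example that is not part of the WinRoute documentation or product code: a small Python evaluator with the implicit catch-all Deny at the bottom, plus a check for rules that can never fire because an earlier, broader rule with a different action already matches everything they would match. The `Rule` fields, the rule names and the networks used are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example: a first-match evaluator modelled on the traffic policy
# semantics described above. Illustrative code, not WinRoute's implementation.


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # network in CIDR notation, or "any"
    dst: str
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # None means any port
    action: str           # "Permit", "Deny" or "Drop"
    enabled: bool = True  # the tick box next to the rule name


def _net_matches(spec: str, ip: str) -> bool:
    """Does the address `ip` fall inside the rule's network item?"""
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    """All conditions of the rule (Source, Destination, Service) must hold."""
    return (rule.enabled
            and _net_matches(rule.src, src_ip)
            and _net_matches(rule.dst, dst_ip)
            and rule.proto in ("any", proto)
            and rule.port in (None, port))


def evaluate(policy: List[Rule], src_ip: str, dst_ip: str,
             proto: str, port: int) -> Tuple[str, str]:
    """Walk the policy top-down; the first matching rule wins. If nothing
    matches, the non-editable catch-all rule at the bottom denies the packet."""
    for rule in policy:
        if matches(rule, src_ip, dst_ip, proto, port):
            return rule.action, rule.name
    return "Deny", "<catch-all deny>"


def _net_covers(outer: str, inner: str) -> bool:
    """True if every address in `inner` is also in `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner, strict=False).subnet_of(
        ipaddress.ip_network(outer, strict=False))


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet matched by `later` is also matched by `earlier`."""
    return (_net_covers(earlier.src, later.src)
            and _net_covers(earlier.dst, later.dst)
            and earlier.proto in ("any", later.proto)
            and earlier.port in (None, later.port))


def shadowed_rules(policy: List[Rule]) -> List[str]:
    """Names of enabled rules that can never fire because an earlier enabled
    rule already matches everything they would match. Worth running after
    every reordering of the policy."""
    names = []
    for i, later in enumerate(policy):
        if not later.enabled:
            continue
        if any(e.enabled and covers(e, later) for e in policy[:i]):
            names.append(later.name)
    return names


LAN = "192.168.1.0/24"
# Specific Deny above the broad Permit: telnet from the LAN is blocked.
GOOD_ORDER = [
    Rule("Block telnet", LAN, "any", "tcp", 23, "Deny"),
    Rule("LAN to Internet", LAN, "any", "any", None, "Permit"),
]
# Same two rules swapped: the Permit now hides the Deny, which never fires.
BAD_ORDER = [GOOD_ORDER[1], GOOD_ORDER[0]]

if __name__ == "__main__":
    for label, policy in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        print(label, evaluate(policy, "192.168.1.10", "203.0.113.5", "tcp", 23),
              "shadowed:", shadowed_rules(policy))
```

The `shadowed_rules` check is the part a practitioner would keep: after moving rules with the arrow buttons it lists every rule that has become unreachable, which is exactly the mistake the first-match semantics make easy.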

Rule definitions

The traffic rules are displayed in the form of a table, where each rule is represented by a row and the rule properties (name, conditions and actions; see below for details) are described in the columns. Left-click in a selected field of the table (or right-click a rule and choose the Edit... option in the context menu) to open a dialog where the selected item can be edited.

To define new rules press the Add button. Move the new rule within the list using the arrow buttons.

Name

Name of the rule. It should be brief and unique. More detailed information can be included in the Description entry.

The check box next to each rule name can be ticked to enable the rule or unticked to disable it. If the box is unticked, WinRoute ignores the rule. This means that you need not remove and later redefine rules while troubleshooting them.

The background color of each row can be defined as well. To set the background color of a row, right-click a cell belonging to that row in the Name column and select Edit name and color.

Any text describing the particular rule may be used to specify the Description entry (up to 1024 characters). Specification of this entry is optional.

If the description is specified, the bubble symbol is displayed in the Name column next to the rule name. Place the mouse pointer over the bubble to view the rule description.

It is recommended to describe all created rules for better reference (automatic descriptions are provided for rules created by the wizard).

Note: Descriptions and colors do not affect rule functionality.

Source and Destination

Definition of the source or destination of the traffic defined by the rule.

A new source or destination item can be defined after clicking the Add button:

  • Host: the IP address or DNS name of a host (e.g. 192.168.1.1 or www.company.com)

    Warning: If either the source or the destination computer is specified by DNS name, WinRoute tries to resolve its IP address while processing the corresponding traffic rule.

    If no matching record is found in the DNS cache, the DNS forwarder sends the query to the Internet. If the Internet connection is a dial-up line that is currently hung up, the query is sent only after the line is dialed. Until the DNS name is resolved to an IP address, the rule is disabled. Under certain circumstances, traffic that the rule should deny can therefore pass while the deny rule is disabled (such connections are closed immediately once the rule is enabled again).

    For these reasons, if you connect to the Internet through a dial-up line, we recommend specifying source and destination computers by IP address only.

  • Network: a subnet defined by network address and mask (e.g. 192.168.1.0/255.255.255.0)

  • IP range: e.g. 192.168.1.10-192.168.1.20

  • Subnet with mask: a subnet defined by network address and mask (e.g. 192.168.1.0/255.255.255.0)

  • Network connected to interface: all IP addresses that reside behind the particular interface.

  • VPN: a virtual private network (created with the WinRoute VPN solution). This option can be used to add the following items:

    • Incoming VPN connections (VPN clients): all VPN clients connected to the WinRoute VPN server via the Kerio VPN Client

    • Incoming VPN connections (VPN tunnel): the network connected to this server from a remote server via the VPN tunnel

    For a detailed description of the WinRoute VPN solution refer to chapter Kerio VPN.

  • Users: users or groups chosen in a special dialog

    The Authenticated users option makes the rule valid for all users authenticated to the firewall (see chapter Firewall User Authentication).

    In the traffic policy, each user, group or host is represented by the IP address from which it is connected (for more details about user authentication see chapter Firewall User Authentication).

    Notes:

    1. If you require authentication for any rule, it is necessary to ensure that a rule exists to allow users to connect to the firewall authentication page. This service uses TCP port 4080 for HTTP and 4081 for HTTPS.

    2. If you use HTTP, WinRoute can redirect users to the authentication page automatically (for details see chapter URL Rules). Other services do not support this. Users should be informed that they must pass through the authentication page before accessing the required services (see chapters Web Interface and User Authentication and Firewall User Authentication).

  • Firewall: a special address group including all interfaces of the host where the firewall is running. This option can be used, for example, to permit traffic between the local network and the WinRoute host.

Use the Any button to replace all defined items with the Any item (this item is also used by default for all new rules). This item will be removed automatically when at least one new item is added.

Use the Remove button to remove all defined items (the Nothing value will be displayed in the item list). Whenever at least one new item is added, the Nothing value is removed automatically. If the Nothing value is kept in the Source and/or Destination item, the corresponding rule is disabled.

The Nothing value is important for the removal of network interfaces (see chapter Interfaces). The Nothing value is automatically used for all Source and/or Destination items of rules in which a removed interface was used; all these rules are thus disabled. Inserting the Nothing value manually is not meaningful; use the check box in the Name column instead.

Note: Removed interfaces cannot be replaced by the Any value, because that might change the traffic policy fundamentally (e.g. undesirable traffic might be allowed).

Service

Definition of the service(s) to which the traffic rule applies. Any number of services can be included in the list, each defined either in Configuration / Definitions / Services or by protocol and port number (or by port range, with a dash separating the two ends of the range).

Click Any to replace all defined items with the Any value (this value is also used by default when new rules are created). Whenever at least one new service is added, the Any value is removed automatically.

Press Remove to delete all defined items (the Nothing value will be displayed in the item list). Whenever at least one new service is added, the Nothing value is removed automatically. If the Nothing value is kept in the Service column, the rule is disabled.

The Nothing value is important for the removal of services (see chapter Services). The Nothing value is automatically used for the Service item of rules in which a removed service was used; all these rules are thus disabled. Inserting the Nothing value manually is not meaningful; use the check box in the Name column instead.

Notes:

  1. Removed services cannot be replaced by the Any value, because that might change the traffic policy fundamentally (e.g. undesirable traffic might be allowed).

  2. If the protocol inspector of the particular protocol is used in the service definition, this module is applied to the traffic matching this rule. If the rule applies to all services (the Any button), all necessary protocol inspectors are applied automatically.

    If desired, you can define a rule without using protocol inspectors (for details see chapter Services) in order to bypass the protocol inspector for particular IP hosts.
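An added example (not WinRoute's own code) that parses the Source/Destination item notations from the Source and Destination section and the protocol/port service notation from the Service section, and applies the enable/disable semantics both sections describe: an unticked rule, a Nothing (empty) column, or a DNS-named host that cannot be resolved all leave the rule disabled. The `RuleSpec` fields, the `resolve` callback standing in for the DNS forwarder, and all addresses are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed example: parsing the Source/Destination and Service notations
# used in the rule dialog and applying the Nothing/Any/tick-box semantics.
# Illustrative code, not WinRoute's implementation.

ANY = "any"


class AddressItem:
    """One Source/Destination item, stored as an inclusive address interval."""
    def __init__(self, first, last):
        self.first, self.last = first, last

    def contains(self, ip: str) -> bool:
        return self.first <= ipaddress.ip_address(ip) <= self.last


def parse_address_item(text: str,
                       resolve: Optional[Callable[[str], Optional[str]]] = None):
    """Accepts: Any, a host IP or DNS name (192.168.1.1, www.company.com),
    a subnet with mask (192.168.1.0/255.255.255.0 or 192.168.1.0/24) and an
    IP range (192.168.1.10-192.168.1.20). `resolve` stands in for the DNS
    forwarder; a name it cannot resolve yields None, which keeps the rule
    disabled, as the DNS warning above describes."""
    text = text.strip()
    if text.lower() == ANY:
        return ANY
    if "-" in text:
        low, high = (p.strip() for p in text.split("-", 1))
        try:
            return AddressItem(ipaddress.ip_address(low), ipaddress.ip_address(high))
        except ValueError:
            pass                                  # a hyphenated DNS name, not a range
    if "/" in text:
        net = ipaddress.ip_network(text, strict=False)   # dotted mask or prefix length
        return AddressItem(net.network_address, net.broadcast_address)
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:                            # not an address: treat as a DNS name
        resolved = resolve(text) if resolve else None
        if resolved is None:
            return None
        addr = ipaddress.ip_address(resolved)
    return AddressItem(addr, addr)


def parse_service(text: str):
    """Accepts Any or protocol/port with an optional dash-separated port range
    (tcp/80, udp/5000-5010). Returns ANY or (proto, low_port, high_port)."""
    text = text.strip().lower()
    if text == ANY:
        return ANY
    proto, ports = text.split("/", 1)
    low, _, high = ports.partition("-")
    return proto, int(low), int(high or low)


@dataclass
class RuleSpec:
    name: str
    ticked: bool               # check box in the Name column
    sources: List[str]         # empty list == the Nothing value
    destinations: List[str]
    services: List[str]
    action: str


def _addr_match(items, ip: str) -> bool:
    return any(item == ANY or item.contains(ip) for item in items)


def _svc_match(services, proto: str, port: int) -> bool:
    return any(s == ANY or (s[0] == proto and s[1] <= port <= s[2]) for s in services)


def compile_rule(spec: RuleSpec, resolve=None):
    """Returns (enabled, matcher). The rule is disabled when its box is unticked,
    when any column holds Nothing (empty), or when a DNS-named host cannot be
    resolved; otherwise matcher(src_ip, dst_ip, proto, port) tests a packet."""
    if not (spec.ticked and spec.sources and spec.destinations and spec.services):
        return False, None
    src = [parse_address_item(t, resolve) for t in spec.sources]
    dst = [parse_address_item(t, resolve) for t in spec.destinations]
    if None in src or None in dst:
        return False, None
    svc = [parse_service(t) for t in spec.services]

    def matcher(src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
        return (_addr_match(src, src_ip) and _addr_match(dst, dst_ip)
                and _svc_match(svc, proto.lower(), port))
    return True, matcher


if __name__ == "__main__":
    web = RuleSpec("LAN web", True, ["192.168.1.0/255.255.255.0"], ["Any"],
                   ["tcp/80", "tcp/443"], "Permit")
    enabled, match = compile_rule(web)
    print(enabled, match("192.168.1.7", "203.0.113.1", "tcp", 443))
```

The point of `compile_rule` returning a disabled state rather than raising is that it mirrors what the firewall does: a rule whose host name is not yet resolved, or whose column has fallen back to Nothing after an interface or service was removed, silently stops matching, so a policy review should list such rules rather than assume they are in force.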

Action

The action that WinRoute takes when a packet has passed all the conditions of the rule (the conditions are defined by the Source, Destination and Service items). The following actions can be taken:

  • Permit: the traffic is allowed by the firewall

  • Deny: the client is informed that access to the address or port is denied. The client is notified promptly, but it thereby also learns that the traffic is blocked by a firewall.

  • Drop: all packets matching this rule are dropped by the firewall. The client receives no notification and treats the result as a network outage. The client does not retry immediately (it waits for a response, times out and tries to connect again later, etc.).

Note: It is recommended to use the Deny option to limit Internet access for local users and the Drop option to block access from the Internet.

Log

The following actions can be taken to log traffic:

  • Log matching packets: all packets matching the rule (permitted, denied or dropped, according to the rule definition) are logged in the Filter log.

  • Log matching connections: all connections matching this rule are logged in the Connection log (only for permit rules). Individual packets belonging to these connections are not logged.

    Note: Connections cannot be logged for deny nor drop rules.

Translation

Source and/or destination IP address translation.

Source IP address translation is also called IP masquerading or Internet connection sharing. In packets routed from the local network to the Internet, the source (private) IP address is replaced by the IP address of the interface connected to the Internet. The entire local network can therefore access the Internet transparently, while from the outside it appears as a single host.

IP translation is defined as follows:

  • No Translation: the source address is not modified. This option is set by default and is not displayed within traffic rules.

  • Translate to IP address of outgoing interface: WinRoute translates the source address of an outgoing packet to the IP address of the network interface from which the packet is forwarded.

  • Translate to IP address of interface: selection of an interface. The source address of the packet is translated to the primary address of this interface. This option is relevant if the return path should differ from the upstream path.

  • Translate to IP address: an IP address to which the source address will be translated (e.g. a secondary IP address of an interface connected to the Internet). If you only know the DNS name of your host, use the Resolve button to translate the DNS name to an IP address.

    Note: The IP address must be assigned to an interface (bound by the TCP/IP stack) of the WinRoute host!

Destination address translation (also called port mapping) is used to allow access to services hosted behind the firewall. All incoming packets that match the defined rule are redirected to a defined host (the destination address is changed). From the client's point of view, the service is running on the IP address of the firewall.

Options for destination NAT (port mapping):

  • No Translation: the destination address is not modified.

  • Translate to: the IP address that will replace the packet's destination address. This is the IP address of the host on which the service actually runs.

    The Translate to entry can also be specified by the DNS name of the destination computer. In that case WinRoute finds the corresponding IP address using a DNS query.

    Warning: We recommend not using names of computers that are not recorded in the local DNS, since the rule is not applied until a corresponding IP address is found. This might cause a temporary malfunction of the mapped service.

  • Translate port to: during IP translation you can also substitute the port of the service. This means that the service can run on a port that differs from the port from which it is mapped.

    Note: This option can be used only if exactly one service is defined in the Service entry of the traffic rule and this service uses a single port or port range.

The following columns are hidden by the default settings of the Traffic Policy dialog:

Valid on

The time interval within which the rule is valid. Outside this interval WinRoute ignores the rule.

The special always option can be used to disable the time limitation (it is not displayed in the Traffic Policy dialog).

Protocol Inspector

Selection of a protocol inspector that will be applied to all traffic matching the rule. You can choose from the following options:

  • Default: all necessary protocol inspectors (or the inspectors of the services listed in the Service entry) are applied to traffic matching this rule.

  • None: no inspector is applied (regardless of how the services used in the Service item are defined).

  • Other: selection of a particular inspector that is used on traffic matching this rule (all of WinRoute's protocol inspectors are available).

    Warning: Do not use this option unless the traffic rule defines a protocol belonging to the selected inspector. Using an inappropriate inspector might affect the functionality of the service.

Note: Use the Default option for the Protocol Inspector item if a particular service (see the Service item) is used in the rule definition (the protocol inspector is included in the service definition).
