How traffic rules work
Watch the Configuring traffic rules video.
The traffic policy consists of rules ordered by their priority. The rules are processed from the top downwards and the first matched rule is applied. The order of the rules can be changed with the two arrow buttons on the right side of the window, or by dragging the rules within the list.
An implicit rule denying all traffic is shown at the end of the list. This rule cannot be removed. If there is no rule to allow particular network traffic, then the implicit rule will discard the packet.
To control user connections to WWW or FTP servers and filter contents, use the content filter available in Kerio Control for these purposes rather than traffic rules. Read more in the Configuring the Content Filter article.
Configuring traffic rules
If you do not have any traffic rules created in Kerio Control, use the configuration wizard (go to Traffic Rules and click More Actions → Configure in Wizard).
To create your own rules, look at the following examples:
Generic rule
In the default state, Kerio Control denies communication for all services. To create an allowing rule for a service, for example, to allow a user group to use SSH for access to servers in the Internet:
- Go to Traffic Rules in the administration interface.
- Click Add.
- In the Add New Rule dialog box, type a name for the rule (for example, Allow SSH to a group).
- As a rule type, select Generic.
![Image]()
- Click Next.
- Click Users and Groups.
- In the Select Items dialog box, double-click a group (SSH allowed in our case).
![Image]()
- Click Next.
- Select Interfaces.
- In the Select Items dialog box, select Internet Interfaces.
- Click Next.
- Click Services.
- In the Select Items dialog box, double-click SSH.
The rule allows your users to use SSH to access servers in the Internet.
Port mapping
To enable all services for Kerio Connect placed in your local network protected by Kerio Control, follow these step:
- In the administration interface, go to Traffic Rules.
- Click Add.
- In the Add New Rule wizard, type a name of the rule.
- Select Port mapping.
- In the Host field, type the hostname or IP address of the SMTP server placed in your local network.
- Next to the Service field, click Select.
- In the Select Items dialog, check the Kerio Connect services group (see figure Adding a service group).
![Adding a service group]( "Adding a service group")
- Click Finish.
- Move the rule to the top of the table of traffic rules.
Other examples
User accounts and groups in traffic rules
In traffic rules, source/destination can be specified also by user accounts and/or user groups. In the traffic policy, each user account represents the IP address of the host from which a user is connected. This means that the rule is applied to users authenticated at the firewall only (when the user logs out, the rule is not effective any longer):
Enabling certain users to access the Internet
In a private network and with the Internet connection performed through NAT, you can specify which users can access the Internet in the Source item in the NAT rule.
Such rules enable the specified users to connect to the Internet if they authenticate. They need to open the Kerio Control interface’s login page manually and authenticate.
With the rule defined, all methods of automatic authentication are ineffective (i.e. redirecting to the login page, NTLM authentication and automatic authentication from defined hosts).
Automatic authentication (redirection to the login page) is performed when the connection to the Internet is established. This NAT rule blocks any connection unless the user is authenticated.
Enabling automatic authentication
The automatic user authentication issue can be solved as follows:
- Add a rule allowing an unlimited access to the HTTP service and place it before the NAT rule.
![These traffic rules enable automatic redirection to the
login page]( "These traffic rules enable automatic redirection to the
login page")
- In Content Rules, allow specific users to access any web site and deny any access to other users.
![These URL rules enable specified users to access any Web
site]( "These URL rules enable specified users to access any Web
site")
Users who are not yet authenticated and attempt to open a web site are automatically redirected to the authentication page (or authenticated by NTLM, or logged in from the corresponding host). After a successful authentication, users specified in the NAT rule (see figure These traffic rules enable automatic redirection to the login page) will be allowed to access other Internet services. Users not specified in the rules will be disallowed to access any web site or/and other Internet services.
In this example, it is assumed that client hosts use the Kerio Control DNS Forwarder or local DNS server (traffic must be allowed for the DNS server). If the client stations use a DNS server in the Internet, you must include the DNS service in the rule which allows unlimited Internet access.
Demilitarized zone (DMZ)
This topic is covered in a special article: Configuring demilitarized zone (DMZ).
Policy routing
This topic is covered in a special article: Configuring policy routing.
Source : http://kb.kerio.com/product/kerio-control/security/configuring-traffic-rules-1312.html