Firewall: network rules - Kaspersky Lab

Kaspersky PURE 2.0
Firewall:
network rules

Kaspersky PURE 2.0
Content
Firewall rules .............................................................................................................................. 2
Packet rules ............................................................................................................................ 2
Creating a packet rule ......................................................................................................... 2
Editing packet rules ............................................................................................................. 7
Application rules ..................................................................................................................... 9
Creating application rules .................................................................................................... 9
Editing an application rule ................................................................................................. 13
Configuring network service .......................................................................................... 15
Allocating range of IP-addresses ................................................................................... 17
Extending the range of IP addresses ............................................................................. 20
Changing the rule for a group of applications ................................................................ 21
Changing the rule priority .............................................................................................. 25
Configuring notifications of changes in the network .............................................................. 26
Advanced Firewall settings ................................................................................................... 28
Firewall working features ...................................................................................................... 30
1 | 30

Kaspersky PURE 2.0
Firewall rules
There are two Firewall rule types, used to control network connections:
► Packet rules are used to create general restrictions on network activity, regardless
of the applications installed. Example: if you create a packet rule that blocks inbound
connections on port 21, no applications that use that port (an ftp server, for example)
will be accessible from the outside.
► Rules for applications are used to create restrictions on network activity for specific
applications. Example: If connections on port 80 are blocked for each application,
you can create a rule that allows connections on that port for Firefox only.
Packet rules have higher priority than application rules. If both packet rules and rules for
applications are applied to the same type of network activity, this network activity is processed
using the packet rules.
Packet rules
Creating a packet rule
All network connections on your computer are monitored by Firewall. Firewall assigns a
specific status to each connection and applies various rules for filtering of network activity
depending on that status, thus, it allows or blocks a network activity.
Packet rules are used in order to restrict packets transferring regardless applications.
You can specify an action performed by Firewall if it detects the network activity:
► Allow
► Block
► By application rules. The packet rule is not used, but the rule for the application is
used.
The Allow or Block rules can be logged. In order to do this, check the Log events box in the
Action section.
To create a packet rule, for example, to allow remote access to your computer desktop, please
do the following:
1. In the right part of the Firewall settings window in the Network rules section, click the
Settings button.
2 | 30

Kaspersky PURE 2.0
2. In the Firewall window go to the Packet rules tab.
3. Click the Add button. In the Network rule window that opens specify the settings for a
rule.
3 | 30

Kaspersky PURE 2.0
4. In the Network rule window in the Action section select the Allow variant.
5. In the Name section click an arrow next to the input field and select the Remote
Desktop item.
4 | 30

Kaspersky PURE 2.0
6. In the Address section select Any address.
7. Check the Log events box if you want to log actions performed according to the rule.
8. In the Network rule window click the OK button. The created rule appears in the list of
packet rules on the Packet rule tab.
5 | 30

Kaspersky PURE 2.0
9. In the Firewall window click the OK button.
10. In the Settings window click the Apply button.
Now any user has remote access to your desktop.
6 | 30

Kaspersky PURE 2.0
Editing packet rules
All packet rules (default or created by the user) can be edited. For example, if you want to
block remote access to your computer desktop, then edit the Remote Desktop packet rule:
1. In the right part of the Settings window of the Firewall component in the Network rules
section click the Settings button.
2. In the Firewall window go to the Packet rules tab.
3. In the list of packet rules select the Remote Desktop rule.
7 | 30

Kaspersky PURE 2.0
4. Click the Edit button. In the Network rule window that opens you can edit the settings
of the selected rule.
5. In the Action section change the Allow variant to Block.
6. In the Address section select the Subnet address variant and choose the Public
networks item from the displayed list.
8 | 30

Kaspersky PURE 2.0
7. In the Network rule window click the OK button.
8. The made changes are displayed in the Firewall window on the Packet rules tab in the
list of packet rules: for the Remote Desktop rule the network type in the Address
column will change to Public networks, and an allowing icon in the Permission column
will change to a blocking icon.
9. In the Firewall window click the OK button.
10. In the Settings window click the Apply button.
Now only users of local and trusted networks have access to your computer desktop
Application rules
Creating application rules
You can create applications 1 rules for more subtle filtering of the network activity, edit rules for
a group of applications or for an individual application in a group.
Custom rules for individual applications have a higher priority than the rules inherited from a
group.
When creating an application rule, you can define an action to be performed by Firewall upon
detection of this type of the network activity when working with an application:
► Allow;
► Block;
► Prompt (user) for action.
An allowing or blocking action of a rule can be displayed in a report, for this during the rule
creation in the Action section, check the Log events box.
1 Application rules monitor connections only by TCP and UDP protocols.
9 | 30

Kaspersky PURE 2.0
To create a rule for an individual application, for example a rule blocking the QIP internet pager
any network activity outside your local and trusted networks, perform the following actions:
1. In the right part of the Settings window in the Network rules section click the Settings
button.
2. In the Firewall window on the Application rules tab select QIP 2012.
3. Click the Edit button.
4. In the Application rules window that opens, go to the Network rules tab.
5. At the top of the window click the Add button.
10 | 3 0

Kaspersky PURE 2.0
6. In the Network rule window perform the following actions:
► In the Action section select the Block action;
► In the Name section select the Any network activity service;
► In the Address section select the Subnet address variant and in the displayed list
select Public networks;
► Check the Log events box if you want to log actions performed according to the
rule;
► Click the OK button.
11 | 3 0

Kaspersky PURE 2.0
7. The created rule will appear in the Application rules window on the Network rules tab
in the list of rules for QIP 2012.
12 | 3 0

Kaspersky PURE 2.0
8. Click the OK button in the Application rules window.
9. In the Firewall window click the OK button.
10. In the Settings window click the Apply button
Editing an application rule
For the default network rules created by Kaspersky PURE you can edit only an action (such
rules cannot be deleted). For this, perform the following actions:
1. In the right part of the Settings window in the Network rules section click the Settings
button.
2. In the Firewall window on the Application rules tab select a required application.
3. Click the Edit button. In the Application rules window that opens, go to the Network
rules tab.
4. From the list of rules for an application, select a rule whose action you want to change.
5. In the Permission column for the selected rule right-click the action icon.
6. From the context menu select the required action:
► Allow
► Block
► Prompt for action
7. In the Application rules window click the OK button.
8. In the Firewall window click the OK button.
9. In the Settings window click the Apply button.
13 | 3 0

Kaspersky PURE 2.0
For a network rule created by the user you can edit all earlier created settings. For this,
perform the following actions:
1. In the right part of the Settings window in the Network rules section click the Settings
button.
2. In the Firewall window on the Application rules tab select an application whose rule
you want to edit.
3. Click the Edit button. In the Application rules window that opens, go to the Network
rules tab.
4. From the list of rules select a rule you want to edit.
5. Click the Edit button.
6. In the Network rule window change the required settings.
14 | 3 0

Kaspersky PURE 2.0
7. In the Network rule window click the OK button.
8. In the Application rules window click the OK button.
9. In the Firewall window click the OK button.
10. In the Settings window click the Apply button.
Configuring network service
When creating any network rule you should specify the network service. Settings
characterizing the activity of the network for which a rule is created are described by the
network service.
You can select type of the network activity from the list or create a new type.
Network service includes the following parameters:
► Name. Preferably use the names which would explicitly describe the rule. For
example, DNS over TCP.
15 | 3 0

Kaspersky PURE 2.0
► Protocol. Firewall restricts connections via TCP, UDP, ICMP, ICMPv6, IGMP and
GRE 2 protocols. If protocol ICMP or ICMPv6 was selected as the protocol, you can
specify the type and the code of the ICMP packet.
► Direction. Firewall controls connections with the following directions:
► Inbound. A rule is applied to data packets received by your computer.
2 TCP, UDP, ICMP, ICMPv6, IGMP, GRE are protocols (sets of rules) of the data transfer in the network.
ICMP-packet —is a packet which contains the error message about the error or any other exceptional situation
which occurred during the data transfer. The fields code and type of the ICMP-packet correspondingly contain
the type and code of the occurred situation.
16 | 3 0

Kaspersky PURE 2.0
► Inbound (stream). The rule is for network connections created from another
computer.
► Inbound/Outbound. The rule is for inbound and outbound data packets and data
streams regardless the direction.
► Outbound. A rule is applied to data packets transferred from your computer.
► Outbound (stream). The rule is only for network connections created by your
computer.
► Remote and Local ports. You can specify ports which are used by your and remote
computers for TCP and UDP protocols. These ports will be controlled by Firewall.
Allocating range of IP-addresses
While creating the rule's conditions you can specify the network service and the network
address. You can use an IP address as the network address or specify the network status. In
the latter case the addresses will be copied from all networks that are connected and have the
specified status at this moment.
You can select one of the following statuses:
17 | 3 0

Kaspersky PURE 2.0
► Any address – the rule will be applied to any IP address;
► Subnetwork addresses with status – the rule will be applied to IP addresses of all
networks that are connected and have the specified status at the moment:
► Trusted networks
► Local networks
► Public networks
► Addresses from group – the rule will be applied to IP addresses included into the
specified range. Select one of the existing groups of addresses. If no range of IP
addresses in any group satisfies you, create a new one.
18 | 3 0

Kaspersky PURE 2.0
For this perform the following steps:
1. At the bottom part of the section click on the Add link.
2. In the IP address or DNS name window specify the addresses from the group.
3. Click the OK button.
4. In the Network rule window click the OK button.
A method to allocate IP-addresses using Classless Inter-Domain Routing (CIDR) 3 has been
implemented in Kaspersky PURE.
CIDR uses Variable Length Subnet Mask (VLSM) whereas in Class Inter-Domain Routing
the mask length is strictly set by 0, 1, 2 or 3 bytes.
For example, let’s take a record of the range of IP-addresses as 10.96.0.0/11. In this case the
subnet mask will look as 11111111 11100000 00000000 00000000, or as 255.224.0.0 in a
decimal view. 11 bits of the IP-address are allocated to the number of network; the other 21
3 CIDR (Classless InterDomain Routing, CIDR) is the method of IP-addressing which allows managing the
range of IP-address flexibly, without rigid frames of the Class Inter-Domain Routing. CIDR allows using the end
resource of IP-addresses economically, thus enhancing efficiency of KSOS 2.
19 | 3 0

Kaspersky PURE 2.0
bits (32-11= 21) of the full address are allocated to the local address in the network. To sum
up, 10.96.0.0/11 is a range of addresses from 10.96.0.1 to 10.127.255.255.
Remember, when defining CIDR-addressing in the networks of the IP-protocol version 4 (IPv4)
in any case the rule will be applied to the whole network.
To convert IP-addresses into CIDR Kaspersky Lab experts recommend using any web site
which provides free service of converting IP-addresses to CIDR-addressing (for example, the
web site http://ip2cidr.com/).
Extending the range of IP addresses
Each network matches one or more ranges of IP address. If you connect to a network, access
to subnetwork of which is performed via a router, you can manually add subnetworks
accessible through it.
Example: You are connecting to the network in an office of your company and wish to use the
same filtering rules for the office where you are connected directly and for the offices
accessible over the network.
Obtain network address ranges for those offices from the network administrator and add them.
To extend the range of network address, please perform the following:
1. In the right part of the Firewall settings window in the Networks section select an active
connection and click the Edit button.
20 | 3 0

Kaspersky PURE 2.0
2. In the Network connection window on the Properties tab in the Additional
subnetworks section click the Add link.
3. In the IP address window specify an IP address or address masks.
4. Click the OK button.
5. In the Network connection window click the OK button.
6. In the Settings window click the Apply button.
Changing the rule for a group of applications
Firewall analyzes the activity of each application running on your computer. Depending on the
threat rating, every application is included to one of the following groups:
► Trusted 4 . Trusted applications are applications with digital signatures of trusted
vendors and applications signatures of those are included to the trusted applications
database. Activities of such applications are monitored by Proactive Defense and
File Anti-Virus.
4 Applications of that group are allowed to perform any network activity irrespectively of the network status.
21 | 3 0

Kaspersky PURE 2.0
► Low Restricted 5 . Low restricted applications are applications which are without
digital signatures of trusted vendors and which are not included to the trusted
applications database. Nevertheless, the low risk rating is assigned to such
applications.
► High Restricted 6 . High restricted applications are applications without digital
signatures and which are not included to the trusted applications database. The high
risk rating is assigned to such applications.
► Untrusted 7 . Untrusted applications are applications without digital signatures and
which are not included to the trusted applications database. Very high risk rating is
assigned to such applications.
You can modify rules for a whole group.
Custom rules for individual applications have a higher priority than the rules inherited
from a group. If you create an allowed rule for a whole group of applications and a prohibited
rule for a certain application from this group, then any network activity of a certain application
will be restricted according to a rule for this application, because it has a higher priority level.
In order to change rules for a group of applications, for example, if you want that low restricted
programs would have unrestricted rights to the network activity within the local networks,
perform the following actions:
1. In the right part of the settings window of the Firewall component in the Network rules
section click the Settings button.
5 Applications of that group are allowed to perform any network activity in non-interactive mode. If you are using
the interactive mode, a notification will be displayed on the screen using which you can allow or block a
connection, or create an application rule using the Wizard.
6 Applications of that group are not allowed to perform network activity in non-interactive mode. If you are using
the interactive mode, a notification will be displayed on the screen using which you can allow or block a
connection, or create an application rule using the Wizard.
7 Any network activity is prohibited for the applications of that group.
22 | 3 0

Kaspersky PURE 2.0
2. In the Firewall window go to the Application rules tab.
3. Select the Low restricted group of applications.
4. Click the Edit button.
23 | 3 0

Kaspersky PURE 2.0
5. In the Group rules window go to the Network rules tab and click the Add button.
6. In the Network rule window in the Action section select Allow, and in the Name
section select Any network activity and click the OK button.
24 | 3 0

Kaspersky PURE 2.0
7. In the Network rule window click the OK button.
8. In the Firewall window click the OK button.
9. In the Settings window click the OK button.
Now all applications of the Low Restricted group have unrestricted right to the network
activity.
Changing the rule priority
The priority of a rule is determined by its position on the list of rules. The first rule on the list
has the highest priority. Each packet rule created manually will be added to the end of the list
of packet rules.
Application groups are integrated by the name of the program and rule priority applies to a
definite group only.
Manually created rules for applications have a higher priority, than the rules inherited from the
group.
To change the rule priority, please perform the following actions:
1. In the right part of the settings window of the Firewall component in the Network rules
section click the Settings button.
2. In the Firewall window go to the Application rules tab select the required application.
3. Click the Edit button.
4. The Application rules window opens. Go to the Network rules tab.
5. Select a rule and move it to the required place in the list by clicking the Move up and
Move down button.
25 | 3 0

Kaspersky PURE 2.0
6. In the Application rules window click the OK button.
7. In the Firewall window click the OK button.
8. In the Settings window click the Apply button.
Configuring notifications of changes in the network
Network connection settings can be changed during the work. You can receive notifications of
the following modifications in the settings:
► When network connection is established.
► When the correspondence between MAC address and IP address is changed. The
notification will appear if IP address of a network computer was changed.
► When new MAC address appears. The notification appears if a new computer was
added to the network.
Pay attention, that notifications about changes in the work can be configured only for the
networks with the status Local or Trusted network.
26 | 3 0

Kaspersky PURE 2.0
To enable notification about changes to network connection settings, please perform the
following:
1. In the right part of the Firewall settings window in the Networks section select an active
connection and click the Edit button.
2. In the Network connection window go to the Additional tab.
3. Check the boxes next to the events whose notifications you want to receive.
27 | 3 0

Kaspersky PURE 2.0
4. In the Network connection window click the OK button.
5. In the Settings window click the Apply button.
Advanced Firewall settings
You can specify additional settings of the Firewall operation:
► Allow active FTP mode. Active mode suggests that to ensure connection between
the server on the client computer a port to which the server will connect will be
opened on the client computer (unlike the passive mode when the client connects to
the server). The mode allows to control which exactly port will be opened. The
mechanism works even if a blocking rule was created. By default, active FTP mode
is allowed.
► Block connections if there is no possibility to prompt for action (application
interface is not loaded). This setting allows to avoid disruption of the Firewall
operation when the interface of Kaspersky PURE is not loaded. This is the default
action.
► Do not disable Firewall until the system totally stops. This setting allows to avoid
disruption of the Firewall operation until the system is completely stopped. This is
the default action.
By default all settings are enabled.
To modify advanced Firewall settings, please perform the following:
1. In the right part of the Firewall settings window in the Network rules section click the
Settings button.
28 | 3 0

Kaspersky PURE 2.0
2. In the Firewall window go to the Packet rules tab and click the Additional button.
29 | 3 0

Kaspersky PURE 2.0
3. In the Additional window check or uncheck the boxes next to the required settings and
click the OK button.
4. In the Firewall window click the OK button.
5. In the Settings window click the Apply button.
Firewall working features
When working with the Firewall component you should remember about the following
peculiarities:
► Firewall rules do not influence Network Attack Blocker;
For the zone Local network ICMP packages are always allowed.
30 | 3 0