Richard's Firewall Rule Set - getting it to work (0/1)

I use Kerio 2.1.5 Firewall and I'm having some difficulty getting Richard Jones' rule set to work properly.

I'm attaching some JPGs of rule sets so far.

My ISP uses dynamic DNS for broadband ADSL.

The following are mock-ups of screen prints.

pointing the browser to http://10.1.1.0/ gets to the speedstream 4200

Speedstream Router Management Interface

Speedstream Optusnet Broadband System Summary System Type: SpeedStream 4200-Series

[ianSnip] [ian also snipping MAC addresses]

Point to Point Connection Summary: PPPoE 8/35 58.107.93.177 AccConn: rdl21.ba

Current Log Entries

0000-00-00 00:00:01 E |System |Current Mode: Bridge-Router
0000-00-00 00:00:01 E |CWMP |CWMP agent cannot reach the ACS named formatting link Trying again in 10 seconds
0000-00-00 00:00:01 E |DSL |Boost DSP
0000-00-00 00:00:01 E |DSL |DataPump Version - 04.02.01.00
0000-00-00 00:00:02 E |DSL |State: WAITING
0000-00-00 00:00:03 E |USB |Link Up
0000-00-00 00:00:03 E |DHCP Server |Address 10.1.1.3 given out to 00:13:a3:61:60:f5
0000-00-00 00:00:03 E |DHCP Server |1 Address(es) leased
0000-00-00 00:00:08 E |DSL |State: INITIALIZING
0000-00-00 00:00:18 E |DHCP Server |Address 10.1.1.3 given out to 00:13:a3:61:60:f5
0000-00-00 00:00:18 E |DHCP Server |1 Address(es) leased
0000-00-00 00:00:25 E |DSL |State: WAITING
0000-00-00 00:00:31 E |DSL |State: INITIALIZING
0000-00-00 00:00:33 E |DHCP Server |Address 10.1.1.3 given out to 00:13:a3:61:60:f5
0000-00-00 00:00:33 E |DHCP Server |1 Address(es) leased
0000-00-00 00:00:37 E |DSL |State: WAITING
0000-00-00 00:00:43 E |DSL |State: INITIALIZING
0000-00-00 00:00:48 E |DHCP Server |Address 10.1.1.3 given out to 00:13:a3:61:60:f5
0000-00-00 00:00:48 E |DHCP Server |1 Address(es) leased
0000-00-00 00:00:56 E |DSL |HYBRID 1
0000-00-00 00:00:56 E |DSL |Link up 1 US 759 DS 1434 (INTL:ADSL2)
0000-00-00 00:00:56 E |PPPoE |oe00: tx PADI, id: 0000, ac: (NULL), sn: (NULL), MAC: [ianSnip]
0000-00-00 00:00:56 E |PPPoE |Sending PADT/LCP Terminate for Session ID = F8BD
0000-00-00 00:00:56 E |PPPoE |oe00: rx AC Name: rdl21.ba
0000-00-00 00:00:56 E |PPPoE |oe00: tx PADR, id: 0000, ac: (NULL), sn: (NULL), MAC: [ianSnip]
0000-00-00 00:00:56 E |PPPoE |oe00: rx PADS id: F921 MAC [ianSnip]
0000-00-00 00:00:59 E |PPP |LCP neg PAP
0000-00-00 00:00:59 E |PPP |LCP up
0000-00-00 00:00:59 E |PPP |IPCP nak option: 3
0000-00-00 00:00:59 E |PPP |IPCP nak option: 129
0000-00-00 00:00:59 E |PPP |IPCP nak option: 131
0000-00-00 00:00:59 E |PPP |IPCP up ip: 58.107.93.177, gw: 198.142.130.18
0000-00-00 00:00:59 E |PPP |IPCP dns: 211.29.132.12, 198.142.0.51
0000-00-00 00:01:04 E |DHCP Server |Address 10.1.1.3 given out to 00:13:a3:61:60:f5
0000-00-00 00:01:04 E |DHCP Server |1 Address(es) leased
0000-00-00 00:01:05 E |DHCP Server |Address 58.107.93.177 given out to 00:13:a3:61:60:f5
0000-00-00 00:01:05 E |DHCP Server |0 Address(es) leased
0000-00-00 00:01:21 E |CWMP |CWMP agent cannot reach the ACS named formatting link Trying again in 1 minute
0000-00-00 00:02:05 E |DHCP Server |Address 58.107.93.177 given out to 00:13:a3:61:60:f5
0000-00-00 00:02:05 E |DHCP Server |0 Address(es) leased
0000-00-00 00:03:05 E |DHCP Server |Address 58.107.93.177 given out to 00:13:a3:61:60:f5
0000-00-00 00:03:05 E |DHCP Server |0 Address(es) leased
0000-00-00 00:04:04 E |DHCP Server |Address 58.107.93.177 given out to 00:13:a3:61:60:f5
0000-00-00 00:04:04 E |DHCP Server |0 Address(es) leased
0000-00-00 00:05:04 E |DHCP Server |Address 58.107.93.177 given out to 00:13:a3:61:60:f5
0000-00-00 00:05:04 E |DHCP Server |0 Address(es) leased
0000-00-00 00:06:04 E |DHCP Server |Address 58.107.93.177 given out to 00:13:a3:61:60:f5
0000-00-00 00:06:04 E |DHCP Server |0 Address(es) leased
0000-00-00 00:07:04 E |DHCP Server |Address 58.107.93.177 given out to 00:13:a3:61:60:f5
0000-00-00 00:07:04 E |DHCP Server |0 Address(es) leased
0000-00-00 00:08:04 E |DHCP Server |Address 58.107.93.177 given out to 00:13:a3:61:60:f5
0000-00-00 00:08:04 E |DHCP Server |0 Address(es) leased
0000-00-00 00:09:04 E |DHCP Server |Address 58.107.93.177 given out to 00:13:a3:61:60:f5
0000-00-00 00:09:04 E |DHCP Server |0 Address(es) leased
0000-00-00 00:10:03 E |DHCP Server |Address 58.107.93.177 given out to 00:13:a3:61:60:f5
0000-00-00 00:10:03 E |DHCP Server |0 Address(es) leased
0000-00-00 00:11:03 E |DHCP Server |Address 58.107.93.177 given out to 00:13:a3:61:60:f5
0000-00-00 00:11:03 E |DHCP Server |0 Address(es) leased
0000-00-00 00:12:03 E |DHCP Server |Address 58.107.93.177 given out to 00:13:a3:61:60:f5
0000-00-00 00:12:03 E |DHCP Server |0 Address(es) leased
0000-00-00 00:13:03 E |DHCP Server |Address 58.107.93.177 given out to 00:13:a3:61:60:f5
0000-00-00 00:13:03 E |DHCP Server |0 Address(es) leased
0000-00-00 00:14:02 E |DHCP Server |Address 58.107.93.177 given out to 00:13:a3:61:60:f5
0000-00-00 00:14:02 E |DHCP Server |0 Address(es) leased
0000-00-00 00:15:02 E |DHCP Server |Address 58.107.93.177 given out to 00:13:a3:61:60:f5
0000-00-00 00:15:02 E |DHCP Server |0 Address(es) leased
0000-00-00 00:16:02 E |DHCP Server |Address 58.107.93.177 given out to 00:13:a3:61:60:f5
0000-00-00 00:16:02 E |DHCP Server |0 Address(es) leased
0000-00-00 00:17:03 E |DHCP Server |Address 58.107.93.177 given out to 00:13:a3:61:60:f5
0000-00-00 00:17:03 E |DHCP Server |0 Address(es) leased
0000-00-00 00:18:03 E |DHCP Server |Address 58.107.93.177 given out to 00:13:a3:61:60:f5
0000-00-00 00:18:03 E |DHCP Server |0 Address(es) leased
0000-00-00 00:19:03 E |DHCP Server |Address 58.107.93.177 given out to 00:13:a3:61:60:f5
0000-00-00 00:19:03 E |DHCP Server |0 Address(es) leased
0000-00-00 00:20:03 E |DHCP Server |Address 58.107.93.177 given out to 00:13:a3:61:60:f5
0000-00-00 00:20:03 E |DHCP Server |0 Address(es) leased
0000-00-00 00:21:01 E |DHCP Server |Address 58.107.93.177 given out to 00:13:a3:61:60:f5
0000-00-00 00:21:01 E |DHCP Server |0 Address(es) leased
0000-00-00 00:22:02 E |DHCP Server |Address 58.107.93.177 given out to 00:13:a3:61:60:f5
0000-00-00 00:22:02 E |DHCP Server |0 Address(es) leased
0000-00-00 00:23:02 E |DHCP Server |Address 58.107.93.177 given out to 00:13:a3:61:60:f5
0000-00-00 00:23:02 E |DHCP Server |0 Address(es) leased
0000-00-00 00:24:02 E |DHCP Server |Address 58.107.93.177 given out to 00:13:a3:61:60:f5
0000-00-00 00:24:02 E |DHCP Server |0 Address(es) leased
0000-00-00 00:25:01 E |DHCP Server |Address 58.107.93.177 given out to 00:13:a3:61:60:f5
0000-00-00 00:25:01 E |DHCP Server |0 Address(es) leased
0000-00-00 00:26:01 E |DHCP Server |Address 58.107.93.177 given out to 00:13:a3:61:60:f5
[ianSnip similar lines]

Log Display Options Display All Log Entries System Firewall ADS Network ATM DSL Ethernet USB Firmware Config DHCP Server DHCP Client PPP PPPoE UPnP Diags NAT Owner DDNS Client User Content Filter ARP Telnet Admin Time Client CWMP Agent Internet Gateway Device

Routes

Current Routing Table

Destination      Netmask          Gateway          Flags  Metric  Interface
127.0.0.0        255.0.0.0        127.0.0.1               1       lo0
10.1.1.0         255.255.255.0    10.1.1.1                1       LAN
Default Gateway                   198.142.130.18          5       PPPoE 8/35
58.107.93.177    255.255.255.255  58.107.93.177           1       LAN

Flags legend: (R)ip route, (S)tatic

SETUP | ppp

ISP Password

Setup for PPPoE 8/35 Access Concentrator: rdl21.ba Username: ... me ... Password: Access Concentrator (Optional) Service Name (Optional) [ian checked ] Auto-Connect on Disconnect Use Idle Timeout 0 Minutes

Mode

Mode Selection Select the operation mode: [ian radio button checked] Optus Bridge [ian radio button NOT checked] NAPT [ian radio button NOT checked] Full Bridge Remote Access

Remote Management Access

Username: Password: Application Port HTTP FTP Telnet Allow access for 20 minutes

User Profiles

Profile Wizard Current Profiles

# Profile IP Address Actions

0 1 2 3 4 5 Force all users to be identified before surfing

WAN interface

WAN Interface Configuration Wizard Current Configuration

# VC Type Name Actions

0 8/35 PPPoE PPPoE 8/35 Disable Delete button button 1 2 3 4 5 6 7 *Checked interface is the default WAN interface

Host

Host Configuration

IP Address: 10.1.1.1 IP Netmask: 255.255.255.0

Default Gateway: or [ ticked ] Use WAN

Host Name: [ian set to Optusnet ]

DHCP

DHCP Configuration

DHCP Server: [ian radio button checked ] "Enable" [ian radio button NOT checked ] "Disable" [ian radio button NOT checked ] DHCP Relay Relay IP: ian grayed 0.0.0.0

Client IP Address: 10.1.1.3

IP Netmask: [ian 255.255.255.0 ]

Default Gateway: [ian 10.1.1.1] or [radio button NOT checked] [Self]

DNS Server: Primary [ian blank] or [radio button CHECKED] [Self]

DNS Server: Secondary [ian blank ] (Optional)

Domain Name: [ ian it's set to "domain.invalid" without quotes]

Lease Time (mins): [ian 1] Requires a specified DNS, or [radio button NOT checked] "Infinite time"

Time Client

Configure Time Zone

Enable Time Client: [ ian radio button Not Checked ] "No" [ ian radio button CHECKED] "Yes"

Primary Server: [ ian time.optusnet.com.au ]

Secondary Server: [ian pool.ntp.org ] (Optional)

Select Time Zone: [ian is 0] (minutes from UTC) [ian note: this is why DNS shows the ISP is located in Sydney]

Static Route Configuration

Currently Configured Static Routes
# Destination Net Mask Next Hop Interface Edit Delete
Static Route list is empty.

Add Route
Destination Net Mask Next Hop Interface [ian ---- select --- with a drop down arrow]

FIREWALL [ian 7 of these]

Firewall Level Configuration

Current Firewall level: [ian set to "Low"]

Select Firewall Level: [ian drop arrow but currently set to off]

Firewall Snooze Control

Current Snooze interval: [ian set "Off"]

[radio button ian NOT CHECKED] Disable Snooze
[radio button ian NOT CHECKED] Enable Snooze, and set the Snooze time interval to: (minutes)
[radio button ian NOT CHECKED] Reset the Snooze time interval to: (minutes)

DMZ

Firewall DMZ Configuration
Current DMZ Status: Enabled
Current DMZ Host IP Address: 58.107.93.177
[ian this radio button is CHECKED] Disable DMZ
[radio button ian NOT CHECKED] Enable DMZ with this Host IP address: [ian 58.107.93.177]
[radio button ian NOT CHECKED] Enable DMZ with this Host IP address [with a drop down button "Select Host"] ["refresh" button]
[radio button ian NOT CHECKED] Make Settings Permanent
[radio button ian CHECKED] Make Settings Last Until Modem Reboots
[radio button ian NOT CHECKED] Make Settings Last For: [ian 60] minutes

["Apply" button] ["Reset" button]

Filter Rules

Firewall IP Filter Configuration Wizard

Inbound IP Filter Rules
Rule No.  Protocol  Destination Interface  Destination Address  Enable/Disable  Delete
122       GRE       any WAN Interface      any                  Protected       Protected
124       50        any WAN Interface      any                  Protected       Protected

Outbound IP Filter Rules
Rule No.  Protocol  Source Interface       Source Address       Enable/Disable  Delete
120       any       any WAN Interface      any                  Protected       Protected

[ian then buttons] "Add New IP Filter Rule" "Clone IP Filter Level" "Delete All"

Log

Firewall Log [ian shows "No Events."]

ADS

Firewall Attack Detection System Configuration

Enable Attack Detection System [ian Checkbox CHECKED]
After enabling the Attack Detection System, select events below to filter and/or log:
[checkbox NOT CHECKED] "Filter All" [checkbox NOT CHECKED] "Log All"

All of the following items have both the "Filter" AND "Log" check boxes checked:
Same Source and Destination Address
Broadcast Source Address
LAN Source Address On WAN
Invalid IP Packet Fragment
TCP NULL
TCP FIN
TCP Xmas
Fragmented TCP Packet
Fragmented TCP Header
Fragmented UDP Header
Fragmented ICMP Header
Inconsistent UDP/IP header lengths
Inconsistent IP header lengths
["apply" button]

********** end of Firewall options ******************

UPNP

UPnP Configuration

[ian radio button NOT CHECKED] Disable UPnP
[ian radio button NOT CHECKED] Enable Discovery and Advertisement only (SSDP)
[ian radio button CHECKED!!!] Enable full Internet Gateway Device (IGD) support
Options:
[ian checkbox NOT CHECKED] Enable access logging
[ian checkbox NOT CHECKED] Read-only mode

RIP

RIP Configuration

Interface            RIP Version (Disabled / 1 / 2 / 1&2)   Active   Mode (Multicast)
Local Area Network   [x] [ian radio button checked]
PPPoE 8/35           [x] [ian radio button checked]

[ian radio buttons under RIP Active Mode & Multicast NOT checked] "apply" and "reset" buttons

Server Ports

SpeedStream Gateway Server Ports

Application Port HTTP 80 FTP 21 Telnet 23

"apply" and "reset" buttons

Dynamic DNS

Set Up Dynamic DNS

Dynamic DNS Client [radio button ian CHECKED ] Disable [radio button ian Not checked ] Enable

Service Username: [ ian blank ] Service Password: [ ian blank ] Host Name 1: [ ian blank ] Host Name 2: [ ian blank ] (Optional)

"apply" and "reset" buttons

***************** end of the mock-up screen prints. ******
Ian Cowan
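The "Current Log Entries" dump above was pasted as one run-together line, which makes it hard to see what the modem actually did: the DSL line retrained several times, the PPP session came up with the public address 58.107.93.177, and the modem's DHCP server then handed that same public address (rather than 10.1.1.3) to the LAN host's MAC, which is what "Optus Bridge" mode does. The parser below is an added example for this thread, not code from the post or from the modem vendor; it assumes only the record layout visible in the dump ("<date> <time> E |<category> |<message>", records separated by spaces) and uses a shortened excerpt of the post's log as constructed sample input. It also flags any lease of a non-private address to a LAN client, because that is the point at which the PC is on the Internet with no NAT in front of it and the host firewall (Kerio here) is doing all the work.

```python
"""Parse a SpeedStream 4200 'Current Log Entries' dump that was pasted as
one run-together line, then summarise the DHCP, DSL and PPP events in it.

Added example for this thread; not code from the original post or from the
modem vendor. Assumed record layout (the one visible in the post):
"<date> <time> E |<category> |<message>", records concatenated with spaces.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Every record starts with a (zeroed) date and a time, followed by " E |".
RECORD_START = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} E \|"
RECORD_RE = re.compile(
    rf"(?P<ts>\d{{4}}-\d{{2}}-\d{{2}} \d{{2}}:\d{{2}}:\d{{2}}) E \|"
    rf"(?P<cat>[^|]*?)\s*\|(?P<msg>.*?)(?=\s*{RECORD_START}|\s*$)",
    re.DOTALL,
)
LEASE_RE = re.compile(r"Address (\S+) given out to (\S+)")
IPCP_RE = re.compile(r"IPCP up ip: (\S+), gw: (\S+)")

# Constructed sample: a shortened excerpt in the shape of the log in the post.
SAMPLE_LOG = (
    "0000-00-00 00:00:01 E |System |Current Mode: Bridge-Router "
    "0000-00-00 00:00:02 E |DSL |State: WAITING "
    "0000-00-00 00:00:03 E |DHCP Server |Address 10.1.1.3 given out to 00:13:a3:61:60:f5 "
    "0000-00-00 00:00:03 E |DHCP Server |1 Address(es) leased "
    "0000-00-00 00:00:08 E |DSL |State: INITIALIZING "
    "0000-00-00 00:00:56 E |DSL |Link up 1 US 759 DS 1434 (INTL:ADSL2) "
    "0000-00-00 00:00:56 E |PPPoE |oe00: rx AC Name: rdl21.ba "
    "0000-00-00 00:00:59 E |PPP |IPCP up ip: 58.107.93.177, gw: 198.142.130.18 "
    "0000-00-00 00:01:05 E |DHCP Server |Address 58.107.93.177 given out to 00:13:a3:61:60:f5 "
    "0000-00-00 00:01:05 E |DHCP Server |0 Address(es) leased"
)


def parse_log(text):
    """Split a run-together dump into (timestamp, category, message) tuples."""
    return [(m["ts"], m["cat"].strip(), m["msg"].strip())
            for m in RECORD_RE.finditer(text)]


def summarise(records):
    """Roll the records up into the facts a troubleshooter actually wants."""
    summary = {
        "by_category": Counter(cat for _, cat, _ in records),
        "dsl_states": [],              # (ts, state) for each DSL state change
        "leases": defaultdict(list),   # client MAC -> list of (ts, address)
        "ppp": None,                   # (wan_ip, gateway) once IPCP comes up
        "public_leases": [],           # (ts, address, mac) where address is not private
    }
    for ts, cat, msg in records:
        if cat == "DSL" and msg.startswith("State: "):
            summary["dsl_states"].append((ts, msg[len("State: "):]))
        elif cat == "DHCP Server":
            m = LEASE_RE.search(msg)
            if m:
                addr, mac = m.groups()
                summary["leases"][mac].append((ts, addr))
                # In bridge mode the modem hands the ISP-assigned address straight
                # to the LAN host, so that host is reachable from the Internet with
                # no NAT in front of it and the host firewall carries the whole load.
                if ipaddress.ip_address(addr).is_global:
                    summary["public_leases"].append((ts, addr, mac))
        elif cat == "PPP":
            m = IPCP_RE.search(msg)
            if m:
                summary["ppp"] = m.groups()
    return summary


if __name__ == "__main__":
    s = summarise(parse_log(SAMPLE_LOG))
    print("records per category:", dict(s["by_category"]))
    print("DSL states:", s["dsl_states"])
    print("PPP (ip, gw):", s["ppp"])
    for mac, leases in s["leases"].items():
        print("leases for", mac, ":", leases)
    for ts, addr, mac in s["public_leases"]:
        print(f"{ts}: public address {addr} handed to LAN client {mac} (no NAT in front of it)")
```

Feed it the full dump (read from a file, or pasted in as one string) and the "public_leases" list tells you at what time the PC stopped being 10.1.1.3 and started answering directly on the ISP-assigned address; from then on every inbound rule in the PC's own firewall is the only thing between the Internet and the machine, which is worth keeping in mind when reading the DMZ and UPnP screens above.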
