Limiting Internet access with traffic rules

Access to Internet services from the local network can be limited in several ways. In the following examples, the limitation rules use IP translation. For more information refer to Configuring IP address translation.


Rules mentioned in these examples can be also used if Kerio Control is intended as a neutral router (no address translation) — in the Translation entry there will be no translations defined.

  1. Allow access to selected services only. In the translation rule in the Service entry, specify only those services that are intended to be allowed.

Internet connection sharing — only selected services are available

  1. Limitations sorted by IP addresses. Access to particular services (or access to any Internet service) will be allowed only from selected hosts. In the Source entry define the group of IP addresses from which the Internet will be available. This group must be formerly defined in Definitions > IP Address Groups.

Only selected IP address group(s) is/are allowed to connect to the Internet


This type of rule should be used only for the hosts with static IP addresses.

  1. Limitations sorted by users. Firewall monitors if the connection is from an authenticated host. In accordance with this fact, the traffic is permitted or denied.

Only selected user group(s) is/are allowed to connect to the Internet

  1. Alternatively you can define the rule to allow only authenticated users to access specific services. Any user that has a user account in Kerio Control will be allowed to access the Internet after authenticating to the firewall. Firewall administrators can easily monitor which services and which pages are opened by each user.

Only authenticated users are allowed to connect to the Internet


Usage of user accounts and groups in traffic policy follows specific rules.