Re: RPC server is unavaible
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Tue, 16 Jan 2007 23:58:32 -0600
"HawleyBeach" <HawleyBeach@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C7DEF857-D34C-4D85-97E8-F0CE2756B3D8@xxxxxxxxxxxxxxxx
> Hi Martin,
> Just by accident, I thought opening firewall to let access to external DNS
> servers (not too bad huh ;-) )
> I have found this web site http://support.microsoft.com/kb/179442 on how to
> configure a firewall for DC. But I am not sure how to fit in port, UDP, TCP
> to zonealarm trust setting? On the ZoneAlarm, I can add trust by IP / Subnet /
> IP range / Host as shown but they don't seem to fit in with UDP / TCP etc:
> http://i132.photobucket.com/albums/q11/plee61/ZoneAlarm.jpg
If you look around (I haven't used ZA in years) you will find there
are more advanced settings for the individual protocols/ports/services
(all mean pretty much the same thing in THIS context) as well as general
settings for trusting an ENTIRE address or range.
Let's say you had a server on the Internet that did JUST Web services
using default settings and NO SSL (https).
It would ONLY need to accept connections on port TCP 80 (default for
HTTP) but it would need to trust the ENTIRE world (or most of it
anyway) on that port.
Were you to add a trust range for all machines the firewall would then be
useless, but if you only opened TCP Port 80 it would still let web services
be used (by everyone) but nothing else.
More complicated schemes might require you to open RDP from a (small)
range of machines so you could use Remote Desktop or Terminal Services
to admin this box. You wouldn't want to let just anyone (try to) connect to
your Remote Desktop but you would need to make an exception for your
own range of machines.
Make sense?
You can filter (firewall is a form of filtering) on Source and Destination
Ports for both TCP & UDP, as well as Source and Destination addresses,
(or combos of both) with more decent firewall software including ZA.
Some filtering schemes let you filter on other things (like other protocols
ICMP, or even data in the packets) but that isn't the issue here.
TCP and UDP both use ports to represent particular services -- typically
only ONE web service can "listen" on "Port 80".
The analogy is this:
Your IP is like a (large) company main switchboard phone number, and the
Port is like the EXTENSION within that company's phone system.
So to contact a unique service ANYWHERE on the Internet you must
know the IP Address (already unique to the machine) and the Port
number (unique to A SERVICE on that machine.)
It is slightly complicated by the distinction that UDP has ports and TCP
has ports and these are technically unrelated -- even though a few
services like DNS use both and typically use the same number for
both TCP and UDP even though they are distinct.
So to be accurate:
To contact a unique service ANYWHERE on the Internet you must
know the IP Address (already unique to the machine) and the Protocol
and Port number (unique to A SERVICE on that machine.)
Default ports however are built into the various networking clients which
then expect "their" services to run on those ports; this prevents ordinary
users from generally having to deal with port issues.
You've probably seen a URL like this:
http://www.domain.com:8000
...that is a web service (PROBABLY) that is running on the NON-default
port of 8000 so someone (user, link etc) must tell the web client to
contact the server on that port instead of port 80.
--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
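
The filtering model described in the reply above, as an added example that is not part of the original post and is not ZoneAlarm's own rule format: rules match on protocol, destination port and source range, anything unmatched is denied, and a blanket address trust is shown defeating the filter. The rule set, the `Rule` class and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    protocol: Optional[str]  # "tcp" or "udp"; None = any protocol (address trust)
    port: Optional[int]      # destination port; None = any port (address trust)
    source: str              # CIDR range that is allowed to connect

    def matches(self, protocol: str, port: int, src_ip: str) -> bool:
        in_range = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source)
        proto_ok = self.protocol is None or self.protocol == protocol.lower()
        port_ok = self.port is None or self.port == port
        return in_range and proto_ok and port_ok


# Constructed rule set for a server like the one in the reply.
RULES = [
    Rule("tcp", 80, "0.0.0.0/0"),         # web: whole world, but only TCP 80
    Rule("tcp", 3389, "203.0.113.0/24"),  # RDP: only the (assumed) admin range
    Rule("udp", 53, "0.0.0.0/0"),         # DNS over UDP; TCP 53 is a separate port
]

# "Trust the ENTIRE range on everything": what a blanket address trust amounts to.
TRUST_ALL = Rule(None, None, "0.0.0.0/0")


def allowed(protocol: str, port: int, src_ip: str, rules=RULES) -> bool:
    """Default deny: a connection passes only if some rule matches it."""
    return any(r.matches(protocol, port, src_ip) for r in rules)


if __name__ == "__main__":
    stranger, admin = "198.51.100.7", "203.0.113.25"  # constructed addresses
    checks = [
        ("tcp", 80, stranger),    # anyone may reach the web service
        ("tcp", 3389, stranger),  # RDP from outside the admin range
        ("tcp", 3389, admin),     # RDP from the admin range
        ("udp", 53, stranger),    # UDP 53 is open ...
        ("tcp", 53, stranger),    # ... TCP 53 is not, despite the same number
    ]
    for proto, port, src in checks:
        verdict = "allow" if allowed(proto, port, src) else "deny"
        print(f"{proto.upper():3} {port:>5} from {src:<14} -> {verdict}")
    # With a blanket trust rule added, the RDP restriction no longer matters.
    print("with trust-all:", allowed("tcp", 3389, stranger, RULES + [TRUST_ALL]))
```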