Re: Windows TCP/IP Filtering
From: Phillip Windell (_at_.)
Date: Fri, 30 Apr 2004 11:15:54 -0500
Filters are not the way to go (as you are seeing). Besides that, I don't
believe the Window's normal TCP/IP Filters are "statefull" and therefore
can't adjust for the "random client ports". The way to go is to not run
any services on the machine that you don't want accessed. On multihomed
machines you can "unbind" certain services from NICs you don't want them
available on while leaving them bound on the desired NIC(s). If there is
nothing listening on a certain port, then nothing can connect to that port,
so the isn't any point in blocking what isn't there anyway.
Besides, after you have allowed everything you need to do what you implied
you wish to do, then there isn't any protection left anyway because you have
opened up everything that is normally used as the attack vector to start
with. So the answer isn't blocking ports, the answer is correctly and
securely configured "services" and "applications".
-- Phillip Windell [MCP, MVP, CCNA] www.wandtv.com "Wicked" <firstname.lastname@example.org> wrote in message news:91025682-528F-4348-AFC3-7D6ABDCA3F3D@microsoft.com... > Okay, this is killing me. I'm trying to filter out ports using Windows TCP/IP filtering on Windows 2000. I'm only allowing ports 443, 25, 53, 1433, 1434, and 3389. This allows me to server an ssl website, email, dns, sql server, and remote desktop. The problem is, now that I've filtered these ports, I can't resolve any domain names. This mean I can't get my Windows Updates and I can't send any email. I know that dns information is sent out on port 53 if your the dns server and I know that the client gets that information on a random port >1023. My question is how do I configure TCP/IP filtering to handle that? Ho wcan I get my domain resolutions back? Any help would be immensely greatful.