Re: Windows TCP/IP Filtering

From: Phillip Windell (_at_.)
Date: 04/30/04


Date: Fri, 30 Apr 2004 11:15:54 -0500

Filters are not the way to go (as you are seeing). Besides that, I don't
believe Windows' normal TCP/IP Filters are "stateful" and therefore
can't adjust for the "random client ports". The way to go is to not run
any services on the machine that you don't want accessed. On multihomed
machines you can "unbind" certain services from NICs you don't want them
available on while leaving them bound on the desired NIC(s). If there is
nothing listening on a certain port, then nothing can connect to that port,
so there isn't any point in blocking what isn't there anyway.

Besides, after you have allowed everything you need to do what you implied
you wish to do, then there isn't any protection left anyway because you have
opened up everything that is normally used as the attack vector to start
with. So the answer isn't blocking ports, the answer is correctly and
securely configured "services" and "applications".

-- 
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
"Wicked" <anonymous@discussions.microsoft.com> wrote in message
news:91025682-528F-4348-AFC3-7D6ABDCA3F3D@microsoft.com...
> Okay, this is killing me. I'm trying to filter out ports using Windows
> TCP/IP filtering on Windows 2000. I'm only allowing ports 443, 25, 53, 1433,
> 1434, and 3389. This allows me to serve an ssl website, email, dns, sql
> server, and remote desktop. The problem is, now that I've filtered these
> ports, I can't resolve any domain names. This means I can't get my Windows
> Updates and I can't send any email. I know that dns information is sent out
> on port 53 if you're the dns server and I know that the client gets that
> information on a random port >1023. My question is how do I configure TCP/IP
> filtering to handle that? How can I get my domain resolutions back? Any help
> would be immensely grateful.
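The failure described in this thread, as an added illustration that is not part of the original posts: a stateless inbound allow-list (the Windows 2000 TCP/IP Filtering model, judging each inbound packet only by its destination port) drops the DNS reply that comes back to the client's ephemeral port, while a filter that remembers outbound flows lets the same reply through. Addresses, the 49152 client port and the `Packet`/`StatefulFilter` names are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    inbound: bool   # True when the packet arrives at the filtered host

HOST = "192.0.2.10"           # constructed address for the filtered server
RESOLVER = "192.0.2.53"       # constructed address of the upstream DNS server
ALLOWED_PORTS = {443, 25, 53, 1433, 1434, 3389}   # the poster's allow-list

def stateless_allows(pkt: Packet) -> bool:
    """Stateless model: outbound is always permitted, inbound only if the
    destination port is on the allow-list. Nothing ties a reply to its request."""
    if not pkt.inbound:
        return True
    return pkt.dst_port in ALLOWED_PORTS

class StatefulFilter:
    """Stateful model: outbound packets register a flow; an inbound packet that
    is the exact reverse of a registered flow is a reply and is admitted."""
    def __init__(self, allowed_ports):
        self.allowed = set(allowed_ports)
        self.flows = set()

    def allows(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return reverse in self.flows or pkt.dst_port in self.allowed

def dns_lookup_exchange(client_port: int = 49152):
    """A client-side lookup: query out from an ephemeral port, reply back to it."""
    query = Packet("udp", HOST, client_port, RESOLVER, 53, inbound=False)
    reply = Packet("udp", RESOLVER, 53, HOST, client_port, inbound=True)
    return query, reply

def lookup_works_stateless() -> bool:
    query, reply = dns_lookup_exchange()
    return stateless_allows(query) and stateless_allows(reply)

def lookup_works_stateful() -> bool:
    f = StatefulFilter(ALLOWED_PORTS)
    query, reply = dns_lookup_exchange()
    return f.allows(query) and f.allows(reply)
```

Inbound queries to the host's own port 53 still pass under both models; only the client role breaks, which is why the poster can serve DNS but not resolve names.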

