Re: Windows TCP/IP Filtering

From: Phillip Windell (_at_.)
Date: 04/30/04


Date: Fri, 30 Apr 2004 11:15:54 -0500

Filters are not the way to go (as you are seeing). Besides that, I don't
believe the Windows' normal TCP/IP Filters are "stateful" and therefore
can't adjust for the "random client ports". The way to go is to not run
any services on the machine that you don't want accessed. On multihomed
machines you can "unbind" certain services from NICs you don't want them
available on while leaving them bound on the desired NIC(s). If there is
nothing listening on a certain port, then nothing can connect to that port,
so there isn't any point in blocking what isn't there anyway.

Besides, after you have allowed everything you need to do what you implied
you wish to do, then there isn't any protection left anyway because you have
opened up everything that is normally used as the attack vector to start
with. So the answer isn't blocking ports, the answer is correctly and
securely configured "services" and "applications".

-- 
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
"Wicked" <anonymous@discussions.microsoft.com> wrote in message
news:91025682-528F-4348-AFC3-7D6ABDCA3F3D@microsoft.com...
> Okay, this is killing me. I'm trying to filter out ports using Windows
> TCP/IP filtering on Windows 2000. I'm only allowing ports 443, 25, 53, 1433,
> 1434, and 3389. This allows me to serve an ssl website, email, dns, sql
> server, and remote desktop. The problem is, now that I've filtered these
> ports, I can't resolve any domain names. This means I can't get my Windows
> Updates and I can't send any email. I know that dns information is sent out
> on port 53 if you're the dns server and I know that the client gets that
> information on a random port >1023. My question is how do I configure TCP/IP
> filtering to handle that? How can I get my domain resolutions back? Any help
> would be immensely grateful.
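A worked illustration of the stateful versus stateless distinction Phillip describes, added here as example code that is not part of the original thread. The addresses, ports and packets are constructed; the allowed-port list is the one from the question.

```python
# Added example, not from the original thread: a small model of why a stateless
# port filter like Windows 2000 TCP/IP Filtering breaks DNS resolution, and how a
# stateful filter admits the reply by tracking the outbound query. Addresses,
# ports and packets below are constructed for illustration.
from typing import NamedTuple

class Packet(NamedTuple):
    proto: str       # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    inbound: bool    # True for packets arriving at the server

# The ports the poster allowed. A stateless filter only looks at an inbound
# packet's destination port, so it has no notion of "reply to my own query".
ALLOWED_PORTS = {443, 25, 53, 1433, 1434, 3389}

def stateless_allows(pkt: Packet) -> bool:
    """Stateless rule: outbound always passes, inbound passes only on a listed port."""
    return (not pkt.inbound) or pkt.dst_port in ALLOWED_PORTS

class StatefulFilter:
    """Stateful rule: remember outbound flows and admit their reverse direction."""
    def __init__(self) -> None:
        self.flows: set[tuple] = set()

    def allows(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return reverse in self.flows or pkt.dst_port in ALLOWED_PORTS

# Constructed traffic: the server (192.0.2.10) queries its resolver (198.51.100.53)
# from an ephemeral port above 1023; the answer comes back to that same port.
DNS_QUERY = Packet("udp", "192.0.2.10", 52311, "198.51.100.53", 53, False)
DNS_REPLY = Packet("udp", "198.51.100.53", 53, "192.0.2.10", 52311, True)
# An unsolicited inbound packet to an unlisted port; both filters should drop it.
UNSOLICITED = Packet("tcp", "203.0.113.7", 40000, "192.0.2.10", 135, True)
TRAFFIC = [DNS_QUERY, DNS_REPLY, UNSOLICITED]

def stateless_result() -> list[bool]:
    return [stateless_allows(p) for p in TRAFFIC]

def stateful_result() -> list[bool]:
    f = StatefulFilter()
    return [f.allows(p) for p in TRAFFIC]

if __name__ == "__main__":
    print("stateless:", stateless_result())  # [True, False, False]: reply dropped, lookups fail
    print("stateful: ", stateful_result())   # [True, True, False]: reply admitted, probe still dropped
```

The stateless run shows exactly the symptom in the question: the query leaves, but the answer to the random high port never gets back in.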