Re: NAT with IP Filters



inline

Phillip Windell wrote:

If the connection is NATed, then you have a firewall already. NAT does not
allow anything inbound, ever, unless you go out of your way to configure a
Static NAT (inbound) connection on purpose. You don't have to actively
"block" what isn't going to happen in the first place. It does not mean
you have disabled the firewall if you aren't filtering specific ports. But
in the outbound direction NAT lets it all flow unless you "overcome" that
with outbound filtering.

I was not clear with what I meant. The NAT server itself runs services
such as IIS and those. I need ports such as 3389 for RDP open since I
have no local KVM. The point is, I would like to block all connections
but those established by clients on the virtual interfaces (there are
more than just that one) and those to specific ports (e.g. 3389, 80,
443).

Of course, I could ensure that no programs are listening on the public
interface, but this is far more tedious than simply telling the routing
service to only allow certain ports to be connected to.

The point is, the "firewall" (inbound filters) of the routing service
is fine except that it doesn't allow outgoing connections via e.g. TCP
from the internal interfaces.

Thanks again!


As far as OpenVPN, never heard of it, have no idea if it is a hardware
device or software or how you deployed it, or even if you deployed it
properly. So I can't really comment on that at this point.

OpenVPN: I have worked with it for quite a while and am sure that it is
configured correctly. I only mentioned it in case.


--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed are my own (as annoying as they are), and not those of
my employer or anyone else associated with me.
-----------------------------------------------------



"Jerome Baum" <gratemyl@xxxxxxxxx> wrote in message
news:1167399034.934120.186350@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi!

I have a dedicated server on which I cannot install a custom firewall
(dedicated server, no KVM) and the Windows Firewall is disabled when
Routing and Remote Access is enabled.

So I use inbound filters instead of a firewall. But I have an interface
(OpenVPN) which is NAT'd. Those connected to this interface need access
to the Internet.

I have found that creating a rule to allow "Any" traffic (practically
disabling the firewall) will grant access to this interface.

I have a rule to allow all "TCP [established]" traffic, so I don't see
why I have to disable the entire firewall for that interface to gain
outward TCP access. I have no Outbound filters on the external
interface and no filters at all on the mentioned internal interface.

I would be thankful for any help!

-jerome


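The thread hinges on an inbound filter set of the form "allow TCP [established], allow TCP to 80/443/3389, deny the rest". The following added example (not code from the post, from Phillip or from Microsoft) models how such a rule set decides on individual TCP segments when the "established" rule is stateless, i.e. it simply checks whether the ACK or RST flag is set. That stateless semantics is how "established" filters are conventionally defined and is assumed here for RRAS as well; the public address 203.0.113.10, the port choices and every packet below are constructed test data. The example does not diagnose why the NAT clients' return traffic was blocked in the original setup, but it does show the caveat a practitioner should keep in mind: a stateless "established" rule admits any ACK-flagged segment to any port, solicited or not.

```python
"""
Stateless "TCP [established]"-style inbound filter, modelled on the
RRAS inbound filter set described in the thread.  Constructed example,
not code from the original post or from Microsoft.

Assumption (labelled): an "established" filter is stateless and matches
any TCP segment with the ACK or RST flag set, regardless of whether the
host ever saw the matching SYN.  The public IP 203.0.113.10 and all
packets below are constructed test data.
"""
import struct
from dataclasses import dataclass

# TCP flag bits as laid out in the low byte of header bytes 12-13
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

PUBLIC_IP = "203.0.113.10"            # constructed public interface address
ALLOWED_INBOUND_PORTS = {80, 443, 3389}  # services hosted on the NAT box


@dataclass
class Segment:
    dst_ip: str
    src_port: int
    dst_port: int
    flags: int


def parse_tcp_header(dst_ip: str, hdr: bytes) -> Segment:
    """Parse the fixed 20-byte TCP header; only the fields the filter needs."""
    if len(hdr) < 20:
        raise ValueError("truncated TCP header")
    src_port, dst_port = struct.unpack("!HH", hdr[:4])
    data_offset_flags = struct.unpack("!H", hdr[12:14])[0]
    flags = data_offset_flags & 0x01FF      # low 9 bits carry the flags
    return Segment(dst_ip, src_port, dst_port, flags)


def inbound_filter(seg: Segment) -> str:
    """
    Mirror the rule set from the thread on the public interface:
      1. allow TCP [established]   (stateless: ACK or RST set)
      2. allow TCP to 80/443/3389  (published services on the public IP)
      3. deny everything else
    Returns "allow" or "deny".
    """
    if seg.flags & (ACK | RST):
        return "allow"            # rule 1: "established"
    if seg.dst_ip == PUBLIC_IP and seg.dst_port in ALLOWED_INBOUND_PORTS:
        return "allow"            # rule 2: published services
    return "deny"                 # rule 3: default deny


def make_tcp(src_port: int, dst_port: int, flags: int) -> bytes:
    """Build a minimal 20-byte TCP header with the given flags (constructed)."""
    data_offset = 5 << 12         # 5 x 32-bit words, no options
    return struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0,
                       data_offset | flags, 65535, 0, 0)


def evaluate_scenarios() -> dict:
    """Run four constructed segments through the filter and return verdicts."""
    cases = {
        # a new RDP connection to the NAT box itself: rule 2
        "rdp_syn_to_public": make_tcp(51000, 3389, SYN),
        # a new connection to a port that is not published: rule 3
        "ssh_syn_to_public": make_tcp(51001, 22, SYN),
        # the server's SYN/ACK coming back for a NAT client's web request: rule 1
        "synack_reply_for_nat_client": make_tcp(443, 40000, SYN | ACK),
        # an unsolicited ACK to an unpublished port: still passes rule 1 (caveat)
        "unsolicited_ack_to_port_22": make_tcp(51002, 22, ACK),
    }
    return {name: inbound_filter(parse_tcp_header(PUBLIC_IP, hdr))
            for name, hdr in cases.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_scenarios().items():
        print(f"{name:32s} -> {verdict}")
```

The last scenario is the point to take away: because the rule only looks at flag bits, an attacker's ACK-flagged probe to port 22 is "allowed" exactly like a legitimate reply to a NAT client. A stateless "established" rule therefore keeps unsolicited SYNs out but is no substitute for stateful tracking, and any service listening on the public interface should still be assumed reachable by non-SYN traffic.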
