Re: TCP/IP Filtering in Windows 2000?

From: Alex Homer (alex@stonebroom.com)
Date: Mon, 27 Jan 2003 20:28:22 -0000

Thanks, I suspected from monitoring the packets that something like this was
the case. ISA and other firewalls open the return port automatically I
assume, and this is why simply specifying the same set of ports in Win2K
TCP/IP Filtering doesn't work.

"Benny Amorsen" <beamo@wmdata.com> wrote in message
news:uGxAYpfxCHA.2680@TK2MSFTNGP09...
> Alex Homer wrote:
>
> > If I set UDP
> > Ports to "Allow only", and then add the same ports as TCP, plus all
> > the others that several people have suggested at various times (69,
> > 139, 520, etc.) then browsing produces "Not found" and ping produces
> > "Server not found". After several attempts over a long period, the
> > results are always as above. It can only be that I need to open
> > another port. But which one?
>
> You need to open all ports above 1023. See, the DNS is
> a packet coming from some port above 1023 on your
> machine and going to port 53 on the DNS server. Then
> the DNS server replies, source port 53 and destination
> port something above 1023. Since the Windows 2000
> port blocking is stateless, this gets blocked.
>
> Since almost all machines need to be DNS clients and
> it is impossible to open ranges of ports, the Windows
> 2000 port blocking is practically useless for UDP.
>
> It is possible to use IP security policies instead.
>
>
> Best regards,
>
> Benny Amorsen
>
>
>
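Benny's point about stateless filtering, as an added example that is not code from the thread: a small model of a Win2K-style "Allow only" port list, which judges an inbound packet by its destination port alone, beside a stateful filter that remembers the outbound query so the reply from port 53 to the ephemeral port can get back in. The addresses, the ephemeral port 1234 and the class names are constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str        # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class StatelessFilter:
    """Models a Win2K-style 'Allow only' list: an inbound packet is judged on its
    destination port alone, and outbound traffic leaves no trace behind."""
    def __init__(self, allowed_udp, allowed_tcp):
        self.allowed = {"udp": set(allowed_udp), "tcp": set(allowed_tcp)}
    def outbound(self, pkt):
        pass  # nothing is remembered, which is the whole problem
    def inbound(self, pkt):
        return pkt.dst_port in self.allowed[pkt.proto]

class StatefulFilter:
    """Models what Alex assumes ISA and similar firewalls do: an outbound packet
    registers a flow, and only the matching reply is let back in."""
    def __init__(self):
        self.flows = set()
    def outbound(self, pkt):
        self.flows.add((pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
    def inbound(self, pkt):
        return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port) in self.flows

# Constructed sample exchange (documentation addresses): the resolver sends from
# an ephemeral port above 1023 to port 53, and the answer comes back reversed.
CLIENT, DNS_SERVER = "192.0.2.10", "198.51.100.53"
QUERY = Packet("udp", CLIENT, 1234, DNS_SERVER, 53)
REPLY = Packet("udp", DNS_SERVER, 53, CLIENT, 1234)

def dns_reply_passes(filt):
    """Send the query out, then ask the filter whether the reply gets in."""
    filt.outbound(QUERY)
    return filt.inbound(REPLY)

def demo():
    only_53 = StatelessFilter(allowed_udp=[53], allowed_tcp=[53])
    # Benny's workaround: every port above 1023 in the list, one entry per port
    high_ports = StatelessFilter(allowed_udp=[53, *range(1024, 65536)], allowed_tcp=[53])
    return {
        "stateless, UDP 53 only": dns_reply_passes(only_53),               # False
        "stateless, UDP 53 plus 1024-65535": dns_reply_passes(high_ports), # True
        "stateful": dns_reply_passes(StatefulFilter()),                    # True
    }
```

The middle case is what "open all ports above 1023" would mean in a dialog that only takes single ports, which is why Benny calls the UDP side practically useless and points at IP security policies instead.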


