Editing Windows firewall ruleset for 2003 Std?

From: Paul (paulo_at_digitalcraftsmen.net)
Date: 08/18/05


Date: 18 Aug 2005 08:41:31 -0700

I have an application that sends HTTP request packets to a Microsoft
loopback adapter on 172.31.1.1 (not 127.0.0.1); the response is then
sent out via the main interface on 172.31.1.2. The application is
actually an external loadbalancer doing low level MAC re-writing and
needing the answering machine to accept the IP address of 172.31.1.1.

This works perfectly until I turn on the Windows firewall. I've
configured both the loopback and external interface to accept
connections on port 80 and can connect and get responses from both
ports on the command line. I found and used the Microsoft netsh tool to
turn on logging for the firewall and found that the response packets
are being dropped on their way back out to the calling IP. So the
loopback is still receiving them and IIS is dealing with them and
sending them out through the external interface. The firewall is then
dropping them, I assume for spoofing.

The message in the firewall log is

DROP TCP 172.31.1.1 123.123.123.123 80 dest etc

So I think the firewall is dropping the outbound packets because they
are pretending to originate from the loopback IP but coming from the
external interface.

My question is how do I set the firewall to allow outbound packets on
the external interface but from the IP of the loopback. The critical
thing is that I can't add the loopback IP to the external interface
because I need it to not respond to ARP requests while the main IP
should respond to ARP requests. The only way I know of to do this is to
have them on different interfaces.

thanks in advance

Paul

--
PrintWhatYouThink - Slogan tshirts for the individual
http://www.printwhatyouthink.co.uk/
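
One way to confirm from the firewall log that the dropped packets are the replies sourced from the loopback address, as an added example that is not part of the original post. The log text is constructed in the `#Fields` layout that pfirewall.log uses, with the addresses from the post; the function names are hypothetical.

```python
from collections import Counter

# Constructed sample log (not from the post); addresses follow the post's description.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2005-08-18 08:29:50 OPEN UDP 172.31.1.2 10.0.0.53 1030 53 - - - - - - - -
2005-08-18 08:30:01 DROP TCP 172.31.1.1 123.123.123.123 80 40001 1500 A 100 200 65535 - - -
2005-08-18 08:30:02 DROP TCP 172.31.1.1 123.123.123.123 80 40002 1500 A 300 400 65535 - - -
2005-08-18 08:30:05 DROP UDP 10.9.9.9 172.31.1.2 5353 137 78 - - - - - - -
"""


def parse(text):
    """Return one dict per log entry, keyed by the names in the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def response_drops(rows, vip, port="80"):
    """DROP entries whose source is the virtual IP's service port.

    These are replies blocked on the way out, as opposed to unrelated
    inbound traffic that the firewall is expected to drop.
    """
    return [r for r in rows
            if r["action"] == "DROP"
            and r["src-ip"] == vip
            and r["src-port"] == port]


def summarise(rows, vip):
    """Count blocked replies per client address."""
    return Counter(r["dst-ip"] for r in response_drops(rows, vip))


if __name__ == "__main__":
    for client, n in summarise(parse(SAMPLE_LOG), "172.31.1.1").items():
        print(f"{n} replies from 172.31.1.1:80 to {client} dropped")
```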

