TCP/IP Filtering

From: dave kleiman (dave@netmedic.net)
Date: 10/22/02


From: "dave kleiman" <dave@netmedic.net>
Date: Mon, 21 Oct 2002 18:21:20 -0700


I have discovered (not sure if that is the right word) an
interesting thing in reference to using TCP/IP Filtering
on a W2000 client.

I was attempting to set up my home system using the built-in
TCP/IP Filtering. I allowed only ports 25 Mail, 53
DNS, 67 & 68 DHCP, and 80 & 443 Internet.

Well, I found out that DNS returns to a client on a port
>1024. So I picked the first 3 unassigned ports above 1024.
Well, that worked until the third time I opened a
web browser (no DNS resolution). I looked with NETSTAT -na
and found that it was now trying to use a port higher than
the 3 I selected. I opened up 10 more >1024 ports. Well,
that worked till about the 7th time I opened the web
browser.

I checked again; it was now trying to use higher ports.
Well, I continued this, watching NETSTAT show that each
subsequent DNS request went up the >1024 ladder.
The thing I could not figure out was how to reset/release
the previously used ports.

I waited for 24 hours, thinking it was a timeout issue,
and tried again: it went up to the next (not yet used) port
>1024. I tried disabling and re-enabling the interface,
ipconfig /renew and /flushdns, but it still knew to go up
past the last >1024 port used.

Rebooting the machine was the only way to start over. Of
course examining again yielded the same results.
Do you know a way to flush out the system to release or
reuse those same ports without rebooting?

Thanks,

Dave
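The behaviour Dave describes follows from two things: Windows 2000's TCP/IP Filtering is a stateless allow-list that matches only on the destination port of inbound packets (it has no notion of "this is the reply to a query I sent"), and the stack hands out ephemeral source ports sequentially from 1025 upward, bounded by the MaxUserPort registry value (default 5000). Every fresh resolver query therefore lands on the next unused port, and a DNS reply to a port that is not on the list is silently dropped. The script below is an added example, not part of the original post or any Microsoft tool: it parses a constructed `netstat -na` sample, picks out the ephemeral UDP ports the lookups used, reports which replies the allow-list would discard, models the sequential allocator to predict the next port, and counts how many lookups a given allow-list survives. The sequential-allocation model and the 1025 to MaxUserPort range are the assumptions it rests on.

```python
"""Model the interaction between Windows 2000 'TCP/IP Filtering' (a stateless
per-destination-port allow-list) and the ephemeral ports the stack hands to
the DNS resolver.  Added example, not from the original post or from Microsoft.

Assumptions:
  * Ephemeral ports are allocated sequentially from 1025 up to the
    MaxUserPort registry value (default 5000), then wrap around.
  * A UDP reply from port 53 passes the filter only if its destination
    (the client's ephemeral port) is on the allow-list.
  * NETSTAT_SAMPLE is constructed to resemble `netstat -na` on the client.
"""
import re

EPHEMERAL_MIN = 1025
# HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort (default)
MAX_USER_PORT_DEFAULT = 5000

# Constructed sample: the client after four browser-triggered DNS lookups.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1031      203.0.113.20:80        ESTABLISHED
  UDP    0.0.0.0:68             *:*
  UDP    192.168.1.10:1025      *:*
  UDP    192.168.1.10:1026      *:*
  UDP    192.168.1.10:1027      *:*
  UDP    192.168.1.10:1028      *:*
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return (proto, local_ip, local_port, foreign, state) for each socket line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, ip, port, foreign, state = m.groups()
            entries.append((proto, ip, int(port), foreign, state or ""))
    return entries


def ephemeral_ports(entries, proto="UDP", max_port=MAX_USER_PORT_DEFAULT):
    """Local ports in the ephemeral range for one protocol.  Unconnected UDP
    sockets show '*:*' as the foreign address, so netstat alone cannot prove
    they belong to the resolver; in the post's scenario they are the lookups."""
    return sorted(p for pr, _ip, p, _f, _s in entries
                  if pr == proto and EPHEMERAL_MIN <= p <= max_port)


def dropped_replies(allowed, used_ports):
    """Ephemeral ports whose DNS replies the stateless filter would discard."""
    return sorted(p for p in used_ports if p not in allowed)


def next_ephemeral(used_ports, max_port=MAX_USER_PORT_DEFAULT):
    """Simplified model of the W2000 allocator (assumption): the port after the
    highest one handed out so far, wrapping to EPHEMERAL_MIN only past max_port.
    This is why each lookup climbs the >1024 ladder and why a reboot (or hitting
    MaxUserPort) is what starts it over."""
    candidate = max(used_ports) + 1 if used_ports else EPHEMERAL_MIN
    for _ in range(max_port - EPHEMERAL_MIN + 1):
        if candidate > max_port:
            candidate = EPHEMERAL_MIN
        if candidate not in used_ports:
            return candidate
        candidate += 1
    raise RuntimeError("ephemeral range exhausted")


def lookups_before_failure(allowed, max_port=MAX_USER_PORT_DEFAULT):
    """How many fresh lookups after a reboot succeed before the allocator steps
    outside the allow-list; None when the list covers the whole range."""
    for count, port in enumerate(range(EPHEMERAL_MIN, max_port + 1)):
        if port not in allowed:
            return count
    return None


def main():
    # The post's first configuration: service ports plus three ephemeral ports.
    allowed = {25, 53, 67, 68, 80, 443, 1025, 1026, 1027}
    used = ephemeral_ports(parse_netstat(NETSTAT_SAMPLE))
    print("ephemeral UDP ports in use:", used)
    print("replies the filter drops  :", dropped_replies(allowed, used))
    print("next port the stack picks :", next_ephemeral(set(used)))
    print("lookups before failure    :", lookups_before_failure(allowed))
    # Covering the whole ephemeral range is the only allow-list that holds.
    whole_range = allowed | set(range(EPHEMERAL_MIN, MAX_USER_PORT_DEFAULT + 1))
    print("with 1025-5000 allowed    :", lookups_before_failure(whole_range))


if __name__ == "__main__":
    main()
```

Run as written, the "lookups before failure" figure for the author's three-port list is 3, matching the post's third-browser-launch failure; the later "about the 7th time" with ten more ports fits the same model once other sockets (the browser's own TCP connections, for instance) consume ports from the same ladder. The practical conclusion is that a destination-port-only filter has to admit the entire 1025 to MaxUserPort range for UDP, which is most of what it was meant to block; a filter that can match on source port 53 (an IPsec filter list on Windows 2000, or any stateful firewall) avoids the problem without opening thousands of ports.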
