Re: Win2K, IPsec, and allowing outbound HTTP/FTP traffic

From: Steven L Umbach (sumbach_at_ameritech.net)
Date: 08/06/03

Date: Wed, 06 Aug 2003 18:51:01 GMT

Hi Jeri. I have set up several IPsec filter policies that worked. I always
used one mirrored default block rule: source address - any, destination
address - my address, source port - any, destination port - any, protocol -
any, filter action - block. I would then create specific exemption rules for
the allowed inbound and outbound traffic. You will have to have two separate
mirrored rules for port 80 - one for inbound to your web server and one
outbound to Internet web servers if you want to access the Internet from it.
A mirrored inbound port 80 rule alone would not allow you to access the Internet;
it just allows your web server to connect to Internet clients on their above-1024
ports to establish the connection from its port 80. You also need to
add UDP for port 53 DNS. TCP port 53 is usually for zone transfers. Ping is
ICMP. You may also want to add port 443 for HTTPS if you plan on using it
for secure web sites. IPsec rules do not work like ordinary firewall rules.
A specific rule is supposed to override any general rules. --- Steve

"Jeri Morris" <jerimorris2000@yahoo.com> wrote in message
news:0df901c35c3d$2a28c020$a601280a@phx.gbl...
> Just tried that, and my Win2K box still isn't able to
> initiate outbound traffic.
>
> I disabled the All Inbound rule temporarily, and *was*
> able to initiate outbound traffic, so even though that
> rule is specific to inbound traffic, it seems to be what's
> causing the problem. It's set up as follows:
>
> Source address: Any IP Address
> Destination address: My IP Address
> Mirrored: No (changing to Yes doesn't make a difference)
> Protocol type: Any
>
> I added the following filters to my All Outbound rule to
> no avail:
>
> Filter Action: Permit
> Source: My IP address
> Destination: Any IP address
> Mirrored: Yes
>
> Protocol Type: TCP / Source port: Any / Destination port: 80
> Protocol Type: TCP / Source port: Any / Destination port: 53
> Protocol Type: TCP / Source port: Any / Destination port: 7 (ping)
> Protocol Type: TCP / Source port: Any / Destination port: Any
> Protocol Type: Any
>
> This should more than allow any outbound traffic, but I
> still can't get from my Win2K box to the outside world
> through HTTP or even Ping.
>
> I can't help but think that it's something stupid. Any
> suggestions for things (even stupid things) to look for?
>
> Jeri Morris jerimorris2000@yahoo.com
>
> >-----Original Message-----
> >Hi Jeri. At first glance it looks like the all outbound rule would permit that,
> >but apparently the block all inbound is countering it for the return connection
> >ports. I would try to add specific rules for the outbound ports you want and
> >mirror them. For instance: source address - my address, destination address -
> >any [or specific list], source port - any, destination port - 80, protocol -
> >tcp. You may also need to add dns port 53 outbound for internet access,
> >depending on your dns setup. -- Steve
> >
> >"Jeri Morris" <jerimorris2000@yahoo.com> wrote in message
> >news:008701c35b68$9aeac770$a301280a@phx.gbl...
> >> I have a Windows 2000 server that's used only as a web/ftp
> >> server, and is otherwise accessible only through Terminal
> >> Services. It's not used as a file or print server.
> >>
> >> I have IPsec set up as follows:
> >>
> >> Permit:
> >>
> >> (All of the following are mirrored, matching packets with
> >> the exact opposite source and destination addresses.)
> >> - HTTP (TCP and UDP port 80)
> >> - Terminal Services (TCP port 3389 and RDP)
> >> - FTP (TCP ports 20 and 21)
> >>
> >> Permit:
> >>
> >> - All outbound traffic (also mirrored)
> >>
> >> Block:
> >>
> >> - All inbound traffic (not mirrored)
> >>
> >> This allows the server to handle all incoming HTTP and FTP
> >> traffic and blocks all other inbound traffic. However,
> >> unfortunately, it also blocks outbound HTTP and FTP
> >> requests. I can't use a browser (e.g., for Windows Update)
> >> or FTP to get from my server to anything else.
> >>
> >> Any suggestions on what I need to do to enable outbound
> >> HTTP and FTP?
> >>
> >> Thanks very much.
> >>
> >> Jeri Morris jerimorris2000@yahoo.com