Re: TCP/IP Packet Filtering
From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 07/04/04
- Next message: GiGi: "sharing files through security"
- Previous message: harry: "Re: Can't access W2K shares after approx 24 hours"
- In reply to: Steven L Umbach: "Re: TCP/IP Packet Filtering"
- Next in thread: Jim Bohan: "Re: TCP/IP Packet Filtering"
- Reply: Jim Bohan: "Re: TCP/IP Packet Filtering"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 04 Jul 2004 09:01:31 -0400
Yep, possibly this will promote learning anyway.
--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

Steven L Umbach wrote:
> So sorry Joe! [Steve hangs his head in shame] I guess the Holiday spirit overcame
> me. Hopefully he still has learned.--- Steve
>
> "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
> news:%23glnm9VYEHA.3536@TK2MSFTNGP11.phx.gbl...
>
>>Steve! I was walking him through the figure it out learning process man! Now you
>>gave him the fish.
>>
>>Oh well.
>>
>> joe
>>
>>--
>>Joe Richards Microsoft MVP Windows Server Directory Services
>>www.joeware.net
>>
>>Steven L Umbach wrote:
>>
>>>First when you are using dns to resolve an internet name you are using port 53 udp
>>>"outbound" - not inbound. IP udp filtering is useless for using dns as you need to
>>>configure the policy to allow the above 1024 ports for return traffic from the
>>>external dns server to your computer which is not practical. For whatever reason IP
>>>filtering on tcp knows when inbound traffic is from a response you initiated but it
>>>does NOT for udp. I suggest that you leave just port 80 in your list for tcp and then
>>>disable udp filtering and create an ipsec filtering policy instead through Local
>>>Security Policy. Start with a mirrored block all IP policy for udp. Then add a
>>>mirrored rule that permits traffic from your IP to any IP from any port to port 53
>>>udp and you should be all set. By the way, opening port 139 tcp is a HUGE risk if you
>>>have file and print sharing enabled on any computer. Ipsec policies take effect
>>>almost immediately after being assigned or unassigned and do not require a
>>>reboot. --- Steve
>>>
>>>http://www.securityfocus.com/infocus/1559 --- about ipsec policies
>>>
>>>"Jim Bohan" <Thread7@hotmail.com> wrote in message
>>>news:49c7cba4.0407021328.24267d96@posting.google.com...
>>>
>>>>I am trying to set up a cheap firewall on my web server which is a
>>>>win2k server machine. All I need to do is use IIS on port 80 and do
>>>>basic web surfing with IE6. So I used the TCP/IP Packet filtering
>>>>feature to PERMIT ONLY ports 80 and 53 (DNS) in both TCP and UDP.
>>>>After rebooting, I can serve up web pages via IIS but I can't surf via
>>>>IE6. I've done extensive research on this and looked up common port
>>>>defs and added PERMITS on ports 139, 137, 161, and 520. And added
>>>>PERMITS on IP Protocols 1 to 5, but still no luck.
>>>>
>>>>I tried the exact same thing on a whole different network that happens
>>>>to be behind a cable/DSL router. The funny thing about that is I can
>>>>use ie6 to connect to a web server behind the router, but can't surf
>>>>on the general internet.
>>>>
>>>>Any suggestions?
>>>>
>>>>Thanks,
>>>>
>>>>Thread7
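The IPsec policy Steve describes in the quoted reply (a mirrored block of all UDP, then a mirrored permit from this host to any address, any source port, destination port 53/udp, with plain TCP/IP filtering left to handle port 80 tcp) written out as a script. This is an added example, not code from anyone in the thread. It assumes the `netsh ipsec static` context, which ships with Windows XP and Server 2003 and later; on the original poster's Windows 2000 box the same policy is built by hand in the Local Security Policy snap-in, as the reply says. All policy, filter list, filter action and rule names are chosen here and have no special meaning.

```powershell
# Added example (not from the thread): Steve's "block all UDP except outbound DNS"
# IPsec policy, built with netsh on XP/2003 or later. Names are arbitrary.

# 1. A new, unassigned policy to hold the rules.
netsh ipsec static add policy name=UdpLockdown description="Block UDP except outbound DNS"

# 2. Filter list: all UDP between this host ("me") and anywhere. mirrored=yes
#    makes the filter match the reverse direction as well, so inbound UDP is
#    covered without a second filter.
netsh ipsec static add filterlist name=AllUdp
netsh ipsec static add filter filterlist=AllUdp srcaddr=me dstaddr=any protocol=UDP mirrored=yes

# 3. Filter list: DNS queries from any local port (srcport=0 means any) to
#    port 53/udp. Mirrored, so the reply from port 53 back to that ephemeral
#    port matches too; this is the state that plain UDP port filtering lacks.
netsh ipsec static add filterlist name=DnsOut
netsh ipsec static add filter filterlist=DnsOut srcaddr=me dstaddr=any protocol=UDP srcport=0 dstport=53 mirrored=yes

# 4. Filter actions: one that drops, one that passes traffic in the clear.
netsh ipsec static add filteraction name=BlockIt action=block
netsh ipsec static add filteraction name=PermitIt action=permit

# 5. Rules tying lists to actions. IPsec applies the most specific matching
#    filter, so the port-53 permit wins over the general UDP block.
netsh ipsec static add rule name=BlockAllUdp policy=UdpLockdown filterlist=AllUdp filteraction=BlockIt
netsh ipsec static add rule name=PermitDnsOut policy=UdpLockdown filterlist=DnsOut filteraction=PermitIt

# 6. Assign the policy. It takes effect almost immediately, no reboot needed;
#    assign=n rolls it back just as quickly if name resolution breaks.
netsh ipsec static set policy name=UdpLockdown assign=y

# 7. Confirm what is active before walking away from the console.
netsh ipsec static show policy name=UdpLockdown level=verbose
```

If the resolver addresses are fixed, replacing `dstaddr=any` in the DnsOut filter with the actual DNS server IP tightens the permit further; keep `mirrored=yes` on it, since without the mirror the response from port 53 is caught by the block rule and lookups silently time out.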