Re: ICF problems with Win2003

From: S. Pidgorny (
Date: 11/22/03

    Date: Sat, 22 Nov 2003 10:16:07 +1100


    It's interesting to know why your ISP reckons you need another firewall.
    Have they actually proven that your Netgear has a vulnerability that opens
    your network to attack, or they just know your requirements better than you?

    Anyway, you have so many options: you can implement something Linux/BSD
    based on cheap PC hardware - iptables/Netfilter for purists, or
    free/inexpensive stuff like Openwall or Smoothwall; you can use inexpensive
    yet fully featured firewall appliances, or you can install a firewall like
    Microsoft ISA Server on your Windows server. I use the latter, but it's up
    to you to decide. Again, don't take your ISP's word about your Netgear as
    authoritative - ask questions.

    More info in the FAQ:

    Svyatoslav Pidgorny, MVP, MCSE
    -= F1 is the key =-
    "Vincent Haakmat" <> wrote in message
    > Ok... makes sense... We have a firewall from Netgear, but according to my
    > ISP, I need to get a better one. They recommended CISCO, but it is too
    > expensive for  our business (only 50 PCs).
    > Can anyone recommend something better that won't break our wallet?
    > Thanks
    > Vincent
    > "David Wang [Msft]" <> wrote in message
    > news:uY0OHGBsDHA.1196@TK2MSFTNGP12.phx.gbl...
    > > If this server is multi-homed, then just enable ICF on the Public NIC
    > > not on the Private NIC
    > >
    > > If this server has only one NIC and both the server and LAN are not a
    > > firewall from the Router/Gateway, what you are trying to do is pretty
    > > insecure and defeats running a firewall on the server.
    > >
    > > There are two general topologies that you can consider for small-time
    > > servers.
    > > 1. The server is dual-homed (i.e. "Gateway") on the broadband connection and
    > > LAN, with a firewall running either on the server's external NIC or on a
    > > local router-device upstream from the web server
    > > 2. The web server is an internal LAN server, and the Gateway must have logic
    > > to either forward requests based on ports, host header, or IP address to and
    > > from this internal LAN server
    > >
    > > Both topologies allow unrestricted access by your LAN clients to the LAN
    > > server's interface, and highly restricted external access to your
    > > public interface.
    > >
    > > -- 
    > > //David
    > > IIS
    > > This posting is provided "AS IS" with no warranties, and confers no rights.
    > > //
    > > "Vincent Haakmat [393242]" <> wrote in message
    > > news:ewIqSrrrDHA.560@TK2MSFTNGP11.phx.gbl...
    > > I have an Exchange Server 2003 running on my Win2003 server. Because it is
    > > directly connected to the net I wanted to use ICF. But if I do, the
    > > computers on the LAN can't connect to it. Which ports (UDP-IP) do I need to
    > > enable so that they can still access normal file and print services from it?

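The advice in the quoted thread (firewall on the public NIC only, LAN clients keep file and print access) expressed as a Windows Firewall rule set. This is an added example, not code from any poster; it uses the modern NetSecurity cmdlets (Server 2012 and later) rather than the Win2003 ICF GUI, and the interface aliases "LAN"/"Internet" and the subnet 192.168.1.0/24 are constructed placeholders.

```powershell
# Added example (not from the thread). Hardened form of "enable ICF on the Public NIC,
# not the Private NIC": the firewall stays on for every interface, and file/print sharing
# is allowed only from the LAN subnet on the LAN NIC, with an explicit block on the WAN NIC.
# Assumptions: interface aliases "LAN" and "Internet", LAN subnet 192.168.1.0/24 (constructed).
$LanIf     = "LAN"
$WanIf     = "Internet"
$LanSubnet = "192.168.1.0/24"

# Firewall on for all profiles, inbound default = block (the all-or-nothing ICF toggle had
# no per-subnet scoping, which is why the LAN lost access in the original post).
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

# Ports file and print sharing actually uses: SMB 445/tcp, NetBIOS session 139/tcp,
# NetBIOS name/datagram 137-138/udp. Allowed only from the LAN subnet, only on the LAN NIC.
$rules = @(
    @{ Name = "FilePrint SMB (LAN only)";           Protocol = "TCP"; Port = 445 },
    @{ Name = "FilePrint NetBIOS-SSN (LAN only)";   Protocol = "TCP"; Port = 139 },
    @{ Name = "FilePrint NetBIOS-NS/DGM (LAN only)"; Protocol = "UDP"; Port = 137,138 }
)
foreach ($r in $rules) {
    New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
        -Protocol $r.Protocol -LocalPort $r.Port `
        -RemoteAddress $LanSubnet -InterfaceAlias $LanIf -Profile Any
}

# Explicit block on the Internet-facing NIC. Block rules win over allow rules in Windows
# Firewall, so a later, broader "allow" cannot accidentally expose SMB to the public side.
New-NetFirewallRule -DisplayName "Block SMB/NetBIOS TCP from Internet" -Direction Inbound -Action Block `
    -Protocol TCP -LocalPort 139,445 -InterfaceAlias $WanIf -Profile Any
New-NetFirewallRule -DisplayName "Block NetBIOS UDP from Internet" -Direction Inbound -Action Block `
    -Protocol UDP -LocalPort 137,138 -InterfaceAlias $WanIf -Profile Any

# Check: review what was created before trusting it.
Get-NetFirewallRule -DisplayName "FilePrint*","Block*from Internet" |
    Format-Table DisplayName, Enabled, Direction, Action -AutoSize
```

Exchange client traffic (RPC) is a separate rule set and is not covered here; the block only answers the file and print question asked in the thread.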