How to use Windows 2k tcp/ip filter?

aceO07

Diamond Member
Nov 6, 2000
How would I set up TCP/IP Filtering on Windows 2K as an effective firewall. This is a server machine that runs FTP, Web Server, and Citrix.

What ports and options would I need to set? Is there a way to see what ports a service is using? Unfortunately I only know a few ports that I need to open up, so I need to figure out what other ports need to be open..
 
Jan 31, 2002
Effective firewall + Windows = *implosion*

Is using a second piece of hardware (SoHo router, BSD/Nix box) an option?

- M4H
 

n0cmonkey

Elite Member
Jun 10, 2001
Are you planning on it being a gateway firewall?

netstat can help you figure out which ports are in use, and something like fport can help you figure out what is on those ports.
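As an added illustration of that netstat suggestion (not code from the thread), this script pulls the LISTENING TCP ports out of `netstat -an` output and reports the ones a "block all TCP, permit only 21 and 80" policy would cut off; the netstat text below is a constructed sample, not a capture from the poster's server.

```python
"""Find listening TCP ports in Windows `netstat -an` output and compare
them with the ports you already plan to permit through the filter."""
import re

# Constructed sample of `netstat -an` output for a Win2K box running
# FTP, a web server and Citrix. Not captured from any real machine.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1494           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        10.0.0.5:3456          ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

# One netstat row in LISTENING state: protocol, local addr:port, foreign, state.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.M)


def listening_tcp_ports(netstat_output):
    """Return the sorted, de-duplicated local TCP ports that are LISTENING."""
    return sorted({int(port) for _addr, port in LISTEN_RE.findall(netstat_output)})


def unaccounted_ports(netstat_output, permitted):
    """Listening ports that a 'block all TCP, permit these' policy would block.

    Each of these is a service that will stop answering once the filter is
    on, so it is a candidate either for a permit rule or for being shut off.
    """
    allowed = set(permitted)
    return [p for p in listening_tcp_ports(netstat_output) if p not in allowed]


if __name__ == "__main__":
    for port in unaccounted_ports(SAMPLE_NETSTAT, permitted={21, 80}):
        print("listening on TCP %d but not in the permit list" % port)
```

netstat only gives the port; mapping a port back to the owning process is what fport (mentioned above) adds on Win2K.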
 

aceO07

Diamond Member
Nov 6, 2000
I'm sure there are other options, however for right now I want to get it up and running with some sort of firewall. I was using ZoneAlarm before and it's not fully compatible with Win2K Server. It was causing problems, so I uninstalled it and the network isn't freezing anymore. BUT, I don't have a firewall anymore.

It's not a gateway. Just a webserver. I want to control what's getting into the computer. Since I uninstalled ZoneAlarm, there's nothing really doing any blocking. I want to piece together a firewall for at least today, until next week.

Win2k IpSec is what I'm looking at now. I've set it to block all TCP and only permit ports 80, 21. However, then I can't do any browsing on that computer. So, I'm trying to figure out what needs to be unblocked.

Thanks for the suggestion about the fport. It seems like it could help.
 

n0cmonkey

Elite Member
Jun 10, 2001
Interesting, I don't think IPSEC really does firewalling. You might want to try something like Kerio. It's another software firewall product, and I think it offers better/more options than ZA.
 

aceO07

Diamond Member
Nov 6, 2000
I'm doing reading from this website. http://homepages.wmich.edu/~mchugha/w2kfirewall.htm

That leads me to believe that it is a firewall. I have it set up now and I've blocked ALL TCP ports. By enabling and disabling port 21, I tested by accessing the FTP server. It does seem to work. However, it takes a while to set up.

I still can't web browse on that computer, but other functions seem to be working.
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: aceO07
I'm doing reading from this website. http://homepages.wmich.edu/~mchugha/w2kfirewall.htm

That leads me to believe that it is a firewall. I have it set up now and I've blocked ALL TCP ports. By enabling and disabling port 21, I tested by accessing the FTP server. It does seem to work. However, it takes a while to set up.

I still can't web browse on that computer, but other functions seem to be working.

Ok, IPSEC usually refers to VPNs, but from looking at a definition of it, it can refer to a number of things.

You can set up a rule (check the "filter properties" screen shot on that page) to allow basic web browsing (although you should not be browsing from a webserver).
Source address: My IP Address
Destination address: Any IP Address
Protocol type: TCP
From any port
To this port: 80

That will allow you to reach any webserver that is running on the standard port.
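To show why the rule above is needed, here is an added, simplified model of how a mirrored Win2K IPSec filter matches a packet (it is illustration code, not Windows' actual filter engine, and the IP addresses and ports are constructed). It checks that a filter permitting traffic to the server's own port 80 does not match the server's outbound browsing, while the "My IP -> Any, TCP, any port -> 80" filter does.

```python
"""Simplified model of mirrored Windows 2000 IPSec filter matching."""
from dataclasses import dataclass
from typing import Optional

MY_IP = "192.168.1.10"  # constructed address standing in for "My IP Address"


@dataclass(frozen=True)
class Filter:
    src: str                  # "My IP Address" or "Any IP Address"
    dst: str
    proto: str                # "TCP" here
    src_port: Optional[int]   # None means "From any port"
    dst_port: Optional[int]   # None means "To any port"
    mirrored: bool = True     # also match the exact reverse direction

    def _addr_ok(self, selector, ip):
        return selector == "Any IP Address" or ip == MY_IP

    def _one_way(self, s_ip, s_port, d_ip, d_port):
        return (self._addr_ok(self.src, s_ip) and self._addr_ok(self.dst, d_ip)
                and (self.src_port is None or self.src_port == s_port)
                and (self.dst_port is None or self.dst_port == d_port))

    def matches(self, proto, s_ip, s_port, d_ip, d_port):
        if proto != self.proto:
            return False
        if self._one_way(s_ip, s_port, d_ip, d_port):
            return True
        # Mirrored filters also cover the reply direction.
        return self.mirrored and self._one_way(d_ip, d_port, s_ip, s_port)


def permitted(filters, pkt):
    """Thread's policy: block all TCP unless some permit filter matches."""
    return any(f.matches(*pkt) for f in filters)


# Constructed packets: a client hitting the web server, and the server's
# own browser opening a connection to a remote web site on port 80.
INBOUND_WEB = ("TCP", "10.0.0.5", 3456, MY_IP, 80)
OUTBOUND_WEB = ("TCP", MY_IP, 1057, "203.0.113.7", 80)

# The permit aceO07 already has: anyone -> the server's port 80.
SERVER_RULE = Filter("Any IP Address", "My IP Address", "TCP", None, 80)
# The rule described above: My IP -> Any, TCP, from any port, to port 80.
BROWSE_RULE = Filter("My IP Address", "Any IP Address", "TCP", None, 80)

if __name__ == "__main__":
    print("server rule lets browsing out?", permitted([SERVER_RULE], OUTBOUND_WEB))
    print("with browse rule added?", permitted([SERVER_RULE, BROWSE_RULE], OUTBOUND_WEB))
```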
 

aceO07

Diamond Member
Nov 6, 2000
Yup, I've set up IpSec to permit TCP port 80, but it still doesn't work. I may have to look at it again.

It seems to be working well except for that. No more unknown errors that were probably from ZoneAlarm. Unfortunately there doesn't seem to be any way of tracking what did get blocked...

edit: It's useful for me to have web access on that computer since sometimes Google is my best resource.
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: aceO07
Yup, I've set up IpSec to permit TCP port 80, but it still doesn't work. I may have to look at it again.

It seems to be working well except for that. No more unknown errors that were probably from ZoneAlarm. Unfortunately there doesn't seem to be any way of tracking what did get blocked...

If the machine is a webserver, then you should allow port 80 requests. If you're browsing from it, you need to be able to access port 80 on other machines (which I described how to do).

I don't know whether IPSEC on Win2k is first match or last match, so I can't help with the next part. Are you sure your rules are ordered correctly?
 

aceO07

Diamond Member
Nov 6, 2000
It doesn't matter that it can't web browse, at least not for now. I'll look into your idea next week. Now it's time for the weekend to start. Thanks. Now I can rest easier... :)
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: aceO07
It doesn't matter that it can't web browse, at least not for now. I'll look into your idea next week. Now it's time for the weekend to start. Thanks. Now I can rest easier... :)

:beer::D