Your table is good except for DNS, which uses port 53.

The final table has to look like this (formatted here as a batch using the
netsh command line, for easy updating and reapplying).
Some variables need to be defined at the start of the batch:
        MyIf = the name of your internet connection in rras (as you named it)
        MyIp = your computer's ip
        MyMk = your computer's mask

The symbol '->' is used here to indicate a single-line continuation.
So delete it and the

(Work based on a Microsoft article on filtering/securing servers.)

---------------------------

setlocal
rem no spaces around '=' and no quotes in the value: cmd would otherwise
rem put them into the variable name/value and %MyIf% would not expand
set "MyIf=Internet"
set "MyIp=1.2.3.4"
set "MyMk=255.255.255.255"

  rem drop all packets except for those matching defined input filters
  netsh routing ip set filter name="%MyIf%" filtertype=INPUT action=DROP

  rem Rules for MyIp as an Internet client

  rem enable dns lookup requests from MyIp to Any and responses to MyIp from Any
  netsh routing ip add filter name="%MyIf%" filtertype=INPUT ->
srcaddr=%MyIp% srcmask=%MyMk% dstaddr=0.0.0.0 dstmask=0.0.0.0 ->
proto=UDP srcport=0 dstport=53
  netsh routing ip add filter name="%MyIf%" filtertype=INPUT ->
srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=%MyIp% dstmask=%MyMk% ->
proto=UDP srcport=53 dstport=0

  rem enable dns server referral requests from MyIp to Any and responses to MyIp from Any
  netsh routing ip add filter name="%MyIf%" filtertype=INPUT ->
srcaddr=%MyIp% srcmask=%MyMk% dstaddr=0.0.0.0 dstmask=0.0.0.0 ->
proto=TCP srcport=0 dstport=53
  netsh routing ip add filter name="%MyIf%" filtertype=INPUT ->
srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=%MyIp% dstmask=%MyMk% ->
proto=TCP-EST srcport=53 dstport=0

  rem Rules for MyIp as an Internet server (http, smtp, pop3 and ts)

  rem enable http requests from Any to MyIp
  netsh routing ip add filter name="%MyIf%" filtertype=INPUT ->
srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=%MyIp% dstmask=%MyMk% ->
proto=TCP srcport=0 dstport=80
  netsh routing ip add filter name="%MyIf%" filtertype=INPUT ->
srcaddr=%MyIp% srcmask=%MyMk% dstaddr=0.0.0.0 dstmask=0.0.0.0 ->
proto=TCP-EST srcport=80 dstport=0

  rem enable smtp requests from Any to MyIp
  netsh routing ip add filter name="%MyIf%" filtertype=INPUT ->
srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=%MyIp% dstmask=%MyMk% ->
proto=TCP srcport=0 dstport=25
  netsh routing ip add filter name="%MyIf%" filtertype=INPUT ->
srcaddr=%MyIp% srcmask=%MyMk% dstaddr=0.0.0.0 dstmask=0.0.0.0 ->
proto=TCP-EST srcport=25 dstport=0

  rem enable pop3 requests from Any to MyIp
  netsh routing ip add filter name="%MyIf%" filtertype=INPUT ->
srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=%MyIp% dstmask=%MyMk% ->
proto=TCP srcport=0 dstport=110
  netsh routing ip add filter name="%MyIf%" filtertype=INPUT ->
srcaddr=%MyIp% srcmask=%MyMk% dstaddr=0.0.0.0 dstmask=0.0.0.0 ->
proto=TCP-EST srcport=110 dstport=0

  rem enable terminal server requests from Any to MyIp
  netsh routing ip add filter name="%MyIf%" filtertype=INPUT ->
srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=%MyIp% dstmask=%MyMk% ->
proto=TCP srcport=0 dstport=3389
  netsh routing ip add filter name="%MyIf%" filtertype=INPUT ->
srcaddr=%MyIp% srcmask=%MyMk% dstaddr=0.0.0.0 dstmask=0.0.0.0 ->
proto=TCP-EST srcport=3389 dstport=0

endlocal

---------------------------


Note that the last rule can be more restrictive, as:
  rem enable terminal server requests from A SPECIFIC IP (here say 2.3.4.5) to MyIp
  netsh routing ip add filter name="%MyIf%" filtertype=INPUT ->
srcaddr=2.3.4.5 srcmask=255.255.255.255 dstaddr=%MyIp% dstmask=%MyMk% ->
proto=TCP srcport=0 dstport=3389
  netsh routing ip add filter name="%MyIf%" filtertype=INPUT ->
srcaddr=%MyIp% srcmask=%MyMk% dstaddr=2.3.4.5 dstmask=255.255.255.255 ->
proto=TCP-EST srcport=3389 dstport=0

 to enable only 2.3.4.5/255.255.255.255 to access your server via the terminal server.
Or use more than one similar rule for multiple 'admin ips', which can be
subnets (i.e. one admin at 2.3.4.5/255.255.255.255 and all admins from
3.4.5.0/255.255.255.192, and so on).

Francis
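As an added example (not code from the post, from RRAS or from the xmail project), here is a small Python model of the 'drop all except' INPUT table above, so you can check what verdict a given packet would get before reapplying the batch. The 1.2.3.4 / 2.3.4.5 addresses and the sample packets are constructed, and the 'established' flag stands in for the TCP ACK bit that a TCP-EST filter matches.

```python
"""Offline model of the post's 'drop all except' INPUT filter table (added example)."""
import ipaddress
from collections import namedtuple

MY_IP = "1.2.3.4"                                  # MyIp / MyMk from the post (constructed)
MY = (MY_IP, "255.255.255.255")
ANY = ("0.0.0.0", "0.0.0.0")                       # addr=0.0.0.0 mask=0.0.0.0 in netsh
ADMIN = ("2.3.4.5", "255.255.255.255")             # the single admin ip of the restrictive variant

# One Filter = one 'netsh routing ip add filter' line; port 0 means any port.
Filter = namedtuple("Filter", "src dst proto sport dport")
# A packet seen on the interface; 'established' stands for the TCP ACK bit that TCP-EST matches.
Packet = namedtuple("Packet", "src dst proto sport dport established", defaults=[False])

def service(port, client=ANY):
    """The request/reply pair the post uses for http, smtp, pop3 and ts."""
    return [Filter(client, MY, "TCP", 0, port), Filter(MY, client, "TCP-EST", port, 0)]

TABLE = [Filter(MY, ANY, "UDP", 0, 53), Filter(ANY, MY, "UDP", 53, 0),       # dns lookups
         Filter(MY, ANY, "TCP", 0, 53), Filter(ANY, MY, "TCP-EST", 53, 0)]   # dns referrals
for port in (80, 25, 110):
    TABLE += service(port)
TABLE += service(3389, ADMIN)

def in_net(addr, net):
    base, mask = net                               # same addr/mask form as the netsh arguments
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{base}/{mask}", strict=False)

def matches(f, p):
    proto_ok = f.proto == p.proto or (f.proto == "TCP-EST" and p.proto == "TCP" and p.established)
    return (proto_ok and in_net(p.src, f.src) and in_net(p.dst, f.dst)
            and f.sport in (0, p.sport) and f.dport in (0, p.dport))

def verdict(p, table=TABLE):
    """filtertype=INPUT action=DROP: a packet passes only if some filter matches it."""
    return "ALLOW" if any(matches(f, p) for f in table) else "DROP"

if __name__ == "__main__":                         # constructed sample packets
    for p in (Packet("5.6.7.8", MY_IP, "TCP", 40000, 80),          # http request
              Packet(MY_IP, "5.6.7.8", "TCP", 80, 40000, True),    # http reply, established
              Packet("5.6.7.8", MY_IP, "TCP", 40000, 139),         # netbios session: no rule
              Packet("9.9.9.9", MY_IP, "TCP", 40000, 3389)):       # ts from a non-admin ip
        print(verdict(p), p)
```

Passing `TABLE + service(3389, ("3.4.5.0", "255.255.255.192"))` as the table reproduces the 'several admin subnets' variant described above.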

-----Original Message-----
From: jhon wong [mailto:[EMAIL PROTECTED]
Sent: Saturday, 27 September 2003 04:12
To: [EMAIL PROTECTED]
Subject: [xmail] Re: question about RDNS


Francis,
    Thanks for your guide. I am not familiar with firewall settings.
So I am asking you more questions here. If my server is only used
as a POP3, SMTP, WWW server, and additionally terminal service,
I plan to set up the Input Filter as follows:
    protocol: TCP (destination port: 25,110,80,3389)
                  TCP (established)
                  UDP (source port: 42) for dns

   Is that OK? And NetBIOS will not exist, right?


>
> - option 3 : 'BETTER' solution : install Routing and RAS (included in
> windows 2k server) (minimum the routing part)
> To install routing and ras, launch the 'Routing and Remote access' console
> manager from administrative tools
> Select your server, right click it and select 'install/configure rras'
> Choose 'routing' only
> When it becomes installed and running, in the rras mmc console, go to
> 'General' in 'IP routing', you will see your connections
> Right click the internet connection
> In the 'General' tab you have two buttons : Input filters and Output
> filters
> Select if you want 'allow all except' or 'deny all except' (it is here the
> 'basic' functionality, you just can't mix allow and deny, but if you put
> good rules here, you have a perfect firewall at final setup!!)
>
> Even if I currently have a separate firewall running, I always used this
> feature to protect my exposed w2k systems (do you fully trust your
> firewall ? is your firewall always secure ? or doesn't it have bugs ...)
>
> Francis
>
>



-
To unsubscribe from this list: send the line "unsubscribe xmail" in
the body of a message to [EMAIL PROTECTED]
For general help: send the line "help" in the body of a message to
[EMAIL PROTECTED]