Filter rule for web access


patrick

Greetings! I hope I can get some help on the filter rules.

I have set up a w2k machine as a VPN server. I noticed that if I don't
set any filter rule on the interfaces, everything works fine. However,
if I keep the default rules (i.e., deny all except Protocol 47, TCP
1723, UDP 500, UDP 1701) on the input and output filters, I am not able
to ping or browse the web.

What I have found out is that by allowing UDP 53, I can ping IPs and
URLs. But I am still not able to browse the web. I have tried opening
many different UDP ports without success. I have even opened all the
TCP ports, but as long as I restrict UDP to 500 and 1701, I am not able
to browse the web. Does anyone know which UDP port (or protocol) I need
to allow in order to access the web?

Thanks & Regards,
Patrick
 
To access the web, you need to open TCP port 80 (HTTP), TCP port 443 (HTTPS) and
UDP port 53 (DNS).
 
Hi SAMIRJ,

Thanks for your reply. Opening the TCP ports 80 and 443 helped.
However, I still have to keep all the UDP ports open because if I open
only UDP 500, 1701 and 53, I cannot browse anymore. Any idea why?

Regards,
Patrick
 
When you say "cannot browse" - can you explain more or give an example?
My understanding of web browsing is that you want to use IE and try to access some web
site - like www.microsoft.com. And that should have worked by opening the DNS
and HTTP/HTTPS ports.
Please clarify your setup and your requirement further.
 
Hi SAMIRJ,

Thanks for replying. Yes, by browsing I mean using the web browser to
access web sites. Here are the two scenarios (the one that works and
the one that doesn't):

Scenario 1
---------------
Input and Output Filters set to allow this access. With these
settings, I am able to ping external sites and browse web sites (e.g.,
yahoo.com).

Port 47
TCP 1723
TCP 80
TCP 443
ICMP Any
UDP Any


Scenario 2
---------------
Input and Output Filters set to allow this access. With these
settings, I can neither ping any external site nor browse any web
sites.

Port 47
TCP 1723
TCP 80
TCP 443
ICMP Any
UDP 53
UDP 80
UDP 443

The only difference between Scenario 1 & 2 is that S1 has all UDP ports
opened, while S2 only allows 53, 80, and 443. So, it seems like some
other UDP ports must be opened in addition to 53, 80, and 443.

Best Regards,
Patrick
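As an added illustration (not part of the thread) of why Scenario 1 and Scenario 2 behave differently: if the input/output filters are stateless and each UDP entry matches the destination port (both are assumptions here, not stated in the thread), the Scenario 2 list passes the outgoing DNS query to port 53 but drops the reply, which comes back from source port 53 to the client's ephemeral port. The model below shows that "UDP Any" cures this by admitting every UDP packet, and that a constructed rule admitting only source port 53 cures it without opening all of UDP.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """One allow entry of a deny-all-except filter; None means 'any'."""
    proto: str
    src: Optional[int] = None   # source port constraint
    dst: Optional[int] = None   # destination port constraint

@dataclass(frozen=True)
class Packet:
    proto: str
    src: int
    dst: int

def allowed(rules, pkt):
    """Stateless check: pass if any rule matches every field it constrains."""
    return any(
        r.proto == pkt.proto
        and (r.src is None or r.src == pkt.src)
        and (r.dst is None or r.dst == pkt.dst)
        for r in rules
    )

# Scenario 2's UDP entries, read as destination-port rules (assumption).
SCENARIO_2_UDP = [Rule("udp", dst=53), Rule("udp", dst=80), Rule("udp", dst=443)]
# Scenario 1's "UDP Any".
SCENARIO_1_UDP = [Rule("udp")]
# Narrower alternative constructed for this example (not from the thread):
# keep Scenario 2 and additionally admit packets from source port 53,
# i.e. DNS replies, instead of all UDP.
NARROW_UDP = SCENARIO_2_UDP + [Rule("udp", src=53)]

def dns_exchange(rules, ephemeral=49152):
    """Model one resolver exchange: query from an ephemeral port to 53,
    reply from 53 back to that port. The same list is checked in both
    directions, as the thread applies identical input and output entries.
    Returns (query_passes, reply_passes)."""
    query = Packet("udp", src=ephemeral, dst=53)
    reply = Packet("udp", src=53, dst=ephemeral)
    return allowed(rules, query), allowed(rules, reply)

if __name__ == "__main__":
    for name, rules in [("Scenario 1", SCENARIO_1_UDP),
                        ("Scenario 2", SCENARIO_2_UDP),
                        ("Narrow", NARROW_UDP)]:
        print(name, dns_exchange(rules))
```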
 