FIREWALL Settings

Thread starter: Bucrepus

I have a 2003 svr with 2 NICs, NAT on the public interface (172.18.6.0) to a
gateway (and other machines). Private interface (192.168.0.0). Everything
works fine, I have internet access and can browse to the other workstations
on that NIC interface from the 192.168.0.0 network machines. I need to stop
the ability to contact the 172.18.6.0 machines but still allow WWW traffic.
I blocked 137,138,139,445 on the 172.18.6.0 INBOUND FILTER and that works,
except they can manually type the IP address of the 172 machine and it still
contacts it; it just blocks contact by name? How to fix? I still need them
to be able to access files on the RRAS server, just not through the 172
network. Thanks..
BUC
 
Just unbind Microsoft Networking and File/Print Sharing on the 172.18.6.x
interface. The only binding should be TCP/IP, nothing else. The Packet
Filters probably won't mean much, but you can use them if you want. The
172.18.x.x address block is also a non-routable private address block (not
accessible from the internet) so there is obviously some kind of
"firewall/NAT" device between it and the Internet anyway, so to a certain
extent you are worried for nothing anyway.
 
Thanks for the response but that didn't work. I am trying to let the
clients off the 192 NIC access the internet and browse the Win2003 svr
shares ONLY. I don't want them to be able to get out the 172 NIC on the W2k3
svr to other machines on the 172 network, just get internet access through
the 172 network where the def gateway is 172.18.6.1. I unbound the
FILE/PRINT and CLIENT FOR MS but they were still able to access a machine
with IP address 172.18.6.4 on the 172 network. Any ideas? The public NAT
interface is on the w2k3 svr with NICs 172.18.6.50 and private NIC
192.168.0.50. Essentially the 192 network is a bunch of 'alien' machines that
can read its local w2k3 server shares and get Internet, but can't get onto
the 172 network to other workstations or servers on that address.
Thanks
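The filter behaviour described in the two posts above, as an added example that is not part of the thread: a small Python model of RRAS-style per-interface packet filters, comparing a destination-port list (assumed here to be what the poster put on the 172 interface's INBOUND list) with a subnet filter on the private 192 interface. It shows that an inbound port list on the 172 NIC never sees the outgoing request, only the reply whose destination port is the client's ephemeral port, whereas a filter keyed on destination network 172.18.6.0/24 drops LAN-to-172 traffic while leaving Internet-bound packets (public destination address, 172.18.6.1 only the next hop) untouched. The packets and addresses are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    """One RRAS-style filter entry; a field left as None means 'any'."""
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.src_net is None or ip_address(p.src) in ip_network(self.src_net))
                and (self.dst_net is None or ip_address(p.dst) in ip_network(self.dst_net))
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))

def dropped(rules, p: Packet) -> bool:
    """'Drop all packets that match the criteria below' list semantics."""
    return any(r.matches(p) for r in rules)

# Assumed reconstruction of the poster's filter: destination ports 137-139/445
# on the 172 interface's INBOUND list (packets received on that NIC).
PORT_FILTER = [Rule(proto="tcp", dport=port) for port in (137, 138, 139, 445)]
# Alternative: INBOUND list on the private 192 interface, dropping anything
# whose destination address is a 172.18.6.0/24 host. Internet-bound packets
# carry a public destination address, so they are not matched.
SUBNET_FILTER = [Rule(src_net="192.168.0.0/24", dst_net="172.18.6.0/24")]

# Constructed sample traffic: the SMB reply the 172 NIC actually receives
# (NAT has rewritten the destination), and two packets arriving on the 192 NIC.
SMB_REPLY = Packet("172.18.6.4", "172.18.6.50", "tcp", 445, 50123)
TO_172_HOST = Packet("192.168.0.10", "172.18.6.4", "tcp", 50123, 445)
TO_INTERNET = Packet("192.168.0.10", "203.0.113.7", "tcp", 50124, 80)

def evaluate():
    return {
        "port_filter_drops_reply": dropped(PORT_FILTER, SMB_REPLY),
        "subnet_filter_drops_172_host": dropped(SUBNET_FILTER, TO_172_HOST),
        "subnet_filter_drops_internet": dropped(SUBNET_FILTER, TO_INTERNET),
    }
```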

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Define "access" in your context. Being able to ping a machine is not
"access". I can ping most of my internet provider's equipment from where I
sit, but that doesn't mean I have access to them. According to your
description, the users have to get out the 172 interface to get to the
Internet, it's just that simple. "Access" is controlled by the OS's NTFS
File System Permissions and other "access" is controlled by whatever
individual service they attempt to connect to, for example, access to a
website is controlled by the web service (plus NTFS Permissions), and SQL
database access is controlled by the SQL Service.

The point is that there is a lot more to this than just playing with NICs,
packet filters, and IP#s.
 