TCP/IP filtering certainly has its place, but the following are some limitations.
-- It can only filter inbound traffic.
-- It is almost useless if you need DNS name resolution, as for UDP, IP filtering is
not "stateful" and will not allow the return DNS traffic from an internet DNS server
that was initiated by your computer. Since the return traffic for DNS arrives on a
randomly assigned unprivileged port above 1024, it is impractical to try to add
all those ports to the accepted list.
-- It does not block ICMP, which means you can still be pinged from the internet and
subjected to denial of service attacks.
Another alternative for W2K/XP Pro/W2003 computers is to use an IPsec policy to do
port filtering, created with permit and deny rules. Such an IPsec policy can also
restrict traffic to only authorized outbound traffic. IPsec policies also take effect
almost immediately after being assigned or unassigned, do not require a reboot, and
can be configured via Group Policy. --- Steve
http://www.securityfocus.com/infocus/1559 -- description of ipsec filtering.
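The following is an added example of the permit/deny IPsec filtering policy Steve describes; it is not from the original thread or from the linked article. It uses the built-in `netsh ipsec static` context (XP SP2 and Windows Server 2003; on Windows 2000 the Resource Kit tool ipsecpol.exe covers the same ground with different syntax). The policy name, the DNS server address and the admin subnet are assumptions. Run it from an elevated prompt on the host being locked down.

```powershell
# Added example (not from the original thread): an allow-list-only host filtering policy
# built with netsh ipsec static. Names and addresses below are assumptions.
$Policy    = 'Host Port Filter'
$DnsSrv    = '192.0.2.53'       # assumed internal DNS resolver
$AdminNet  = '198.51.100.0'     # assumed admin subnet allowed to reach RDP
$AdminMask = '255.255.255.0'

# Filter actions: plain permit/block, no IPsec negotiation involved.
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Block"  action=block

# 1) Catch-all: any protocol, any address, both directions (mirrored=yes adds the reverse
#    filter). IPsec applies the MOST SPECIFIC matching filter, so the narrower permits
#    below win over this general block regardless of the order the rules are added in.
netsh ipsec static add filterlist name="All Traffic"
netsh ipsec static add filter filterlist="All Traffic" srcaddr=me dstaddr=any protocol=any mirrored=yes description="catch-all"

# 2) DNS: UDP/TCP 53 to the resolver only. The mirrored half matches the reply
#    (resolver:53 -> me:ephemeral), which is what inbound-only TCP/IP filtering cannot express.
netsh ipsec static add filterlist name="DNS to resolver"
netsh ipsec static add filter filterlist="DNS to resolver" srcaddr=me dstaddr=$DnsSrv protocol=UDP srcport=0 dstport=53 mirrored=yes
netsh ipsec static add filter filterlist="DNS to resolver" srcaddr=me dstaddr=$DnsSrv protocol=TCP srcport=0 dstport=53 mirrored=yes

# 3) Outbound web only (srcport=0 means any source port).
netsh ipsec static add filterlist name="Outbound web"
netsh ipsec static add filter filterlist="Outbound web" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=80  mirrored=yes
netsh ipsec static add filter filterlist="Outbound web" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=443 mirrored=yes

# 4) Inbound RDP, but only from the admin subnet.
netsh ipsec static add filterlist name="Inbound RDP from admins"
netsh ipsec static add filter filterlist="Inbound RDP from admins" srcaddr=$AdminNet srcmask=$AdminMask dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes

# Policy and rules tying filter lists to actions.
netsh ipsec static add policy name="$Policy" description="Allow-list host filtering"
netsh ipsec static add rule name="Block everything" policy="$Policy" filterlist="All Traffic"             filteraction="Block"
netsh ipsec static add rule name="Allow DNS"        policy="$Policy" filterlist="DNS to resolver"         filteraction="Permit"
netsh ipsec static add rule name="Allow web"        policy="$Policy" filterlist="Outbound web"            filteraction="Permit"
netsh ipsec static add rule name="Allow admin RDP"  policy="$Policy" filterlist="Inbound RDP from admins" filteraction="Permit"

# Assign: takes effect within seconds, no reboot. When working remotely, keep the
# unassign line at hand, because a mistake in the RDP permit locks you out:
#   netsh ipsec static set policy name="Host Port Filter" assign=n
netsh ipsec static set policy name="$Policy" assign=y

# Show the active policy, rules and filters to check what actually got applied.
netsh ipsec static show policy name="$Policy" level=verbose
```

Two caveats before trusting the result: ICMP is caught by the catch-all because `protocol=any` includes it, which is the gap Steve notes in TCP/IP filtering, but IKE traffic (UDP 500) is exempt from IPsec filtering by default, and on Windows 2000 and XP before SP2 so are Kerberos, RSVP and broadcast/multicast traffic (the NoDefaultExempt registry value controls this). Verify from another host with a port scan rather than from the filtered machine itself.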
InBan said:
I agree a firewall is the best option in almost all cases; however, if for any
reason you cannot use a firewall, you can also 'filter' ports, a function of a basic
firewall, on a network adapter using the advanced configuration options of the local
area network connection properties.
This is often useful in a LAN where you want to close certain ports on certain
computers. Some firewalls perform more advanced features as well, depending on which
layers they operate at. Basic firewalls perform just packet filtering based on
ports, destination or source IP address, MAC address, etc. More advanced firewalls
are capable of performing application-layer inspection of packets to determine their
nature and validity.
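As an added example, not from the original thread, here is the same TCP/IP filtering setting that InBan describes from the adapter's advanced TCP/IP properties, applied through the registry values that dialog writes, so it can be scripted across several LAN hosts and audited afterwards. The port list is an assumption; the value names (EnableSecurityFilters, TCPAllowedPorts, UDPAllowedPorts, RawIPAllowedProtocols) are the ones the GUI uses.

```powershell
# Added example (not from the original thread): script the adapter "TCP/IP Filtering"
# option via its registry values. The port list is an assumption.
$TcpipParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$TcpPorts     = @('80', '443', '3389')  # TCP ports to leave open (assumed)
$UdpPorts     = @('0')                  # '0' = permit all UDP ports (no UDP filtering)
$RawProtocols = @('0')                  # '0' = permit all IP protocols

function Set-TcpipPortFilter {
    param([string[]]$Tcp, [string[]]$Udp, [string[]]$Raw)
    # Global switch; the per-interface lists do nothing unless this is 1.
    Set-ItemProperty -Path $TcpipParams -Name EnableSecurityFilters -Value 1 -Type DWord
    # The GUI applies the lists to all adapters, so write them to every interface key.
    Get-ChildItem "$TcpipParams\Interfaces" | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name TCPAllowedPorts       -Value $Tcp -Type MultiString
        Set-ItemProperty -Path $_.PSPath -Name UDPAllowedPorts       -Value $Udp -Type MultiString
        Set-ItemProperty -Path $_.PSPath -Name RawIPAllowedProtocols -Value $Raw -Type MultiString
    }
}

function Get-TcpipPortFilter {
    # One object per interface, so the state can be compared across hosts.
    $enabled = (Get-ItemProperty -Path $TcpipParams -Name EnableSecurityFilters `
                -ErrorAction SilentlyContinue).EnableSecurityFilters
    Get-ChildItem "$TcpipParams\Interfaces" | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        New-Object PSObject -Property @{
            Interface = $_.PSChildName
            Enabled   = ($enabled -eq 1)
            TCP       = ($p.TCPAllowedPorts -join ',')
            UDP       = ($p.UDPAllowedPorts -join ',')
            RawIP     = ($p.RawIPAllowedProtocols -join ',')
        }
    }
}

Set-TcpipPortFilter -Tcp $TcpPorts -Udp $UdpPorts -Raw $RawProtocols
Get-TcpipPortFilter | Format-Table Interface, Enabled, TCP, UDP, RawIP -AutoSize
```

Unlike an assigned IPsec policy, this setting only takes effect after a reboot, and it filters inbound traffic only: with UDP left at '0' as above, DNS replies still get through, but tightening the UDP list to specific ports would break name resolution for exactly the reason Steve gives.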