How to secure Windows 2000 ICS?

When setting up Internet Connection Sharing in Windows 2000, how do I secure it by using the TCP/IP filtering? I noticed that certain UDP ports must be open in order to allow Internet access. Could someone tell me which port should be open? Or point me to some resources? Thanks.
 
I would avoid ICS if at all possible and use a cable/dsl NAT router. If you
can't then use a personal firewall on your ICS computer. Zone Alarm has a
free firewall that is adequate for such situations. IP filtering will not
give you near the protection that a firewall will. --- Steve


Frank said:
When setting up Internet Connection Sharing in Windows 2000, how do I
secure it by using the TCP/IP filtering? I noticed that certain UDP ports
must be open in order to allow Internet access. Could someone tell me which
port should be open? Or point me to some resources? Thanks.
 
Thanks for the reply. I'll use a firewall.

Here is what I found. The UDP port 68 should be open for DHCP client. The only other ones are for DNS replies. However DNS requests are using different ports (usually 3000 and up). Although the replies are originated from port 53, the filter doesn't provide any way of filtering based on the remote port number, and it doesn't provide an easy way of opening a block of consecutive ports. I opened some 50 UDP ports (3000 through 3050) and was able to get IE to work for a while. It soon went above this range. Besides, I am guessing, firewalls not only open certain ports, but also check for validity of the data packets. Internet connection sharing on Windows 2000 is not very convenient after all.
 
That is the problem - return traffic to the randomly assigned above 1024
ports. Better firewalls [software and even some affordable under $100 NAT
devices such as the Netgear ProSafe series] use Stateful Packet Inspection
to determine if the inbound traffic is a response to traffic initiated behind
the firewall and then dynamically open ports. ICS made sense in a point in
time when most people used dialup and NAT/firewall devices were not
affordable. --- Steve

Frank said:
Thanks for the reply. I'll use a firewall.

Here is what I found. The UDP port 68 should be open for DHCP client. The
only other ones are for DNS replies. However DNS requests are using
different ports (usually 3000 and up). Although the replies are originated
from port 53, the filter doesn't provide any way of filtering based on the
remote port number, and it doesn't provide an easy way of opening a block of
consecutive ports. I opened some 50 UDP ports (3000 through 3050) and was
able to get IE to work for a while. It soon went above this range. Besides,
I am guessing, firewalls not only open certain ports, but also check for
validity of the data packets. Internet connection sharing on Windows 2000 is
not very convenient after all.
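The contrast Steve draws above (static local-port filtering versus stateful inspection), and the return-traffic problem Frank ran into, as an added example that is not from any poster in this thread and is not a Windows component. It simulates both filtering styles over constructed packets: a Windows 2000 style filter that admits inbound UDP by local port only, and a stateful filter that records outbound flows and admits only matching replies. The addresses (RFC 5737 documentation ranges), the port numbers, the 30 second UDP flow timeout and the port 68 exception for DHCP are all assumptions chosen for the illustration.

```python
"""Static local-port filtering versus stateful tracking of UDP replies.

Added example for this thread (not from any poster, not a Windows component).
  * StaticLocalPortFilter: permit inbound by *local* port only, as Windows 2000
    TCP/IP filtering does; the remote port is never consulted.
  * StatefulFilter: record each outbound flow and admit inbound packets only
    when they reverse a recorded flow that has not expired.
Addresses, ports and the 30 s UDP timeout are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


HOST = "192.0.2.10"          # constructed: the ICS machine's external address
RESOLVER = "198.51.100.53"   # constructed: the ISP's DNS server
DHCP_SERVER = "192.0.2.1"    # constructed: the ISP's DHCP server
ATTACKER = "203.0.113.9"     # constructed: an unrelated Internet host


class StaticLocalPortFilter:
    """Windows 2000 style: a set of permitted local UDP ports, nothing else."""

    def __init__(self, allowed_udp_ports):
        self.allowed = set(allowed_udp_ports)

    def inbound_allowed(self, pkt):
        # Only the local (destination) port is visible to this filter, so
        # anything sent to an opened port is admitted, solicited or not.
        return pkt.proto == "udp" and pkt.dst_port in self.allowed


class StatefulFilter:
    """Stateful packet inspection: outbound flows open a matching reply slot."""

    def __init__(self, static_udp_ports=(), udp_timeout=30.0):
        self.static_udp_ports = set(static_udp_ports)  # exceptions such as DHCP 68
        self.udp_timeout = udp_timeout                 # assumed idle timeout
        self.flows = {}   # (proto, local_ip, local_port, remote_ip, remote_port) -> expiry

    def outbound(self, pkt, now):
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        self.flows[key] = now + self.udp_timeout

    def inbound_allowed(self, pkt, now):
        if pkt.proto == "udp" and pkt.dst_port in self.static_udp_ports:
            return True
        # A reply must come from the exact remote address and port we talked to.
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        expiry = self.flows.get(key)
        if expiry is None or now > expiry:
            self.flows.pop(key, None)
            return False
        return True


def run_scenario():
    """Replay the traffic the thread describes and return each filter's verdict."""
    static = StaticLocalPortFilter(set(range(3000, 3051)) | {68})  # Frank's ruleset
    stateful = StatefulFilter(static_udp_ports={68})
    results = {}

    # 1. DNS query whose ephemeral port landed just outside the opened block.
    query = Packet("udp", HOST, 3051, RESOLVER, 53)
    reply = Packet("udp", RESOLVER, 53, HOST, 3051)
    stateful.outbound(query, now=0.0)
    results["dns_reply_static"] = static.inbound_allowed(reply)            # False
    results["dns_reply_stateful"] = stateful.inbound_allowed(reply, 0.1)   # True

    # 2. Unsolicited packet aimed at a port inside the opened block.
    probe = Packet("udp", ATTACKER, 40000, HOST, 3020)
    results["probe_static"] = static.inbound_allowed(probe)                # True
    results["probe_stateful"] = stateful.inbound_allowed(probe, 0.2)       # False

    # 3. Forged "DNS reply" from the wrong source address to the live port.
    forged = Packet("udp", ATTACKER, 53, HOST, 3051)
    results["forged_reply_stateful"] = stateful.inbound_allowed(forged, 0.3)  # False

    # 4. Genuine reply arriving after the UDP flow entry has expired.
    results["late_reply_stateful"] = stateful.inbound_allowed(reply, 60.0)    # False

    # 5. DHCP OFFER to port 68: the DISCOVER went to broadcast, so no flow
    #    reverses it; both filters need an explicit rule for port 68.
    offer = Packet("udp", DHCP_SERVER, 67, HOST, 68)
    results["dhcp_static"] = static.inbound_allowed(offer)                 # True
    results["dhcp_stateful"] = stateful.inbound_allowed(offer, 0.4)        # True
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:24s} {'ALLOW' if verdict else 'DROP'}")
```

Case 1 is exactly the failure Frank saw: the static filter drops the DNS reply because the query's ephemeral port was outside the opened block, while the stateful filter admits it because it recorded the outbound query. Case 2 shows the cost of the static workaround: every opened port is also open to unsolicited traffic. Case 5 is the caveat a practitioner should keep in mind even with a stateful device: DHCP replies do not reverse the broadcast DISCOVER, so the DHCP client port still needs an explicit rule.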
 