-----Original Message-----
The well known ports that you have allowed are the ports that a service is
listening on. For example, Telnet listens on TCP 23 and DNS on TCP 53 and
UDP 53. However, ephemeral ports (1024+) are used to send the requests. For
example, a DNS query going out from your machine may use a UDP destination
port of 53 but the UDP source port may be 1029. When the DNS server
responds back, it reverses the ports - meaning that the packet coming back
from DNS server will have a source port of UDP 53 but destination UDP port
is 1029. Since you are not allowing UDP port 1029 on your machine, the
packet gets dropped. Same thing goes for HTTP (Internet browsing) - your
machine will use a "random" TCP port above 1024 as the source port to send
the TCP packet.
So unless you are planning to open a bunch of ports, you will not be able
to do much from this server except host services that use well known ports
for incoming connections.
I'd suggest getting a firewall or proxy server that can do "stateful"
packet filtering instead. Or you can enable RRAS and use Input and Output
filters instead of TCP/IP filtering. I/O filters are not "stateful" but can
be configured to allow return traffic. An example would be these 2 filters
for allowing HTTP traffic:
  1. From Me to any, destination port TCP 80, src port any (outbound traffic)
  2. From any to me, source port TCP 80, dest port any (inbound traffic)
The first filter allows outgoing traffic to a webserver and the second
filter allows incoming traffic from a webserver.
----
Thanks,
Rakesh Chanana [MSFT]
When replying, please post to GROUP so that everyone can benefit from the
knowledge.
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples is subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
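The three filtering behaviours discussed in the reply above, modelled in Python as an added example (this is not code from the posting or from Microsoft). The addresses, the ephemeral ports 1029/1030 and the final "probe" packet are constructed for the illustration; the host address, port 139 and the attacker's choice of source port 80 are assumptions. The model shows why port-only TCP/IP filtering drops DNS and HTTP replies, how a pair of RRAS-style input/output filters lets the replies through, and the caveat that such static filters also admit any unsolicited inbound packet whose sender simply set source port 80, which a stateful filter rejects because no matching outbound flow exists.

```python
"""Model three packet-filter designs against the same traffic.

Added illustration, not code from the original posting. Addresses and the
probe scenario are constructed; filter behaviour follows the description in
the post (Windows TCP/IP filtering, RRAS input/output filters, stateful).
"""
from dataclasses import dataclass
from typing import Iterable, Tuple

ME = "192.0.2.10"             # constructed: the filtered host
DNS_SERVER = "192.0.2.53"     # constructed
WEB_SERVER = "198.51.100.80"  # constructed
ATTACKER = "203.0.113.66"     # constructed

Rule = Tuple[str, int]        # (protocol, remote well-known port)


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

    @property
    def outbound(self) -> bool:
        return self.src == ME


class TcpIpFiltering:
    """Windows TCP/IP filtering: an inbound packet passes only if its
    destination port is a listed listening port. Direction is not tracked,
    so a reply to an ephemeral port (1024+) is dropped unless listed."""

    def __init__(self, tcp_ports: Iterable[int], udp_ports: Iterable[int]):
        self.allowed = {"tcp": set(tcp_ports), "udp": set(udp_ports)}

    def allow(self, pkt: Packet) -> bool:
        if pkt.outbound:
            return True                       # outgoing traffic is unrestricted
        return pkt.dport in self.allowed[pkt.proto]


class IoFilterPair:
    """RRAS-style input/output filters: 'from me to any, dst port P' plus
    'from any to me, src port P'. Return traffic passes, but nothing records
    whether this host actually started the conversation."""

    def __init__(self, rules: Iterable[Rule]):
        self.rules = set(rules)

    def allow(self, pkt: Packet) -> bool:
        remote_port = pkt.dport if pkt.outbound else pkt.sport
        return (pkt.proto, remote_port) in self.rules


class StatefulFilter:
    """Remembers each permitted outbound flow and admits an inbound packet
    only if it is the exact reverse (addresses and ports swapped) of one."""

    def __init__(self, rules: Iterable[Rule]):
        self.rules = set(rules)
        self.flows = set()

    def allow(self, pkt: Packet) -> bool:
        if pkt.outbound:
            if (pkt.proto, pkt.dport) not in self.rules:
                return False
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        reversed_flow = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return reversed_flow in self.flows


# Constructed traffic: the DNS and HTTP exchanges from the post, plus an
# unsolicited inbound packet whose sender chose source port 80 (an attacker
# controls the source port) aimed at a local port that is not meant to be open.
SCENARIOS = {
    "dns": [Packet("udp", ME, 1029, DNS_SERVER, 53),
            Packet("udp", DNS_SERVER, 53, ME, 1029)],
    "http": [Packet("tcp", ME, 1030, WEB_SERVER, 80),
             Packet("tcp", WEB_SERVER, 80, ME, 1030)],
    "probe_from_port_80": [Packet("tcp", ATTACKER, 80, ME, 139)],
}

RULES = [("udp", 53), ("tcp", 80)]   # remote services this host may reach


def evaluate() -> dict:
    """Return {filter_name: {scenario: [allowed, ...]}}, one fresh filter per scenario."""
    builders = {
        "tcpip_filtering": lambda: TcpIpFiltering(tcp_ports=[80], udp_ports=[]),
        "io_filters": lambda: IoFilterPair(RULES),
        "stateful": lambda: StatefulFilter(RULES),
    }
    results = {}
    for name, build in builders.items():
        results[name] = {}
        for scenario, pkts in SCENARIOS.items():
            filt = build()
            results[name][scenario] = [filt.allow(p) for p in pkts]
    return results


if __name__ == "__main__":
    for name, per_scenario in evaluate().items():
        for scenario, verdicts in per_scenario.items():
            print(f"{name:16} {scenario:20} {verdicts}")
```

The `tcpip_filtering` row reproduces the complaint in the thread: the outgoing query and SYN leave, but the replies to ports 1029 and 1030 are dropped. The `io_filters` row passes both exchanges, and also passes the probe, which is the price of a filter that keys only on the remote port; the `stateful` row passes the exchanges and drops the probe.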