TCP Port selection

D Comeau

Can I configure W2k to utilize a specific range of ports
(or even restrict the use of a range of ports)? We have
configured ACLs on our routers that restrict connections
to dest ports 3127 to 3198 in an attempt to reduce the
effects of the MyDoom worm. However, Windows randomly
uses ports to connect to systems. As an example, I open
my web browser to www.microsoft.com and I use TCP port
3127 as my source port; the packet goes out to
www.microsoft.com port 80, but the return packet does not
get through.
 
I don't know of a way to do that [other than for RPC]. You should consider
using a stateful packet inspection firewall with a default block-all
outbound rule and then configure just the exceptions for allowed
services/applications. A rule for internet access would have to allow return
traffic from any port, but only for traffic you initiated to port 80 TCP, for
instance. It is the job of the firewall to track the "state" of the
connection so that uninitiated traffic from any other port or IP address is
not allowed in. --- Steve

http://www.netscreen.com/products/firewall/security/stateful_inspection.jsp
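A small model of the contrast Steve draws, as an added example that is not from the thread or from any product: the stateless router ACL from the question beside a stateful filter that admits inbound packets only as the reverse of a flow an inside host initiated, run against the poster's port-3127-to-port-80 case. The addresses, the "10." inside prefix and the allowed service ports {80, 443} are constructed assumptions.

```python
from dataclasses import dataclass

MYDOOM_PORTS = range(3127, 3199)  # 3127..3198, the range the router ACL blocks


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # True only on the first packet of a connection


def stateless_acl_allows(pkt: Packet) -> bool:
    """The router ACL from the question: drop any packet whose destination port is in the range."""
    return pkt.dst_port not in MYDOOM_PORTS


class StatefulFirewall:
    """Default-deny both ways: outbound SYNs to allowed service ports open a flow,
    and inbound packets pass only if they are the reverse of a tracked flow."""

    def __init__(self, allowed_dst_ports, inside_prefix: str):
        self.allowed = set(allowed_dst_ports)
        self.inside_prefix = inside_prefix  # assumption: inside hosts share this prefix
        self.flows = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def allows(self, pkt: Packet) -> bool:
        if pkt.src_ip.startswith(self.inside_prefix):  # outbound direction
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            if key in self.flows:
                return True
            if pkt.syn and pkt.dst_port in self.allowed:
                self.flows.add(key)  # remember the connection the inside host initiated
                return True
            return False
        # inbound: allowed only as return traffic of a flow we recorded
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows


def run_scenario() -> dict:
    """The poster's case: the browser picks source port 3127 and talks to port 80 (constructed addresses)."""
    out = Packet("10.0.0.5", 3127, "203.0.113.10", 80, syn=True)
    back = Packet("203.0.113.10", 80, "10.0.0.5", 3127)  # the web server's reply
    unsolicited = Packet("203.0.113.77", 40000, "10.0.0.5", 3127, syn=True)  # nobody inside asked for this
    fw = StatefulFirewall(allowed_dst_ports={80, 443}, inside_prefix="10.")
    result = {"acl_out": stateless_acl_allows(out), "acl_back": stateless_acl_allows(back)}
    result["fw_out"] = fw.allows(out)  # must be evaluated before the reply is checked
    result["fw_back"] = fw.allows(back)
    result["fw_unsolicited"] = fw.allows(unsolicited)
    return result
```

The ACL drops the legitimate reply because its destination port happens to be 3127, while the stateful filter passes that reply and still drops the unsolicited inbound packet to the same port.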
 
For your ease of configuration, I would probably first recommend asking a
person or newsgroup that is expert in your router as to whether you have
correctly configured your router ACLs. For example, can you configure them
to block Syn packets with a destination port in that range? Or configure
your ACLs to only block traffic involving those ports where the source and
destination are both on your local network, and then let your firewall block
worm activity out to the Internet? Or allow traffic where one port is in
that range and the port on the other end is TCP 80 or other probably
acceptable values? Those might be ways you might block most if not all
MyDoom connections while allowing most if not all web browsing.

If you prefer, this article should let you do what you wish, reserve
"ephemeral" source ports in Windows 2000. Other such articles can be found
in Google:

http://www.jsiinc.com/SUBO/tip7000/rh7082.htm
http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&safe=off&q=windows+registry+ephemeral+port

Might I also recommend a good enterprise antivirus solution that distributes
updates automatically.
 