W2K Server TCP/IP Filtering - what ports to leave open

Thread starter: George Mizzell

George Mizzell

In light of all the recent flurry of activity I was wondering why not enable
TCP/IP filtering and allow only TCP port 80 and the FTP port and email port
to get through the adapter? Also, what UDP ports would be necessary to
leave open?

I know the first question is "what are you using it for?" This is my basic
server that simply functions as a network server for my home network. It
hosts a few shared folders and a private network on the second ethernet card
and the first one is a static IP directly connected to the ISP. I may allow
from time to time some files to be accessed from my website that is hosted
remotely by a specialized web hosting company and I do all of my web design
locally and upload through ftp using dreamweaver to the main website. We
have about 6 pcs attached to the network and all family users with kids who
love the instant message service. Based on this info what TCP and UDP ports
would I need to leave open?

Thanks
George Mizzell
 
Hi George. IP filtering filters inbound traffic only by port number and is most
suitable for dedicated servers. You would be far better served with a SPI firewall
like the one Netgear sells for around $75. It can fend off a lot of attacks "at the
gate". Common ports for internet access to servers - ftp 20 and 21, http 80, https
443, smtp 25, pop 110, nntp 119, dns 53 udp [tcp zone transfers]. --- Steve
 
Steve

Thanks - those are the main ones I knew about. I was thinking that I could
set the IP filtering to only accept these ports (except the DNS - I don't do
any zone transfers with my ISP). I already have a neat firewall - Black Ice
which blocks based on IP addresses and based on what it thinks is an Attack.
However, it was not stopping ports 135, 137-139 or 443 and so I was getting
some pesky outfits who were annoying me with ads through port 135 telling me
to buy their software and it would stop them from being jerks. (Like that
marketing technique is going to work).

I just know that if I block everything except those ports and then something
doesn't work, I won't know it nor will I know what port it was associated
with. I am only concerned with incoming traffic - all outbound traffic will
be from me or my kids so I am not worrying about them.

Thanks
George


Steven L Umbach said:
Hi George. IP filtering filters inbound traffic only by port number and is most
suitable for dedicated servers. You would be far better served with a SPI firewall
like the one Netgear sells for around $75. It can fend off a lot of attacks "at the
gate". Common ports for internet access to servers - ftp 20 and 21, http 80, https
443, smtp 25, pop 110, nntp 119, dns 53 udp [tcp zone transfers]. --- Steve




George Mizzell said:
In light of all the recent flurry of activity I was wondering why not enable
TCP/IP filtering and allow only TCP port 80 and the FTP port and email port
to get through the adapter? Also, what UDP ports would be necessary to
leave open?

I know the first question is "what are you using it for?" This is my basic
server that simply functions as a network server for my home network. It
hosts a few shared folders and a private network on the second ethernet card
and the first one is a static IP directly connected to the ISP. I may allow
from time to time some files to be accessed from my website that is hosted
remotely by a specialized web hosting company and I do all of my web design
locally and upload through ftp using dreamweaver to the main website. We
have about 6 pcs attached to the network and all family users with kids who
love the instant message service. Based on this info what TCP and UDP ports
would I need to leave open?

Thanks
George Mizzell
 
Steve

That is a great idea - I had not thought about the file and print services
on the NIC. You just can't seem to think of everything. I will take care
of that and test it and see how it works. I know Black Ice will handle
their part - I just view the filtering as adding another layer of
complexity. Thanks again.

George


Steven L Umbach said:
Actually those ports I listed are what you may need for outbound access, not
inbound. For instance ip filtering port 80 would make sense if you had a web server
on your computer, but not for accessing the internet from your web browsers. In your
situation, I believe you could block all inbound access and Black Ice would open
proper inbound ports for return trips from web sites, etc dynamically and close them
when the session is done by tracking the "state" of the connection. The personal
firewalls like Black Ice, have settings for "trusted networks" which would be your
lan of home computers. Configure it to allow file and print sharing for the trusted
network only [usually 192.168.xxx.xxx network range]. You also should
disable/uninstall file and print sharing on the nic connected to the internet. ---
Steve

George Mizzell said:
Steve

Thanks - those are the main ones I knew about. I was thinking that I could
set the IP filtering to only accept these ports (except the DNS - I don't do
any zone transfers with my ISP). I already have a neat firewall - Black Ice
which blocks based on IP addresses and based on what it thinks is an Attack.
However, it was not stopping ports 135, 137-139 or 443 and so I was getting
some pesky outfits who were annoying me with ads through port 135 telling me
to buy their software and it would stop them from being jerks. (Like that
marketing technique is going to work).

I just know that if I block everything except those ports and then something
doesn't work, I won't know it nor will I know what port it was associated
with. I am only concerned with incoming traffic - all outbound traffic will
be from me or my kids so I am not worrying about them.

Thanks
George

 
This is my question in a more complex guise. We just need
to block a couple of ports according to the instructions
but the filter doesn't let us do that directly.
 
Colin

As I understand this filtering in W2K server - it only works to either
accept ONLY or reject ONLY and does not specifically block selected ports.
As I recall its intent is pertaining to web servers and instead of needing a
firewall you can allow ONLY port 80 traffic or an exchange server can ONLY
allow port 25. For selecting a couple of ports to block you need a firewall
program.

Hope this helps a little
George
 
You don't have to know all the ports that cause the problem. Whatever one
uses, firewall or IPsec filtering, the best approach to take is to create a default
"deny all" rule for inbound access and then create exceptions to the rule. For an
average user, there will not be any open inbound access ports. The firewall then will
open outbound ports for approved applications/protocols and only allow traffic back
in, in response to the initiated connection, by tracking the state of the
connection. --- Steve

Csaba2000 said:
I don't know how similar Win 2K Pro is to W2K Server, but if they are, then you can
accomplish the filtering that you want via Control Panel/Administrative Tools/Local
Security Policy/IP Security Policies on Local Machine (IP Sec). Here you would have to
create a "policy" which would be a combination of Filters, which in turn is a
combination of Filter Rules grouped with a filter (e.g. Block or Permit). For Blaster,
I have used a filter that blocks the particular ports that it uses together with a
default filter that lets remaining IP traffic through according to the default scheme.

See my earlier post in this newsgroup entitled "Win 2K Pro Service Pack 1 and
Blaster" for some additional info. Notice, however, that the different companies are
at odds over which ports are used for the attack. This, of course, begs the question
of how thoroughly was the virus reviewed by the individual companies and the
concomitant question of how effective is the patch for future variants? I have not
installed the patch but by blocking the union of all
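The three filtering models the thread contrasts (George's "permit only these inbound ports" list, Csaba's IPsec "block these ports, permit the rest" policy, and Steve's default-deny-inbound stateful firewall with a trusted-LAN exception) can be compared side by side in a small simulation. The code below is an added illustration, not anything posted in the thread and not the actual Windows 2000 TCP/IP filtering or IPsec implementation; the addresses, the ephemeral port numbers and the packet sequence are constructed, and the `StatefulFilter` is a deliberately simplified model (one flow table keyed on the 5-tuple, closed by a FIN from either side). It shows why a permit-only list needs 65,533 entries to express "everything except 135 and 139", why a block list lets anything unlisted through, and how state tracking admits the reply to a browser's own connection while still rejecting an unsolicited packet to 135 or a file-sharing probe from the internet side:

```python
"""Toy models of the three inbound-filtering approaches discussed in the thread.
Constructed addresses: 192.0.2.10 is the server, 203.0.113.9 an internet host,
198.51.100.7 a web site, 192.168.1.5 a PC on the home LAN."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    fin: bool = False   # simplified: a FIN from either side closes the flow


def permit_only(permitted_tcp, permitted_udp):
    """Model of W2K 'Permit Only' TCP/IP filtering: an inbound packet is accepted
    only if its destination port is on the list. There is no deny list, so
    'everything except 135' can only be expressed by listing every other port."""
    def decide(pkt):
        allowed = permitted_tcp if pkt.proto == "tcp" else permitted_udp
        return "permit" if pkt.dport in allowed else "deny"
    return decide


def block_list(blocked_tcp, blocked_udp):
    """Model of the IPsec-policy approach: block the named ports, permit the rest."""
    def decide(pkt):
        blocked = blocked_tcp if pkt.proto == "tcp" else blocked_udp
        return "deny" if pkt.dport in blocked else "permit"
    return decide


class StatefulFilter:
    """Default-deny inbound. A packet is admitted only as the return leg of a flow
    this host opened itself, or from the trusted LAN to explicitly listed ports."""

    def __init__(self, trusted_net, trusted_ports):
        self.trusted_net = ip_network(trusted_net)
        self.trusted_ports = set(trusted_ports)
        self.flows = set()  # (proto, local_ip, local_port, remote_ip, remote_port)

    def outbound(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.fin:
            self.flows.discard(key)   # our side closed the session
        else:
            self.flows.add(key)       # remember the flow we initiated
        return "permit"               # outbound is not restricted in this model

    def inbound(self, pkt):
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.flows:         # reply to a connection we opened
            if pkt.fin:
                self.flows.discard(key)
            return "permit"
        if ip_address(pkt.src) in self.trusted_net and pkt.dport in self.trusted_ports:
            return "permit"           # file/print sharing from the home LAN only
        return "deny"                 # everything else unsolicited is dropped


HOST = "192.0.2.10"  # constructed: the server's internet-facing address


def demo():
    """Run constructed packets through each model; returns {label: decision}."""
    r = {}
    # 1. Permit-only list as proposed in the thread: only 80, 21, 25 inbound.
    po = permit_only({80, 21, 25}, set())
    r["po_http"] = po(Packet("tcp", "203.0.113.9", 44000, HOST, 80))
    r["po_rpc135"] = po(Packet("tcp", "203.0.113.9", 44001, HOST, 135))
    # 2. "Block 135 and 139, permit the rest": two entries in a block list versus
    #    65,533 entries in a permit-only list, with identical decisions.
    bl = block_list({135, 139}, set())
    po_all_but = permit_only(set(range(1, 65536)) - {135, 139}, set())
    probes = [Packet("tcp", "203.0.113.9", 44002, HOST, p) for p in (135, 139, 80, 3389)]
    r["bl_equiv"] = all(bl(p) == po_all_but(p) for p in probes)
    r["bl_rpc135"] = bl(probes[0])
    r["bl_rdp3389"] = bl(probes[3])   # anything not on the block list gets through
    # 3. Stateful default deny with a trusted-LAN exception for file sharing
    #    (NetBIOS 137-139 and SMB-direct 445).
    sf = StatefulFilter("192.168.0.0/16", {137, 138, 139, 445})
    r["sf_unsolicited135"] = sf.inbound(Packet("tcp", "203.0.113.9", 44003, HOST, 135))
    sf.outbound(Packet("tcp", HOST, 50000, "198.51.100.7", 80))        # browser opens a site
    r["sf_reply80"] = sf.inbound(Packet("tcp", "198.51.100.7", 80, HOST, 50000))
    r["sf_wrong_port"] = sf.inbound(Packet("tcp", "198.51.100.7", 80, HOST, 50001))
    sf.inbound(Packet("tcp", "198.51.100.7", 80, HOST, 50000, fin=True))  # session ends
    r["sf_after_close"] = sf.inbound(Packet("tcp", "198.51.100.7", 80, HOST, 50000))
    r["sf_lan_smb"] = sf.inbound(Packet("tcp", "192.168.1.5", 1025, HOST, 139))
    r["sf_wan_smb"] = sf.inbound(Packet("tcp", "203.0.113.9", 1025, HOST, 139))
    return r


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:20} {decision}")
```

The stateful model is the one that matches the "deny all inbound, then add exceptions" advice: nothing needs to be known about which ports an attack uses, because an unsolicited packet is dropped regardless of its port, while the browser's reply traffic is admitted only on the exact 5-tuple the host opened and only until the session closes.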
 