W2K TCP/IP Filtering

  • Thread starter: Steve

Steve

I have a new w2k web server getting ready to go online,
and I'm having some problems with the tcp/ip filtering.
Following the guide at http://www.shebeen.com/w2k/ for
basic hardening, I've enabled TCP/IP filtering. Problem
is that it seems to break the connection to our DNS
servers (internet DNS servers with IPs specified in the
TCP/IP address properties). When I disable the TCP/IP
filtering, everything works as it should.

The settings are: TCP Permit only 22,80,443,3389
UDP permit only: 161,162
Protocols: 6,8

I know if I was running DNS on this machine, I'd need 53
open, but I'm not sure why the filtering is blocking name
resolution when connecting to an outside dns server.
 
It should not interfere with internet users accessing your website but my guess is
that you are trying to access the internet from that computer. I bet if you leave
tcp/ip filtering enabled but select permit all for just UDP it will work. The reason
is that tcp/ip filtering is somewhat stateful for TCP but not UDP in that for TCP it
knows that a return response was initiated from your computer and allows it in while
not for UDP which blocks return UDP packets from the ISP dns server with the name
resolution request. --- Steve
 
Open UDP ports 1023-1025. Your server uses high udp ports to make the
DNS request to port 53 and needs them open to get the response


-
posivib
 
actually 1023-1030 works better as it gives you a few more origin ports
to work with


-
posivib
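The two replies above make one point between them: the W2K filter tracks TCP connections the server opened itself, but for UDP it only checks the destination port of each inbound datagram against the "Permit Only" list, so a DNS reply sent back to the ephemeral source port is dropped unless that port is on the list. The following is an added example (not code from the thread or from Windows): a small Python model of that inbound filter, with the thread's settings, the "permit all UDP" suggestion, and the 1023-1030 range all run against a simulated DNS lookup. Port numbers used for the simulated lookups are constructed; `thread_filter`, `filter_with_udp_range` and `dns_reply_accepted` are names chosen here.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Set


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_port: int   # remote port for an inbound packet, local port for an outbound one
    dst_port: int   # local port for an inbound packet, remote port for an outbound one


class PortFilter:
    """Model of W2K-style TCP/IP filtering as described in the thread.

    Inbound packets are checked against per-protocol allow-lists of local
    ports. TCP is 'somewhat stateful': replies to connections the server
    initiated are accepted. UDP has no such tracking, so a reply is only
    accepted if its destination (our ephemeral source) port is listed.
    None models the 'Permit All' radio button; a set models 'Permit Only'.
    """

    def __init__(self, tcp_allow: Optional[Iterable[int]], udp_allow: Optional[Iterable[int]]):
        self.tcp_allow: Optional[Set[int]] = None if tcp_allow is None else set(tcp_allow)
        self.udp_allow: Optional[Set[int]] = None if udp_allow is None else set(udp_allow)
        self.tcp_initiated: Set[int] = set()   # local ports of TCP connections we opened

    def outbound(self, pkt: Packet) -> None:
        # Only TCP leaves a trace the filter can use later; outbound UDP is forgotten.
        if pkt.proto == "tcp":
            self.tcp_initiated.add(pkt.src_port)

    def inbound(self, pkt: Packet) -> bool:
        if pkt.proto == "tcp":
            if pkt.dst_port in self.tcp_initiated:
                return True                      # reply to a connection we started
            return self.tcp_allow is None or pkt.dst_port in self.tcp_allow
        if pkt.proto == "udp":
            return self.udp_allow is None or pkt.dst_port in self.udp_allow
        return False                             # other protocols not modelled here


def dns_reply_accepted(filt: PortFilter, ephemeral_port: int) -> bool:
    """Simulate one lookup: query from our ephemeral port to 53, reply back to it."""
    filt.outbound(Packet("udp", ephemeral_port, 53))
    return filt.inbound(Packet("udp", 53, ephemeral_port))


def thread_filter() -> PortFilter:
    # The original poster's settings: TCP 22,80,443,3389; UDP 161,162.
    return PortFilter(tcp_allow={22, 80, 443, 3389}, udp_allow={161, 162})


def permit_all_udp_filter() -> PortFilter:
    # First reply's suggestion: keep the TCP list, set UDP to 'Permit All'.
    return PortFilter(tcp_allow={22, 80, 443, 3389}, udp_allow=None)


def filter_with_udp_range(lo: int, hi: int) -> PortFilter:
    # Second reply's suggestion: add a block of high UDP ports for DNS replies.
    return PortFilter(tcp_allow={22, 80, 443, 3389},
                      udp_allow={161, 162, *range(lo, hi + 1)})


def demo() -> dict:
    """Run the scenarios from the thread; constructed ephemeral ports 1024 and 1031."""
    return {
        "original, reply to port 1024": dns_reply_accepted(thread_filter(), 1024),
        "permit all UDP, reply to port 1024": dns_reply_accepted(permit_all_udp_filter(), 1024),
        "UDP 1023-1030, reply to port 1024": dns_reply_accepted(filter_with_udp_range(1023, 1030), 1024),
        "UDP 1023-1030, reply to port 1031": dns_reply_accepted(filter_with_udp_range(1023, 1030), 1031),
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario}: {'accepted' if accepted else 'DROPPED'}")
```

The last scenario is the caveat that comes with the second suggestion: the range only helps while the stack actually picks a source port inside it, so any lookup whose source port falls outside the permitted block still fails. Windows 2000 allocates ephemeral ports from 1024 upward by default, which is why a narrow range can appear to work during testing and then fail intermittently. Opening UDP to "Permit All" trades that fragility for a wider inbound UDP surface, so whichever choice is made should be checked with a few lookups from the box itself once the filter is enabled.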
 