Wich protocol numbers?

[damned]

Hi everyone,

My firewall let's me drop also packets based on their IPv4 protocol number
field.

Wich protocols (codes) should I drop in Windows 2000 Server permiting only
IP (0), ICMP (1), TCP (6) and UDP (17), this according to MS protocol file.

In other words, what protocol (codes) does Windows 2000 Server (and it's
subsystems) support? Totaly.

Is there any updated list?

Thank you,
damned

PS: Dropping the full list from iana.org would slow down the firewall, since
it's not protocol number ranged, beeing instead, sequencial.

 

[Paul Adare - MVP - Microsoft Virtual PC]

microsoft.public.win2000.security news group, "damned" <Reply to

PS: Dropping the full list from iana.org would slow down the firewall, since
it's not protocol number ranged, beeing instead, sequencial.

Then you need a new firewall, and you're approaching this from entirely
the wrong direction.

You should have a default DENY ALL rule first, and then only open up the
ports that you need.

 

[damned]

Paul,

Thank you for your advice, but this is a good kernel level firewall.

Of course, my first rule for all NICs is DROP ALL in all streams.

Drop/Deny All only applies to IP protocol (number 0) and its sub-protocols
on all NICs.

The rules I was refering to are relative to all NICs and regarding the
protocol numbers (other than IP).

In fact, I just need a list of supported protocols in Win2K.

Regards,
damned

 

[Keith W. McCammon]

In fact, I just need a list of supported protocols in Win2K.

It supports a lot. You can find the implementation details on TechNet.

 

[Keith W. McCammon]

Wich protocols (codes) should I drop in Windows 2000 Server permiting only

IP (0), ICMP (1), TCP (6) and UDP (17), this according to MS protocol

file.

You just said that you permit these protocols. Why are you asking what to
drop? Everything else should be dropped.

In other words, what protocol (codes) does Windows 2000 Server (and it's
subsystems) support? Totaly.

Huh? You're doing it backwards. If the protocols above are all that's
needed, then what's the issue? If you have an app that doesn't work, it
should be trivial to determine the protocol by looking at the logs.

 

[damned]

Keith,

This firewall works like this:

a) One can make statefull rules on IP (TCP, ICMP, UDP).
b) These rules are applied to all NICs for both in/out streams.
c) Also for both streams there's a "virtual NIC" that wraps all NICs in
the stream to make possible for global rules within the stream.

Since the last rule (case else analogy) for each NIC is "IP Drop All Any <->
Any" and the exclusions (permited) are prior to this rule, everithing is
working fine in IP!!! and IP ONLY!

To explicitly drop/deny packets of other protocols FOR ALL NICs within the
stream, these rules must be applied *globaly* (for optimization).


Regards,
damned

 

[Paul Adare - MVP - Microsoft Virtual PC]

microsoft.public.win2000.security news group, "damned" <Reply to

Since the last rule (case else analogy) for each NIC is "IP Drop All Any <->
Any" and the exclusions (permited) are prior to this rule, everithing is
working fine in IP!!! and IP ONLY!

To explicitly drop/deny packets of other protocols FOR ALL NICs within the
stream, these rules must be applied *globaly* (for optimization).

Either we've got a language barrier here, or you've got a fairly large
hole in your networking knowledge or both. If your firewall is already
handling the TCP/IP protocol, then what other protocols are you talking
about. Also might help if you'd identify the firewall you're referring
to here.

 

[Dusty Harper {MS}]

I believe that he is referring to other networking protocols such as IPX,
DEC Net, Banyan VINES etc. Normally a firewall is not needed for these
protocols because they are private to a corporation. In fact, I don't know
of any firewall that deals with these. In Windows 2000, the RRAS component
was capable of doing some IPX filtering, but nothing major. 99% of
firewalls are geared towards TCP/IP based networks, because that is where
the largest threat base lies.

If your firewall box isn't running the other protocols, then they will not
pass through regardless.

 

[damned]

Paul,

There are other protocols (protocol flag field) besides 0, 1, 6 and 17.

When you make rules to TCP/IP (in general) you make rules to packets where
this flag field has the mentioned values. This is one of the first IF
statement in any firewalling algorithm.

Now, what I want to do is to drop any other protocol packet (packet with
prot. field different from 0, 1, 6 and 17) on any NIC in any stream.
Globaly.

The firewall is Tiny/Kerio WinRoute Pro 4.2. If you look at their GUI HTML
help on applying rules you'll see what I mean.

Regards,
damned

 

[damned]

BINGO!

Thanks,
damned

PS: Take a look at the good old Tiny/Kerio WinRoute 4.2!

I believe that he is referring to other networking protocols such as IPX,
DEC Net, Banyan VINES etc. Normally a firewall is not needed for these
protocols because they are private to a corporation. In fact, I don't know
of any firewall that deals with these. In Windows 2000, the RRAS component
was capable of doing some IPX filtering, but nothing major. 99% of
firewalls are geared towards TCP/IP based networks, because that is where
the largest threat base lies.

If your firewall box isn't running the other protocols, then they will not
pass through regardless.

--
--
Dusty Harper
Microsoft Corporation
-------------------------------------------------------------------------- --
This posting is provided "AS IS", with NO warranties and confers NO rights
-------------------------------------------------------------------------- --

microsoft.public.win2000.security news group, "damned" <Reply to

Any

 

[Paul Adare - MVP - Microsoft Virtual PC]

microsoft.public.win2000.security news group, "damned" <Reply to

The firewall is Tiny/Kerio WinRoute Pro 4.2. If you look at their GUI HTML
help on applying rules you'll see what I mean.

I still don't have a clue what you're talking about, and I have looked
through the help. Please find a page that illustrates exactly what
you're talking about, right-click it, click Properties, and then post
the address to the page.

 

[damned]

http://www.tinysoftware.com

It's on their version 5.
Navigate to its download page and download the manual (.pdf).

4.2 is very different from this one.
I can't seem to find it anywhere, though.

Regards,
damned

 

[Paul Adare - MVP - Microsoft Virtual PC]

microsoft.public.win2000.security news group, "damned" <Reply to

4.2 is very different from this one.
I can't seem to find it anywhere, though.

Start here and then find a page that refers to the "protocol flags
field".

 

[damned]

Dusty,

Since one can not know all fw bypassing technics and how fws deal with them,
maybe then, for TCP/IP based firewalls one way to bypass them is for a
trojan to use a different protocol number flag encapsulated in IP?

Just wondering,
damned

I believe that he is referring to other networking protocols such as IPX,
DEC Net, Banyan VINES etc. Normally a firewall is not needed for these
protocols because they are private to a corporation. In fact, I don't know
of any firewall that deals with these. In Windows 2000, the RRAS component
was capable of doing some IPX filtering, but nothing major. 99% of
firewalls are geared towards TCP/IP based networks, because that is where
the largest threat base lies.

If your firewall box isn't running the other protocols, then they will not
pass through regardless.

--
--
Dusty Harper
Microsoft Corporation
-------------------------------------------------------------------------- --
This posting is provided "AS IS", with NO warranties and confers NO rights
-------------------------------------------------------------------------- --

microsoft.public.win2000.security news group, "damned" <Reply to

Any

 

[damned]

Better yet Paul,

You start here http://www.iana.org/assignments/protocol-numbers

And also: RFC791

Regards,
damned

 

[Keith W. McCammon]

Since one can not know all fw bypassing technics and how fws deal with
them,

maybe then, for TCP/IP based firewalls one way to bypass them is for a
trojan to use a different protocol number flag encapsulated in IP?

You misunderstand IP. If some other protocol is encapsulated within an IP
datagram, it's still and IP packet, and you still filter based on the IP
protocol identifier.

 

[Keith W. McCammon]

There are other protocols (protocol flag field) besides 0, 1, 6 and 17.

We all know that.

When you make rules to TCP/IP (in general) you make rules to packets where
this flag field has the mentioned values. This is one of the first IF
statement in any firewalling algorithm.

Again, we knew that. I don't get the point of your thread.

Now, what I want to do is to drop any other protocol packet (packet with
prot. field different from 0, 1, 6 and 17) on any NIC in any stream.
Globaly.

This is why I don't understand what you want from us. Firewalls do this by
design. If you're not permitting it, it's dropped. We're beating a dead
horse here.