jhon,

Your table is good except for DNS, which uses port 53.

The final table has to look like this (formatted here as a batch using the
netsh command line, for easy updating and reapplying). Some variables need to
be defined at the start of the batch:

  MyIf = the name of your Internet connection in RRAS (as you named it)
  MyIp = your computer's IP
  MyMk = your computer's mask

The '^' at the end of a line is the batch line-continuation character, so each
netsh command below is a single command. (Work based on a Microsoft article on
filtering/securing servers.)

---------------------------
setlocal
:// no spaces around '=' and no quotes: the value is used as-is below
set MyIf=Internet
set MyIp=1.2.3.4
set MyMk=255.255.255.255

:// drop all packets except for those matching defined input filters
netsh routing ip set filter name="%MyIf%" filtertype=INPUT action=DROP

: Rules for MyIp as an Internet client

:// enable dns lookup requests from MyIp to Any and responses to MyIp from Any
netsh routing ip add filter name="%MyIf%" filtertype=INPUT ^
    srcaddr=%MyIp% srcmask=%MyMk% dstaddr=0.0.0.0 dstmask=0.0.0.0 ^
    proto=UDP srcport=0 dstport=53
netsh routing ip add filter name="%MyIf%" filtertype=INPUT ^
    srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=%MyIp% dstmask=%MyMk% ^
    proto=UDP srcport=53 dstport=0

:// enable dns server referral requests from MyIp to Any and responses to MyIp from Any
netsh routing ip add filter name="%MyIf%" filtertype=INPUT ^
    srcaddr=%MyIp% srcmask=%MyMk% dstaddr=0.0.0.0 dstmask=0.0.0.0 ^
    proto=TCP srcport=0 dstport=53
netsh routing ip add filter name="%MyIf%" filtertype=INPUT ^
    srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=%MyIp% dstmask=%MyMk% ^
    proto=TCP-EST srcport=53 dstport=0

: Rules for MyIp as an Internet server (http, smtp, pop3 and ts)

:// enable http requests from Any to MyIp
netsh routing ip add filter name="%MyIf%" filtertype=INPUT ^
    srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=%MyIp% dstmask=%MyMk% ^
    proto=TCP srcport=0 dstport=80
netsh routing ip add filter name="%MyIf%" filtertype=INPUT ^
    srcaddr=%MyIp% srcmask=%MyMk% dstaddr=0.0.0.0 dstmask=0.0.0.0 ^
    proto=TCP-EST srcport=80 dstport=0

:// enable smtp requests from Any to MyIp
netsh routing ip add filter name="%MyIf%" filtertype=INPUT ^
    srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=%MyIp% dstmask=%MyMk% ^
    proto=TCP srcport=0 dstport=25
netsh routing ip add filter name="%MyIf%" filtertype=INPUT ^
    srcaddr=%MyIp% srcmask=%MyMk% dstaddr=0.0.0.0 dstmask=0.0.0.0 ^
    proto=TCP-EST srcport=25 dstport=0

:// enable pop3 requests from Any to MyIp
netsh routing ip add filter name="%MyIf%" filtertype=INPUT ^
    srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=%MyIp% dstmask=%MyMk% ^
    proto=TCP srcport=0 dstport=110
netsh routing ip add filter name="%MyIf%" filtertype=INPUT ^
    srcaddr=%MyIp% srcmask=%MyMk% dstaddr=0.0.0.0 dstmask=0.0.0.0 ^
    proto=TCP-EST srcport=110 dstport=0

:// enable terminal server requests from Any to MyIp
netsh routing ip add filter name="%MyIf%" filtertype=INPUT ^
    srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=%MyIp% dstmask=%MyMk% ^
    proto=TCP srcport=0 dstport=3389
netsh routing ip add filter name="%MyIf%" filtertype=INPUT ^
    srcaddr=%MyIp% srcmask=%MyMk% dstaddr=0.0.0.0 dstmask=0.0.0.0 ^
    proto=TCP-EST srcport=3389 dstport=0

endlocal
---------------------------

Note that the last rule can be more restrictive, as:

:// enable terminal server requests from A SPECIFIC IP (here say 2.3.4.5) to MyIp
netsh routing ip add filter name="%MyIf%" filtertype=INPUT ^
    srcaddr=2.3.4.5 srcmask=255.255.255.255 dstaddr=%MyIp% dstmask=%MyMk% ^
    proto=TCP srcport=0 dstport=3389
netsh routing ip add filter name="%MyIf%" filtertype=INPUT ^
    srcaddr=%MyIp% srcmask=%MyMk% dstaddr=2.3.4.5 dstmask=255.255.255.255 ^
    proto=TCP-EST srcport=3389 dstport=0

to enable only 2.3.4.5/255.255.255.255 to access your server via terminal
server. Or use more than one similar rule for multiple 'admin IPs', which can
be subnets (i.e. one admin at 2.3.4.5/255.255.255.255 and all admins from
3.4.5.0/255.255.255.192, and so on).

Francis

-----Original message-----
From: jhon wong [mailto:[EMAIL PROTECTED]
Sent: Saturday 27 September 2003 04:12
To: [EMAIL PROTECTED]
Subject: [xmail] Re: question about RDNS

Francis,

Thanks for your guide. I am not familiar with firewall settings, so I am
asking you more questions here. If my server is only used as a POP3, SMTP,
WWW server, and additionally terminal service, I plan to set up the Input
Filter as follows:

  protocol: TCP (destination port: 25, 110, 80, 3389)
            TCP (established)
            UDP (source port: 42) for dns

Is that OK? And NetBIOS will not exist, right?

> - option 3 : 'BETTER' solution : install Routing and RAS (included in
> Windows 2k server) (minimum the routing part)
> To install Routing and RAS, launch the 'Routing and Remote Access' console
> manager from Administrative Tools
> Select your server, right click it and select 'install/configure rras'
> Choose 'routing' only
> When it becomes installed and running, in the rras mmc console, go to
> 'General' in 'IP routing'; you will see your connections
> Right click the Internet connection
> In the 'General' tab you have two buttons: Input filters and Output filters
> Select if you want 'allow all except' or 'deny all except' (it is here the
> 'basic' functionality: you just can't mix allow and deny, but if you put
> good rules here, you have a perfect firewall at final setup!!)
>
> Even if I currently have a separate firewall running, I always used this
> feature to protect my exposed w2k systems (do you fully trust your
> firewall? is your firewall always secure? or doesn't it have bugs ...)
>
> Francis
>

-
To unsubscribe from this list: send the line "unsubscribe xmail" in
the body of a message to [EMAIL PROTECTED]
For general help: send the line "help" in the body of a message to
[EMAIL PROTECTED]
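As an added example that is not part of the thread, here is a small Python model of Francis's "drop all except" filter table, useful for checking which packets a rule set lets through before applying it with netsh (it answers the NetBIOS question: nothing in the table matches ports 137-139 or 445, and the UDP reply rule only matches source port 53, not 42). The RRAS matching semantics (port 0 and mask 0.0.0.0 mean "any"; TCP-EST matches only an already established TCP flow, never a bare SYN) and the sample addresses are assumptions of this example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Constructed values standing in for the batch variables MyIp / MyMk above.
MY_IP, MY_MK = "1.2.3.4", "255.255.255.255"
ANY, ANY_MK = "0.0.0.0", "0.0.0.0"
ADMIN_IP = "2.3.4.5"  # the "specific admin IP" of the restrictive variant

@dataclass(frozen=True)
class Filter:
    srcaddr: str; srcmask: str; dstaddr: str; dstmask: str
    proto: str; srcport: int; dstport: int

@dataclass(frozen=True)
class Packet:
    src: str; dst: str; proto: str; sport: int; dport: int
    syn: bool = False  # True for a new-connection SYN, False for an established flow

def _addr_ok(addr: str, mask: str, ip: str) -> bool:
    # netsh idiom: mask 0.0.0.0 means "any address"
    return mask == ANY_MK or IPv4Address(ip) in IPv4Network(f"{addr}/{mask}", strict=False)

def matches(f: Filter, p: Packet) -> bool:
    # Assumed RRAS semantics: TCP-EST matches only an established flow (no bare SYN); port 0 = any port
    if f.proto == "TCP-EST":
        if p.proto != "TCP" or p.syn:
            return False
    elif f.proto != p.proto:
        return False
    return (_addr_ok(f.srcaddr, f.srcmask, p.src) and _addr_ok(f.dstaddr, f.dstmask, p.dst)
            and f.srcport in (0, p.sport) and f.dstport in (0, p.dport))

def allowed(filters: list[Filter], p: Packet) -> bool:
    """filtertype=INPUT action=DROP: a packet passes only if some filter matches."""
    return any(matches(f, p) for f in filters)

def build_filters(admin_only_rdp: bool = False) -> list[Filter]:
    """The posted table: DNS as a client, then HTTP/SMTP/POP3/TS as a server."""
    fs = [Filter(MY_IP, MY_MK, ANY, ANY_MK, "UDP", 0, 53),
          Filter(ANY, ANY_MK, MY_IP, MY_MK, "UDP", 53, 0),
          Filter(MY_IP, MY_MK, ANY, ANY_MK, "TCP", 0, 53),
          Filter(ANY, ANY_MK, MY_IP, MY_MK, "TCP-EST", 53, 0)]
    for port in (80, 25, 110):
        fs += [Filter(ANY, ANY_MK, MY_IP, MY_MK, "TCP", 0, port),
               Filter(MY_IP, MY_MK, ANY, ANY_MK, "TCP-EST", port, 0)]
    # Terminal server: open to Any, or (restrictive variant) only to the admin IP
    src, mk = (ADMIN_IP, MY_MK) if admin_only_rdp else (ANY, ANY_MK)
    fs += [Filter(src, mk, MY_IP, MY_MK, "TCP", 0, 3389),
           Filter(MY_IP, MY_MK, src, mk, "TCP-EST", 3389, 0)]
    return fs
```

Call `allowed(build_filters(), Packet(...))` with the packets you expect to see to confirm the table does what you intend before running the batch.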