Francis, thank you. I just had a vacation and only got back today.
So I read your mail today. I find it very valuable.
I will practice as you guide.

Best regards,
Jhon.

----- Original Message -----
From: "CLEMENT Francis" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 30, 2003 3:08 PM
Subject: [xmail] W2K Filters settings (was Re: question about RDNS)


>
> Jhon,
>
> Your table is good except for DNS, which uses port 53.
>
> The final table has to look like this (formatted here as a batch using the
> netsh command line so it is easy to update and reapply).
> Some variables need to be defined at the start of the batch:
> MyIf = the name of your internet connection in RRAS (as you named it)
> MyIp = your computer's IP
> MyMk = your computer's mask
>
> The symbol '->' is used here to indicate a single-line continuation.
> So delete it and the
>
> (work based on a Microsoft article on filtering/securing servers)
>
> ---------------------------
>
> setlocal
> :: cmd assignment: no spaces around '=', or %MyIf% stays empty
> set MyIf=Internet
> set MyIp=1.2.3.4
> set MyMk=255.255.255.255
>
>   :: drop all packets except for those matching defined input filters
>   netsh routing ip set filter name="%MyIf%" filtertype=INPUT action=DROP
>
>   :: Rules for MyIp as an Internet client
>
>   :: enable DNS lookup requests from MyIp to Any and responses to MyIp from Any
>   netsh routing ip add filter name="%MyIf%" filtertype=INPUT ->
> srcaddr=%MyIp% srcmask=%MyMk% dstaddr=0.0.0.0 dstmask=0.0.0.0 ->
> proto=UDP srcport=0 dstport=53
>   netsh routing ip add filter name="%MyIf%" filtertype=INPUT ->
> srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=%MyIp% dstmask=%MyMk% ->
> proto=UDP srcport=53 dstport=0
>
>   :: enable DNS server referral requests from MyIp to Any and responses to
>   :: MyIp from Any
>   netsh routing ip add filter name="%MyIf%" filtertype=INPUT ->
> srcaddr=%MyIp% srcmask=%MyMk% dstaddr=0.0.0.0 dstmask=0.0.0.0 ->
> proto=TCP srcport=0 dstport=53
>   netsh routing ip add filter name="%MyIf%" filtertype=INPUT ->
> srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=%MyIp% dstmask=%MyMk% ->
> proto=TCP-EST srcport=53 dstport=0
>
>   :: Rules for MyIp as an Internet server (http, smtp, pop3 and ts)
>
>   :: enable http requests from Any to MyIp
>   netsh routing ip add filter name="%MyIf%" filtertype=INPUT ->
> srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=%MyIp% dstmask=%MyMk% ->
> proto=TCP srcport=0 dstport=80
>   netsh routing ip add filter name="%MyIf%" filtertype=INPUT ->
> srcaddr=%MyIp% srcmask=%MyMk% dstaddr=0.0.0.0 dstmask=0.0.0.0 ->
> proto=TCP-EST srcport=80 dstport=0
>
>   :: enable smtp requests from Any to MyIp
>   netsh routing ip add filter name="%MyIf%" filtertype=INPUT ->
> srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=%MyIp% dstmask=%MyMk% ->
> proto=TCP srcport=0 dstport=25
>   netsh routing ip add filter name="%MyIf%" filtertype=INPUT ->
> srcaddr=%MyIp% srcmask=%MyMk% dstaddr=0.0.0.0 dstmask=0.0.0.0 ->
> proto=TCP-EST srcport=25 dstport=0
>
>   :: enable pop3 requests from Any to MyIp
>   netsh routing ip add filter name="%MyIf%" filtertype=INPUT ->
> srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=%MyIp% dstmask=%MyMk% ->
> proto=TCP srcport=0 dstport=110
>   netsh routing ip add filter name="%MyIf%" filtertype=INPUT ->
> srcaddr=%MyIp% srcmask=%MyMk% dstaddr=0.0.0.0 dstmask=0.0.0.0 ->
> proto=TCP-EST srcport=110 dstport=0
>
>   :: enable terminal server requests from Any to MyIp
>   netsh routing ip add filter name="%MyIf%" filtertype=INPUT ->
> srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=%MyIp% dstmask=%MyMk% ->
> proto=TCP srcport=0 dstport=3389
>   netsh routing ip add filter name="%MyIf%" filtertype=INPUT ->
> srcaddr=%MyIp% srcmask=%MyMk% dstaddr=0.0.0.0 dstmask=0.0.0.0 ->
> proto=TCP-EST srcport=3389 dstport=0
>
> endlocal
>
> ---------------------------
>
>
> Note that the last rule can be made more restrictive, as:
>   :: enable terminal server requests from A SPECIFIC IP (here, say, 2.3.4.5)
>   :: to MyIp
>   netsh routing ip add filter name="%MyIf%" filtertype=INPUT ->
> srcaddr=2.3.4.5 srcmask=255.255.255.255 dstaddr=%MyIp% dstmask=%MyMk% ->
> proto=TCP srcport=0 dstport=3389
>   netsh routing ip add filter name="%MyIf%" filtertype=INPUT ->
> srcaddr=%MyIp% srcmask=%MyMk% dstaddr=2.3.4.5 dstmask=255.255.255.255 ->
> proto=TCP-EST srcport=3389 dstport=0
>
> to enable only 2.3.4.5/255.255.255.255 to access your server via terminal
> server. Or use more than one similar rule for multiple 'admin IPs', which can
> be subnets (i.e. one admin at 2.3.4.5/255.255.255.255 and all admins from
> 3.4.5.0/255.255.255.192, and so on).
>
> Francis
>
> -----Original Message-----
> From: jhon wong [mailto:[EMAIL PROTECTED]
> Sent: Saturday, 27 September 2003 04:12
> To: [EMAIL PROTECTED]
> Subject: [xmail] Re: question about RDNS
>
>
> Francis,
>     Thanks for your guidance. I am not familiar with firewall settings,
> so I am asking you more questions here. If my server is only used
> as a POP3, SMTP, WWW server, and additionally terminal services,
> I plan to set up the Input Filter as follows:
>     protocol: TCP (destination port: 25, 110, 80, 3389)
>               TCP (established)
>               UDP (source port: 42) for DNS
>
>    Is that OK? And NetBIOS will not exist, right?
>
>
> >
> > - option 3 : 'BETTER' solution : install Routing and RAS (included in
> > Windows 2k Server) (at minimum the routing part)
> > To install Routing and RAS, launch the 'Routing and Remote Access' console
> > manager from Administrative Tools
> > Select your server, right click it and select 'install/configure RRAS'
> > Choose 'routing' only
> > When it is installed and running, in the RRAS MMC console, go to
> > 'General' in 'IP routing'; you will see your connections
> > Right click the internet connection
> > In the 'General' tab you have two buttons: Input filters and Output
> > filters
> > Select whether you want 'allow all except' or 'deny all except' (this is
> > the 'basic' functionality, you just can't mix allow and deny, but if you
> > put good rules here, you have a perfect firewall at final setup!!)
> >
> > Even if I currently have a separate firewall running, I always use this
> > feature to protect my exposed W2K systems (do you fully trust your
> > firewall? Is your firewall always secure? Or doesn't it have bugs ...)
> >
> > Francis
> >
> >
>
>
>
> -
> To unsubscribe from this list: send the line "unsubscribe xmail" in
> the body of a message to [EMAIL PROTECTED]
> For general help: send the line "help" in the body of a message to
> [EMAIL PROTECTED]
>
>


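The filter table above is easy to get subtly wrong (a rule keyed on the wrong port, a reply rule written without TCP-EST, an admin subnet mask off by a bit), and RRAS gives no way to dry-run it. The following Python model is an added example, not code from the thread or from xmail: it rebuilds Francis's table as data, emits it as netsh commands, and runs a few constructed packets through it. The semantics it assumes (default DROP with any matching filter allowing the packet; proto=TCP-EST matching only TCP segments with ACK set; port 0 meaning any port), the interface name "Internet", the addresses 1.2.3.4, 2.3.4.5 and 3.4.5.0/26, and every packet are assumptions or constructed sample data, not taken from the mail.

```python
"""Added example (not from the xmail thread): a small model of the W2K RRAS
input-filter table posted above, used to check what the table lets through.

Assumptions, none of which come from the original mail: the filter is modelled
as "default action DROP, any matching filter allows"; a proto=TCP-EST filter is
taken to match only TCP segments with the ACK bit set (i.e. not a bare SYN);
port 0 means "any port". Addresses and packets below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = Tuple[str, str]                       # (address, mask) as netsh writes them
ANY: Net = ("0.0.0.0", "0.0.0.0")
MY_IF = "Internet"                          # RRAS interface name (assumed)
MY_IP, MY_MK = "1.2.3.4", "255.255.255.255"   # placeholders, as in the mail
ADMIN_IPS: List[Net] = [("2.3.4.5", "255.255.255.255"), ("3.4.5.0", "255.255.255.192")]


@dataclass(frozen=True)
class Rule:
    src: Net
    dst: Net
    proto: str       # "UDP", "TCP" or "TCP-EST"
    sport: int       # 0 = any
    dport: int       # 0 = any


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "UDP" or "TCP"
    sport: int
    dport: int
    ack: bool = True  # TCP ACK bit; False for the SYN that opens a connection


def in_net(addr: str, net: Net) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net[0]}/{net[1]}", strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto == "TCP-EST":
        if pkt.proto != "TCP" or not pkt.ack:   # established only: a bare SYN never matches
            return False
    elif rule.proto != pkt.proto:
        return False
    if rule.sport and rule.sport != pkt.sport:
        return False
    if rule.dport and rule.dport != pkt.dport:
        return False
    return in_net(pkt.src, rule.src) and in_net(pkt.dst, rule.dst)


def verdict(rules: List[Rule], pkt: Packet) -> str:
    """Default DROP: the packet passes only if some input filter matches it."""
    return "ALLOW" if any(matches(r, pkt) for r in rules) else "DROP"


def build_rules(my_ip: str = MY_IP, my_mk: str = MY_MK,
                admin_ips: Optional[List[Net]] = None) -> List[Rule]:
    """The table from the mail: DNS as a client; HTTP/SMTP/POP3/TS as a server."""
    me: Net = (my_ip, my_mk)
    rules = [Rule(me, ANY, "UDP", 0, 53), Rule(ANY, me, "UDP", 53, 0),
             Rule(me, ANY, "TCP", 0, 53), Rule(ANY, me, "TCP-EST", 53, 0)]
    for port in (80, 25, 110):               # inbound SYN to the service, replies via TCP-EST
        rules += [Rule(ANY, me, "TCP", 0, port), Rule(me, ANY, "TCP-EST", port, 0)]
    for src in (admin_ips or [ANY]):         # terminal server: open, or admin sources only
        rules += [Rule(src, me, "TCP", 0, 3389), Rule(me, src, "TCP-EST", 3389, 0)]
    return rules


def to_netsh(rules: List[Rule], my_if: str = MY_IF) -> List[str]:
    """Emit the same table as netsh commands, one full command per line."""
    out = [f'netsh routing ip set filter name="{my_if}" filtertype=INPUT action=DROP']
    for r in rules:
        out.append(f'netsh routing ip add filter name="{my_if}" filtertype=INPUT '
                   f'srcaddr={r.src[0]} srcmask={r.src[1]} dstaddr={r.dst[0]} dstmask={r.dst[1]} '
                   f'proto={r.proto} srcport={r.sport} dstport={r.dport}')
    return out


def demo() -> dict:
    """Constructed packets run against the admin-restricted table."""
    rules = build_rules(admin_ips=ADMIN_IPS)
    dns_reply = Packet("9.9.9.9", MY_IP, "UDP", 53, 1025)
    cases = {
        "dns_reply": dns_reply,
        "smtp_syn": Packet("5.6.7.8", MY_IP, "TCP", 40000, 25, ack=False),
        "netbios_syn": Packet("5.6.7.8", MY_IP, "TCP", 40001, 139, ack=False),
        "rdp_stranger": Packet("5.6.7.8", MY_IP, "TCP", 40002, 3389, ack=False),
        "rdp_admin_subnet": Packet("3.4.5.33", MY_IP, "TCP", 40003, 3389, ack=False),
        "syn_from_port_80": Packet("5.6.7.8", MY_IP, "TCP", 80, 40004, ack=False),
    }
    result = {name: verdict(rules, p) for name, p in cases.items()}
    # A DNS reply rule keyed on UDP source port 42 instead of 53 would not pass the reply.
    result["dns_reply_port42_rule"] = verdict([Rule(ANY, (MY_IP, MY_MK), "UDP", 42, 0)], dns_reply)
    return result


if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{name:24s} {v}")
    print("\n".join(to_netsh(build_rules(admin_ips=ADMIN_IPS))))
```

Running it prints the verdicts and the generated netsh lines. The two cases worth noticing are "syn_from_port_80" (a SYN arriving with source port 80 is dropped because the reply rule is TCP-EST, which is exactly why the reply rules are not plain TCP) and "dns_reply_port42_rule" (the source-port-42 rule from the earlier plan never matches a real DNS answer, which comes from port 53).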