W2K TCP/IP Filtering

Steve

I have a new w2k web server getting ready to go online,
and I'm having some problems with the tcp/ip filtering.
Following the guide at http://www.shebeen.com/w2k/ for
basic hardening, I've enabled TCP/IP filtering. Problem
is that it seems to break the connection to our DNS
servers (internet DNS servers with IPs specified in the
TCP/IP address properties). When I disable the TCP/IP
filtering, everything works as it should.

The settings are:
TCP permit only: 22, 80, 443, 3389
UDP permit only: 161, 162
Protocols: 6, 8

I know if I was running DNS on this machine, I'd need 53
open, but I'm not sure why the filtering is blocking name
resolution when connecting to an outside dns server.
 
Steven L Umbach

It should not interfere with internet users accessing your website, but my guess is
that you are trying to access the internet from that computer. I bet if you leave
tcp/ip filtering enabled but select permit all for just UDP it will work. The reason
is that tcp/ip filtering is somewhat stateful for TCP but not UDP: for TCP it
knows that a return response was initiated from your computer and allows it in, while
for UDP it does not, which blocks return UDP packets from the ISP dns server with the name
resolution request. --- Steve
 
posivibe

Open UDP ports 1023-1025. Your server uses high udp ports to make the
DNS request to port 53 and needs them open to get the response.


-
posivib
 
posivibe

actually 1023-1030 works better as it gives you a few more origin ports
to work with


-
posivib
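The two explanations in this thread (Steven L Umbach's point that the filter tracks return traffic for TCP but not for UDP, and posivibe's workaround of permitting a small range of high UDP ports) can be checked against a toy model of the filter. The script below is an added illustration and is not Windows 2000 code or anything from the thread; it models the behaviour the posts describe (outbound never filtered, inbound TCP allowed when it answers a connection the host opened, inbound UDP checked only against the permit list) and runs the original settings, the "permit all UDP" setting and the 1023-1030 range through a DNS lookup and an inbound web hit. The IP addresses and the ephemeral source ports are constructed; real Windows 2000 assigns the query's source port from its own dynamic range, so a fixed UDP range only helps while the stack picks a port inside it, which the last case shows.

```python
"""Toy model of a host packet filter with the TCP-vs-UDP behaviour described
in the thread.  Added example: not Windows 2000 code, just the rules the
posts describe, so the effect of each setting can be seen on sample flows."""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

Flow = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    inbound: bool     # True when the packet arrives at the filtered host


@dataclass
class HostFilter:
    tcp_permit: Optional[Set[int]]   # None means "permit all"
    udp_permit: Optional[Set[int]]
    # TCP connections the host itself started (no such table for UDP)
    _open_tcp: Set[Flow] = field(default_factory=set)

    def allow(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            # Outbound packets are never filtered; remember TCP connections we open.
            if pkt.proto == "tcp":
                self._open_tcp.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        if pkt.proto == "tcp":
            # Reply to a connection this host initiated: allowed regardless of the list.
            if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self._open_tcp:
                return True
            return self.tcp_permit is None or pkt.dst_port in self.tcp_permit
        if pkt.proto == "udp":
            # No state for UDP: the reply must land on a permitted local port.
            return self.udp_permit is None or pkt.dst_port in self.udp_permit
        return False


# Constructed addresses (documentation ranges), not anything from the thread.
HOST, DNS, CLIENT = "192.0.2.10", "198.51.100.53", "203.0.113.7"


def dns_reply_allowed(flt: HostFilter, ephemeral_port: int) -> bool:
    """UDP query from a high source port to the ISP resolver; does the answer get in?"""
    flt.allow(Packet("udp", HOST, ephemeral_port, DNS, 53, inbound=False))
    return flt.allow(Packet("udp", DNS, 53, HOST, ephemeral_port, inbound=True))


def outbound_tcp_reply_allowed(flt: HostFilter, ephemeral_port: int) -> bool:
    """Same exchange over TCP (the server itself fetching something on port 80)."""
    flt.allow(Packet("tcp", HOST, ephemeral_port, CLIENT, 80, inbound=False))
    return flt.allow(Packet("tcp", CLIENT, 80, HOST, ephemeral_port, inbound=True))


def inbound_web_allowed(flt: HostFilter) -> bool:
    """An internet visitor opening a connection to the web server on 443."""
    return flt.allow(Packet("tcp", CLIENT, 40000, HOST, 443, inbound=True))


def original_config() -> HostFilter:
    """The settings from the question: TCP 22,80,443,3389 and UDP 161,162."""
    return HostFilter(tcp_permit={22, 80, 443, 3389}, udp_permit={161, 162})


def udp_permit_all_config() -> HostFilter:
    """Umbach's suggestion: keep the TCP list, permit all for UDP."""
    return HostFilter(tcp_permit={22, 80, 443, 3389}, udp_permit=None)


def udp_range_config(lo: int = 1023, hi: int = 1030) -> HostFilter:
    """posivibe's suggestion: add a small range of high UDP ports."""
    return HostFilter(tcp_permit={22, 80, 443, 3389},
                      udp_permit={161, 162} | set(range(lo, hi + 1)))


if __name__ == "__main__":
    print("original   inbound 443 :", inbound_web_allowed(original_config()))
    print("original   tcp reply   :", outbound_tcp_reply_allowed(original_config(), 1024))
    print("original   dns reply   :", dns_reply_allowed(original_config(), 1024))
    print("udp all    dns reply   :", dns_reply_allowed(udp_permit_all_config(), 1024))
    print("1023-1030  dns, port 1024:", dns_reply_allowed(udp_range_config(), 1024))
    print("1023-1030  dns, port 1031:", dns_reply_allowed(udp_range_config(), 1031))
```

Run as a script it prints the six cases: the web server stays reachable and the host's own TCP replies come back under the original settings, but the DNS answer is dropped until UDP is either opened fully or the reply's destination port falls inside the permitted range. The last line is the caveat for the range workaround: a query sent from port 1031 is dropped with 1023-1030 permitted, so the range must cover whatever source ports the stack actually uses.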
 