4 stupid WINDOWS FIREWALL questions

Guest

Hello all,

I have 4 quick questions....

All relating to WINDOWS FIREWALL

1. I am currently using it on a Windows Server 2003 (we are progressing to a
hardware system - but, not quite there yet) - AM I CRAZY for doing that???

2. Within the pfirewall.log file: if my SERVER is NOT the dst-ip, then those
blocked packets were never intended to come to my server, correct? - were
they just BROADCAST packets, that were caught by my firewall?

3. the dst-port is the port that the packets were TRYING to access on my
server, correct?

4. In windows firewall, under CHANGE Scope - is MY NETWORK SUBNET, every
computer that matches my first 3 numbers??? of the server??? Example: my
server might be 24.26.123.48, but, we have a lot of DYNAMIC users using
24.10.*.* .. IN THE SAME BUILDING .... are they members of MY SUBNET .. or
only users that start with 24.26.123.*

thanks....
 
Leythos

If your server has a 24.x address then it's directly connected to a
public internet connection, this is BAD.

Why do your users have a 24.x address also?

Have you never read about NAT Routers? Even a cheap NAT device will
protect your server from the masses.

Anyone inside a company/building sharing resources, should NOT be using
PUBLIC IPs on their LAN, the very least you should be doing is setting
up a cheap NAT appliance to act as the first barrier device.

As for your subnet, you didn't tell us the MASK, so we can't tell if
they are in your subnet or not.
 
Guest

The IP addresses were 'fictional' .. we are at a university... so, we do have
UNIVERSITY wide addresses... I am not as worried about the specifics of the IP
addresses as how the windows firewall controls the 'LOCAL SUBNET' in its
scope settings???

NAT routers are not an option due to our LARGE building and built in network
drops.. etc....

the subnet mask for all of our systems is 255.248.0.0

the 'fictional' SERVER IP is 38.88.8.6

some 'fictional' workstations are in the 38.88.8.* range

but other 'fictional' workstations are in a 38.10.*.* range
 
Steven L Umbach

The Windows Firewall is a good firewall if your needs are only to block
inbound traffic that is not in response to traffic your server generated
knowingly or not to you. BUT any software/host firewall is subject to
failure by being disabled by malware or software conflict which can be more
likely in a consumer computer. That may never happen to you or the majority
of users but is something to consider and why a hardware device needs to be
the first line of defense as you intend to do. So you can use the Windows
Firewall but check its status and configuration regularly which can easily
be done with the command netsh firewall show state/config.

If your server is not the destination IP then it should not even process the
traffic other than broadcast or multicast. IP addresses ending in .255 are
broadcast traffic and those starting with 224-247 are multicast. The host
computers on your network are determined by the subnet mask. If your subnet
mask is 255.255.0.0 then the network is the first two octets and the hosts
are the last two octets. For 255.255.255.0 the network is the first three
octets and the hosts are the last octet. For 255.0.0.0 the network is the
first octet and the hosts are the last three octets. If you are using a custom
subnet then you will have to calculate the range for the hosts. In your
example if the network is 24.0.0.0 with a subnet mask of 255.0.0.0 then yes
they are all on the same subnet which would be typical for a class A network
with default subnet mask.

Try pinging an IP or pinging your server from another computer. Doing that
and then reviewing the firewall log for events that happen at the time stamp
corresponding to those pings will give you a good idea of what the
source/destination IPs are.

Steve
 
Leythos

Using your 38.88 and a mask of 255.240.0.0 (/13) you would have the
following subnets/networks:

Network     From/Start  TO/End          Broadcast
38.0.0.0    38.0.0.1    38.7.255.254    38.7.255.255

38.8.0.0    38.8.0.1    38.15.255.254   38.15.255.255

38.16.0.0   38.16.0.1   38.23.255.254   38.23.255.255
38.24.0.0   38.24.0.1   38.31.255.254   38.31.255.255
38.32.0.0   38.32.0.1   38.39.255.254   38.39.255.255
38.40.0.0   38.40.0.1   38.47.255.254   38.47.255.255
38.48.0.0   38.48.0.1   38.55.255.254   38.55.255.255
38.56.0.0   38.56.0.1   38.63.255.254   38.63.255.255
38.64.0.0   38.64.0.1   38.71.255.254   38.71.255.255
38.72.0.0   38.72.0.1   38.79.255.254   38.79.255.255
38.80.0.0   38.80.0.1   38.87.255.254   38.87.255.255

38.88.0.0   38.88.0.1   38.95.255.254   38.95.255.255

38.96.0.0   38.96.0.1   38.103.255.254  38.103.255.255
38.104.0.0  38.104.0.1  38.111.255.254  38.111.255.255
38.112.0.0  38.112.0.1  38.119.255.254  38.119.255.255
38.120.0.0  38.120.0.1  38.127.255.254  38.127.255.255
38.128.0.0  38.128.0.1  38.135.255.254  38.135.255.255
38.136.0.0  38.136.0.1  38.143.255.254  38.143.255.255
38.144.0.0  38.144.0.1  38.151.255.254  38.151.255.255
38.152.0.0  38.152.0.1  38.159.255.254  38.159.255.255
38.160.0.0  38.160.0.1  38.167.255.254  38.167.255.255
38.168.0.0  38.168.0.1  38.175.255.254  38.175.255.255
38.176.0.0  38.176.0.1  38.183.255.254  38.183.255.255
38.184.0.0  38.184.0.1  38.191.255.254  38.191.255.255
38.192.0.0  38.192.0.1  38.199.255.254  38.199.255.255
38.200.0.0  38.200.0.1  38.207.255.254  38.207.255.255
38.208.0.0  38.208.0.1  38.215.255.254  38.215.255.255
38.216.0.0  38.216.0.1  38.223.255.254  38.223.255.255
38.224.0.0  38.224.0.1  38.231.255.254  38.231.255.255
38.232.0.0  38.232.0.1  38.239.255.254  38.239.255.255
38.240.0.0  38.240.0.1  38.247.255.254  38.247.255.255
38.248.0.0  38.248.0.1  38.255.255.254  38.255.255.255
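
Added example (not part of the original thread, and not code from any poster): a Python sketch that applies the mask 255.248.0.0 to the 'fictional' addresses to decide local-subnet membership, and classifies the dst-ip of dropped pfirewall.log entries as unicast to the server, broadcast or multicast. The log lines are constructed samples and the function names are this example's own.

```python
import ipaddress

# Assumed from the thread's 'fictional' addressing: server IP and subnet mask.
SERVER = ipaddress.ip_interface("38.88.8.6/255.248.0.0")
LOCAL_NET = SERVER.network  # network that contains the server under that mask

# Constructed sample entries in the space-separated pfirewall.log layout.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2006-03-01 10:15:02 DROP UDP 38.88.8.77 38.95.255.255 137 137 78 - - - - - - -
2006-03-01 10:15:05 DROP TCP 38.10.4.20 38.88.8.6 3201 445 48 S 1234567 0 64240 - - -
2006-03-01 10:15:09 DROP UDP 38.88.8.90 255.255.255.255 68 67 328 - - - - - - -
2006-03-01 10:15:11 DROP UDP 38.88.9.14 239.255.255.250 1900 1900 161 - - - - - - -
2006-03-01 10:15:20 OPEN TCP 38.88.8.6 38.88.8.77 1045 80 - - - - - - - -
"""

def in_local_subnet(addr):
    """True if addr shares the server's network under the configured mask."""
    return ipaddress.ip_address(addr) in LOCAL_NET

def classify_dst(dst):
    """Explain why a packet with this dst-ip reached the server's firewall."""
    ip = ipaddress.ip_address(dst)
    if ip == SERVER.ip:
        return "unicast-to-server"
    if ip == ipaddress.ip_address("255.255.255.255"):
        return "limited-broadcast"
    if ip == LOCAL_NET.broadcast_address:
        return "subnet-broadcast"
    if ip.is_multicast:
        return "multicast"
    return "other"

def parse_log(text):
    """Yield one dict per entry, keyed by the names on the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def summarize_drops(text):
    """(src-ip, source is in local subnet, dst-ip class, dst-port) per DROP."""
    return [(e["src-ip"], in_local_subnet(e["src-ip"]),
             classify_dst(e["dst-ip"]), e["dst-port"])
            for e in parse_log(text) if e["action"] == "DROP"]

if __name__ == "__main__":
    print("local subnet:", LOCAL_NET)
    for row in summarize_drops(SAMPLE_LOG):
        print(row)
```

With these values the 38.10.*.* source falls outside the server's network, so a rule scoped to the local subnet would not cover it.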
 
