W2K Server TCP/IP Filtering - what ports to leave open

[George Mizzell]

In light of all the recent flurry of activity I was wondering why not enable
TCP/IP filtering and allow only TCP port 80 and the FTP port and email port
to get through the adapter? Also, what UDP ports would be necessary to
leave open?

I know the first question is "what are you using it for?" This is my basic
server that simply functions as a network server for my home network. It
hosts a few shared folders and a private network on the second ethernet card
and the first one is a static IP directly connected to the ISP. I may allow
from time to time some files to be accessed from my website that is hosted
remotely by a specialized web hosting company and I do all of my web design
locally and upload through ftp using dreamweaver to the main website. We
have about 6 pcs attached to the network and all family users with kids who
love the instant message service. Based on this info what TCP and UDP ports
would I need to leave open.

Thanks
George Mizzell

 

[Steven L Umbach]

Hi George. Ip filtering filters inbound traffic only by port number and is most
suitable for dedicated servers. You would be far better served with a SPI firewall
like the one Netgear sells for around $75. It can fend off a lot of attacks "at the
gate" . Common ports for internet access to servers - ftp 20 and 21, http 80, https
443, smtp 25, pop 110, nntp 119, dns 53 udp [tcp zone transfers]. --- Steve

 

[George Mizzell]

Steve

Thanks - those are the main ones I knew about. I was thinking that I could
set the IP filtering to only accept these ports (except the DNS - I don't do
any zone transfers with my ISP). I already have a neat firewall - Black Ice
which blocks based on IP addresses and based on what it thinks is an Attack.
However, it was not stopping ports 135, 137-139 or 443 and so I was getting
some pesky outfits who were annoying me with ads through port 135 telling me
to by their software and it would stop them from being jerks. (Like that
marketing technique is going to work).

I just know that if I block everything except those ports and then something
doesn't work, I won't know it nor will I know what port it was associated
with. I am only concerned with incoming traffic - all outbound traffic will
be from me or my kids so I am not worrying about them.

Thanks
George

Hi George. Ip filtering filters inbound traffic only by port number and is most
suitable for dedicated servers. You would be far better served with a SPI firewall
like the one Netgear sells for around $75. It can fend off a lot of attacks "at the
gate" . Common ports for internet access to servers - ftp 20 and 21, http 80, https
443, smtp 25, pop 110, nntp 119, dns 53 udp [tcp zone transfers]. --- Steve

In light of all the recent flurry of activity I was wondering why not enable
TCP/IP filtering and allow only TCP port 80 and the FTP port and email port
to get through the adapter? Also, what UDP ports would be necessary to
leave open?

I know the first question is "what are you using it for?" This is my basic
server that simply functions as a network server for my home network. It
hosts a few shared folders and a private network on the second ethernet card
and the first one is a static IP directly connected to the ISP. I may allow
from time to time some files to be accessed from my website that is hosted
remotely by a specialized web hosting company and I do all of my web design
locally and upload through ftp using dreamweaver to the main website. We
have about 6 pcs attached to the network and all family users with kids who
love the instant message service. Based on this info what TCP and UDP ports
would I need to leave open.

Thanks
George Mizzell

 

[George Mizzell]

Steve

That is a great idea - I had not thought about the file and print services
on the NIC. You just can't seem to think of everything. I will take care
of that and test it and see how it works. I know Black Ice will handle
their part - I just view the filtering as adding another layer of
complexity. Thanks again.

George

Actually those ports I listed are what you may need for outbound access, not
inbound. For instance ip filtering port 80 would make sense if you had a web server
on your computer, but not for accessing the internet from your web browsers. In your
situation, I believe you could block all inbound access and Black Ice would open
proper inbound ports for return trips from web sites, etc dynamically and close them
when the session is done by tracking the "state" of the connection. The personal
firewalls like Black Ice, have settings for "trusted networks" which would be your
lan of home computers. Configure it to allow file and print sharing for the trusted
network only [usually 192.168.xxx.xxx network range]. You can also should
disable/uninstall file and print sharing on the nic connected to the internet. ---
Steve

Steve

Thanks - those are the main ones I knew about. I was thinking that I could
set the IP filtering to only accept these ports (except the DNS - I don't do
any zone transfers with my ISP). I already have a neat firewall - Black Ice
which blocks based on IP addresses and based on what it thinks is an Attack.
However, it was not stopping ports 135, 137-139 or 443 and so I was getting
some pesky outfits who were annoying me with ads through port 135 telling me
to by their software and it would stop them from being jerks. (Like that
marketing technique is going to work).

I just know that if I block everything except those ports and then something
doesn't work, I won't know it nor will I know what port it was associated
with. I am only concerned with incoming traffic - all outbound traffic will
be from me or my kids so I am not worrying about them.

Thanks
George

Hi George. Ip filtering filters inbound traffic only by port number

and is
most

suitable for dedicated servers. You would be far better served with a

SPI
firewall

like the one Netgear sells for around $75. It can fend off a lot of attacks "at the
gate" . Common ports for internet access to servers - ftp 20 and 21,

http
80, https

443, smtp 25, pop 110, nntp 119, dns 53 udp [tcp zone

ansfers]. ---
Steve

In light of all the recent flurry of activity I was wondering why

not
enable

TCP/IP filtering and allow only TCP port 80 and the FTP port and

email
port

to get through the adapter? Also, what UDP ports would be necessary to
leave open?

I know the first question is "what are you using it for?" This is

my
basic

server that simply functions as a network server for my home

network.
It

hosts a few shared folders and a private network on the second

ethernet
card

and the first one is a static IP directly connected to the ISP. I

may
allow

from time to time some files to be accessed from my website that is hosted
remotely by a specialized web hosting company and I do all of my web design
locally and upload through ftp using dreamweaver to the main

website.
We

have about 6 pcs attached to the network and all family users with

kids
who

love the instant message service. Based on this info what TCP and

UDP
ports

would I need to leave open.

Thanks
George Mizzell

 

[Colin Newman]

This is my question in a more complex guise. We just need
to block a couple of ports according to the instructions
but the filter doesn't let us do that directly.

 

[George Mizzell]

Colin

As I understand this filtering in W2K server - it only works to either
accept ONLY or reject ONLY and does not specifically block selected ports.
As I recall its intent is pertaining to web servers and instead of needing a
firewall you can allow ONLY port 80 traffic or an exchange server can ONLY
allow port 25. For selecting a couple of ports to block you need a firewall
program.

Hope this helps a little
George

 

[Steven L Umbach]

You don't have to know all the ports that cause the problem. Whatever one
uses, firewall or ipsec filtering, the best approach to take is to create a default
"deny all" rule for inbound access and then create exceptions to the rule. For an
average user, there will not be any open inbound access ports. The firewall then will
open outbound ports for approved applications/protocols and only allow traffic back
in in response to the initiated connection by tracking the state of the
onnection. --- Steve

I don't know how similar Win 2K Pro is to W2K Server, but if they are, then you can

accomplish the filtering that you

want via Control Panel/Administrative Tools/Local Security Policy/IP Security

Policies on Local Machine (IP Sec).

Here you would have to create a "policy" which would be a combination of Filters,

which in turn is a combination of

Filter Rules grouped with a filter (e.g. Block or Permit). For Blaster, I have used a filter that blocks the
particular ports that it uses together with a default filter that lets remaining IP

traffic through according to the

default scheme.

See my earlier post in this newsgroup entitled "Win 2K Pro Service Pack 1 and

Blaster" for some additional info.

Notice, however, that the different companies are at odds over which ports are used

for the attack. This, of course,

begs the question of how thoroughly was the virus reviewed by the individual

companies and the concomitant question

of how effective is the patch for future variants? I have not installed the patch

but by blocking the union of all