[ale] Open Source Firewall for Windows 2000/XP?
Jonathan Glass
jonathan.glass at ibb.gatech.edu
Tue Jun 8 09:15:13 EDT 2004
Let me restate that. The Windows Firewall I mentioned was using IP
security policies to restrict all incoming traffic, not IPSEC. I
abbreviated improperly.
The problem here is that when you are using IP security policies in
2000/XP, despite what policies you set (deny all incoming), the Windows
default behavior is to accept all traffic with a source port of
500|88|(others).
Sorry for the miscommunication.
Jonathan Glass
On Tue, 2004-06-08 at 07:38, Geoffrey wrote:
> Jonathan Glass wrote:
>
> > Correction: Microsoft and ISS have announced a hole in IPSEC filtering.
> > Any packet with a source port of 88 or 500 (a whole list, actually)
> > automatically gets passed through the IPSEC firewalls, regardless of your
> > rulesets. According to M$, IPSEC is not intended to be a firewall.
> > Please visit http://www.ibb.gatech.edu/~jglass/tips-n-tricks/windowsipsec/
> > for details.
>
> That makes no sense to me. You would use a firewall to permit or deny
> ipsec packets right? So are you saying that if you attempt to permit
> ipsec through a M$ firewalled box, it creates a vulnerability?
>
> IPSEC was not intended to be a firewall, but a secure way to pass data
> across a public network.
>
> What am I missing?
>
> > Geesh, they can't even get packet filtering right!
>
> Agreed, but I'm still trying to make sense of the 'IPSEC is not
> intended to be a firewall' statement.
--
Jonathan Glass
Systems Support Specialist II
Institute for Bioengineering & Bioscience
Georgia Institute of Technology
Email: jonathan.glass at ibb.gatech.edu
Office: 404-385-0127
Fax: 404-894-2291
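The source-port exemption Jonathan describes, turned into a simple defender-side log check (an added example, not code from this thread; the log line format, the service-port list and the "reply goes to an ephemeral port" heuristic are assumptions):

```python
"""Flag inbound packets that would slip past a deny-all IP security policy
via the source-port exemption discussed in the thread (source port 88 or 500).

Heuristic (assumption): a genuine IKE or Kerberos reply comes from port
500/88 to the ephemeral port our host chose, whereas an unsolicited packet
riding the exemption is aimed at a listening service port. So an inbound
packet with source port 88/500 and a low or well-known destination port is
the combination worth alerting on.
"""
from dataclasses import dataclass

EXEMPT_SOURCE_PORTS = {88, 500}        # ports the thread says are passed regardless of rules
SERVICE_PORTS = {135, 139, 445, 3389}  # listening services on a typical 2000/XP host (assumption)


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    proto: str       # "tcp" or "udp"
    src_port: int
    dst_port: int


def is_suspicious(pkt: Packet) -> bool:
    """True when an inbound packet uses an exempt source port to reach a service port."""
    if pkt.direction != "in" or pkt.src_port not in EXEMPT_SOURCE_PORTS:
        return False
    # Real IKE negotiation is UDP 500 -> 500; leave it alone.
    if pkt.proto == "udp" and pkt.src_port == 500 and pkt.dst_port == 500:
        return False
    return pkt.dst_port < 1024 or pkt.dst_port in SERVICE_PORTS


def parse_line(line: str) -> Packet:
    """Parse one constructed log line of the form '<dir> <proto> <src> -> <dst>'."""
    direction, proto, src, _, dst = line.split()
    return Packet(direction, proto.lower(), int(src), int(dst))


def scan(lines):
    """Return the packets from the log that match the exemption-abuse pattern."""
    return [pkt for pkt in map(parse_line, lines) if is_suspicious(pkt)]


# Constructed sample log, not real traffic.
SAMPLE_LOG = [
    "in udp 500 -> 500",    # normal IKE negotiation
    "in udp 88 -> 1034",    # Kerberos reply to our ephemeral port
    "in tcp 500 -> 445",    # exempt source port aimed at SMB: flagged
    "in tcp 88 -> 3389",    # exempt source port aimed at RDP: flagged
    "out tcp 1035 -> 80",   # outbound, ignored
    "in tcp 40000 -> 135",  # the ordinary deny-all rule handles this one
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"suspicious: src {hit.src_port} -> dst {hit.dst_port} ({hit.proto})")
```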