[ale] Open Source Firewall for Windows 2000/XP?

Jonathan Glass jonathan.glass at ibb.gatech.edu
Tue Jun 8 12:54:46 EDT 2004


On Tue, 2004-06-08 at 11:14, Byron A Jeff wrote:
> On Tue, Jun 08, 2004 at 09:30:35AM -0400, Jonathan Glass wrote:
> - On Tue, 2004-06-08 at 09:27, Jonathan Glass wrote:
<snip>
> - Straight from the microsoft documentation on disabling this
> - kerberos-ipsec exemption:
> - http://tinyurl.com/3d8f4
> 
> Excellent.
> 
> I'm back with another question. First thanks to Jonathan for all the great
> info. I even discussed the issue in my Information Security class yesterday.
> 
> A few more questions came from that discussion: 
> 
> 1) Presuming that all ports are turned off, what is the consequence for a
> client only Windows machine that offers no services?

Should be minimal, since you're only restricting incoming
communication.  That being said, test and let me know!

> 2) Where can the cool script that you generated be put so that protection is
> automagically invoked when the machine is booted?

IIRC, this script is making changes to the registry, so you run it once,
and it stays set.

> 3) It seems that the scripts only block certain ports. Is it possible to
> specify blockage of all incoming ports (i.e. [*=0:*,TCP]?) Never mind I found
> it here:

Thanks for the info.

> ---------------------------------------------
> http://win2k.uwaterloo.ca/IP_Security/Servers_IPSEC.htm
> 
> example:
> ipsecpol -x -w reg -p "UW DC Policy" -r "TCP Blocked" -n BLOCK  -f *+0::TCP
> #The first blocks all TCP traffic to and from anywhere to the server where 
> #this is run.
> 
> A followup explanation of the filter specification:
> 
> Our Filter Explained:
> 
> '-f 129.97.*.*+0::TCP' defines a source mask of 129.97.*.* meaning from
> anywhere on campus.
> 
> The '+' mirrors the filter meaning source to destination and destination to
> source, [BAJ Note: use an '=' for a filter in a single direction]
> 
> The '0' defines our destination as the IP address of the workstation it's
> defined on,
> 
> and the port controlled is all TCP since there is no number between the two
> colons.
> ---------------------------------------------
> 
>  
> A bit overreaching, but gives enough information in order to tailor the
> policy.
> 
> I see two possible configs:
> 
> 1) Machine on unprotected network. All incoming ports (including port 500)
> closed. Would the machine function in this configuration?

Yes, with a possible problem in a domain configuration.  We had some
strange behavior when we blocked all incoming ports.  That's why there
is a hole for the local subnet for file and print sharing and RPC
traffic to the PDC & File servers.  I didn't have a great deal of time
to work with it, so I left it as you see it.

> 2) Machine on firewall protected network. What ports would need to be open 
> in order to get ordinary windows authentication and sharing services?

Should be port 135 for the RPC stuff, then 445 (2000/XP only network),
or 139 for a WinNT/9x network.

> Thanks for all the help Jonathan. Oh BTW the last name is Jeff, not Jeffy as
> you have in your acknowledgement on your web page.

Oops! Typo corrected.

> 
> BAJ
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale


-- 
Jonathan Glass
Systems Support Specialist II
Institute for Bioengineering & Bioscience
Georgia Institute of Technology
Email: jonathan.glass at ibb.gatech.edu
Office: 404-385-0127
Fax: 404-894-2291
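To make the quoted filter grammar concrete, here is an added Python decoder and matcher for ipsecpol-style `-f` specs (my example, not code from the thread or from ipsecpol itself). It handles only the forms explained above, represents the `0` "this workstation" convention with a caller-supplied `local_ip`, and treats a `+` mirrored filter as also covering the reverse flow, so you can check what a policy line such as `*+0::TCP` or `129.97.*.*=0:135:TCP` would cover before applying it.

```python
from dataclasses import dataclass
from typing import Optional

# Filter spec grammar as explained in the thread:  SRC[:SPORT]{+|=}DST[:DPORT]:PROTO
#   SRC/DST : '*' = anywhere, '0' = the workstation the policy is defined on,
#             or a dotted quad with '*' wildcards per octet (e.g. 129.97.*.*)
#   '+'     : mirrored (both directions); '=' : one direction only
#   empty port field = all ports of PROTO   (anything beyond this is an assumption)

@dataclass(frozen=True)
class Filter:
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str
    mirrored: bool

def parse_filter(spec: str) -> Filter:
    """Decode one '-f' argument (e.g. '*+0::TCP') into a Filter."""
    pos = next((i for i, ch in enumerate(spec) if ch in "+="), None)
    if pos is None:
        raise ValueError(f"no '+' or '=' direction marker in {spec!r}")
    src, _, sport = spec[:pos].partition(":")
    dst, dport, proto = spec[pos + 1:].split(":")  # DPORT may be empty
    return Filter(src, int(sport) if sport else None, dst,
                  int(dport) if dport else None, proto.upper(), spec[pos] == "+")

def _addr_match(mask: str, ip: str, local_ip: str) -> bool:
    if mask == "*":
        return True
    if mask == "0":  # '0' stands for this machine's own address
        return ip == local_ip
    return all(m == "*" or m == o for m, o in zip(mask.split("."), ip.split(".")))

def _one_way(f: Filter, src_ip, sport, dst_ip, dport, proto, local_ip) -> bool:
    return (proto.upper() == f.proto
            and _addr_match(f.src, src_ip, local_ip)
            and _addr_match(f.dst, dst_ip, local_ip)
            and (f.sport is None or f.sport == sport)
            and (f.dport is None or f.dport == dport))

def matches(f: Filter, pkt: tuple, local_ip: str) -> bool:
    """pkt = (src_ip, src_port, dst_ip, dst_port, proto); mirrored filters also
    cover the reverse flow, which is what makes '*+0::TCP' block all TCP."""
    src_ip, sport, dst_ip, dport, proto = pkt
    if _one_way(f, src_ip, sport, dst_ip, dport, proto, local_ip):
        return True
    return f.mirrored and _one_way(f, dst_ip, dport, src_ip, sport, proto, local_ip)
```

The sample addresses used when calling it are constructed; `local_ip` should be the address of the machine the policy is defined on.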