TCP/IP Filtering Problem

Archived from groups: microsoft.public.win2000.security

Hello,

I'm trying to lock down a Win2K server (Svc. Pak 4) for use as a web server
and want to be as thorough as possible. I'd like to use TCP/IP Filtering,
but have run into a snag. I have it set so that the following TCP ports are
permitted: 21, 25, 53, and 80; and also UDP port 53. The problem is that it
seems name resolution is not working. I can ping sites by IP address but not
DNS names. Also, sending mail with the SMTP server does not work, and adds
this entry to the system log: "message delivery to the remote domain
<domain> failed for the following reason: destination server does not
exist."

When I allow all UDP ports, everything works fine. Obviously there are a few
other UDP ports I must allow - does anyone have any suggestions as to which
ports to open? Thanks.
 
Archived from groups: microsoft.public.win2000.security

Unlike tcp/ip filtering for TCP, filtering for UDP is not "stateful" in that the
computer does not realize that the return traffic from dns servers on the internet
is responses to requests that the computer initiated. Port 53 UDP is the server port
for dns requests and not the port you would use as the client, which could be any of
the unprivileged ports above 1024. You will need to disable filtering for UDP if you need
dns name resolution FROM your server. Note that internet users will still be able to
access your web server. You would only need to open port 53 UDP if that server is
also hosting dns for internet users, and they would receive reply traffic since tcp/ip
filtering only blocks inbound traffic. You could use ipsec filtering to complement
your tcp/ip filtering, and I suggest that you use a hardware firewall as your first
line of defense; even a cheap under $100 one will be a whole lot better than none at
all. The Netgear ProSafe line starts at under $100 and is a real SPI firewall.

--- Steve

http://www.securityfocus.com/infocus/1559
http://support.microsoft.com/default.aspx?scid=kb;en-us;811832 -- explanation of
ipsec default exemptions and a registry mod to remedy.

"George Jewell" <gjewell@usdatalink.com> wrote in message
news:gRm%c.523$xA1.90@newsread3.news.pas.earthlink.net...
> Hello,
>
> I'm trying to lock down a Win2K server (Svc. Pak 4) for use as a web server
> and want to be as thorough as possible. I'd like to use TCP/IP Filtering,
> but have run into a snag. I have it set so that the following TCP ports are
> permitted: 21, 25, 53, and 80; and also UDP port 53. The problem is that it
> seems name resolution is not working. I can ping sites by IP address but not
> DNS names. Also, sending mail with the SMTP server does not work, and adds
> this entry to the system log: "message delivery to the remote domain
> <domain> failed for the following reason: destination server does not
> exist."
>
> When I allow all UDP ports, everything works fine. Obviously there are a few
> other UDP ports I must allow - does anyone have any suggestions as to which
> ports to open? Thanks.
>
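As an added illustration of Steve's point (example code written for this page, not from the thread or from Microsoft): a toy model comparing an inbound-only filter that judges packets purely by destination port, as Win2K TCP/IP Filtering does, with one that remembers outbound UDP requests so the matching replies are admitted. The IP addresses and the ephemeral client port 1035 are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatelessInboundFilter:
    """Models Win2K TCP/IP Filtering: only inbound packets are checked,
    and only their destination port decides whether they pass."""
    def __init__(self, udp_ports, tcp_ports):
        self.allowed = {"udp": set(udp_ports), "tcp": set(tcp_ports)}

    def outbound(self, pkt):
        return True                      # outbound traffic is never blocked

    def inbound(self, pkt):
        return pkt.dst_port in self.allowed[pkt.proto]


class StatefulUdpFilter(StatelessInboundFilter):
    """Same port list, plus a table of outbound UDP requests so that a reply
    to a request this host sent is admitted even though it arrives on an
    ephemeral port that is not in the list."""
    def __init__(self, udp_ports, tcp_ports):
        super().__init__(udp_ports, tcp_ports)
        self.pending = set()             # (local_port, remote_ip, remote_port)

    def outbound(self, pkt):
        if pkt.proto == "udp":
            self.pending.add((pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return True

    def inbound(self, pkt):
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        if pkt.proto == "udp" and key in self.pending:
            self.pending.discard(key)
            return True
        return super().inbound(pkt)


def dns_lookup_succeeds(filt):
    """The server (constructed IP 192.0.2.10) queries an external resolver
    from ephemeral port 1035; the answer comes back to that same port."""
    server, resolver = "192.0.2.10", "198.51.100.53"
    filt.outbound(Packet("udp", server, 1035, resolver, 53))
    return filt.inbound(Packet("udp", resolver, 53, server, 1035))


def inbound_dns_query_permitted(filt):
    """An internet client asking this server for DNS on port 53 (constructed IP)."""
    return filt.inbound(Packet("udp", "203.0.113.7", 40000, "192.0.2.10", 53))
```

With the poster's rule set (TCP 21, 25, 53, 80 and UDP 53), the stateless filter drops the resolver's reply while the stateful one passes it; inbound queries to port 53 pass in both.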