Web Hosting Talk

TCP/IP filter or IP packets filtering on Win2k3?


riverpast
11-20-2003, 12:16 PM
Hi all

I am setting up my server - Win2k3. I have applied TCP/IP filtering and left only the ports for HTTP, FTP, POP3, SMTP, MySQL and Windows Remote Desktop open. However, now I found I cannot access web pages from the server so I cannot get the latest updates.

Would using IP Packet filtering be better?

Is there any other better practice to get the windows updates?

John

John[H4Y]
11-20-2003, 12:17 PM
Just make it so it allows outbound port 80 traffic.

Papa Smurff
11-20-2003, 01:37 PM
Originally posted by riverpast
Hi all

I am setting up my server - Win2k3. I have applied TCP/IP filtering and left only the ports for HTTP, FTP, POP3, SMTP, MySQL and Windows Remote Desktop open. However, now I found I cannot access web pages from the server so I cannot get the latest updates.

Would using IP Packet filtering be better?

Is there any other better practice to get the windows updates?

John
Take a look at this tutorial:
http://homepages.wmich.edu/~mchugha/w2kfirewall.htm

riverpast
11-20-2003, 02:53 PM
John, I have port 80 open. There is no option to select inbound or outbound so I assume it is bi-directional. The web pages from that server (outbound) work fine, but I cannot get web pages from outside (inbound).

Smurff, thanks for the page. I need to test it on my local server first because I don't want to block Remote Desktop out accidentally.

Any other easy way?

riverpast
11-20-2003, 03:05 PM
Just realized that I blocked DNS. However, allowing port 53 still didn't fix the problem. From the server, I can access outside web pages if I enter the IP, but not the domain name. What did I do wrong?

kcoster
11-21-2003, 05:55 AM
Do you have port 53 TCP and UDP enabled?

chet
11-21-2003, 06:01 AM
The upper ports are used by the outside world when you communicate back. So a DNS connection happens on port 53, but the response can be between 1028-64000 or some such range above.

NT is the same way and makes it impossible to have port blocking on a server that uses or serves dns.

I may be slightly wrong with my explanation, but that is the issue.

Chet

riverpast
11-21-2003, 09:22 AM
Here is the latest result:

I still block all the TCP ports except the ones I need: HTTP, FTP, POP3, SMTP, MYSQL, DNS.

I unblock UDP port 53 (DNS). IE doesn't work.
I unblock UDP port 80 (DNS). IE doesn't work.
I unblock all UDP ports. IE works.

It is working but it is not as secure as I want.

John
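A simulation of the behaviour chet describes and the result in riverpast's last post, added here as an illustration and not code from the thread: a stateless port filter (the Win2k3 TCP/IP filtering model) only checks the destination port of inbound packets, so the resolver's reply to the server's ephemeral source port is dropped unless every UDP port is opened, whereas a filter that remembers outbound flows lets the reply in with port 53 alone. The addresses and the ephemeral port are constructed values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    inbound: bool     # True when the packet arrives at the server

SERVER = "203.0.113.10"      # constructed example addresses
RESOLVER = "198.51.100.53"
ALL_PORTS = set(range(1, 65536))

# Ports from the thread: HTTP, FTP, POP3, SMTP, MySQL, RDP, DNS (TCP) and DNS (UDP)
RULES_DNS53 = {"tcp": {80, 21, 110, 25, 3306, 3389, 53}, "udp": {53}}
RULES_ALL_UDP = {"tcp": RULES_DNS53["tcp"], "udp": ALL_PORTS}

def stateless_allows(pkt, allowed):
    """Win2k3-style TCP/IP filtering: outbound is never filtered, inbound
    passes only if its destination port is on the permit list. There is
    no memory of which outbound packets were sent."""
    return (not pkt.inbound) or pkt.dst_port in allowed.get(pkt.proto, set())

class StatefulFilter:
    """Minimal connection tracker: an outbound packet registers its
    5-tuple, and an inbound packet passes if it reverses a registered
    flow or targets a permitted listening port."""
    def __init__(self, allowed):
        self.allowed, self.flows = allowed, set()
    def allows(self, pkt):
        if not pkt.inbound:
            self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return reverse in self.flows or pkt.dst_port in self.allowed.get(pkt.proto, set())

def dns_lookup(allow_fn, ephemeral_port=51234):
    """True only if the query to port 53 and the reply to our ephemeral port both pass."""
    query = Packet("udp", SERVER, ephemeral_port, RESOLVER, 53, inbound=False)
    reply = Packet("udp", RESOLVER, 53, SERVER, ephemeral_port, inbound=True)
    return allow_fn(query) and allow_fn(reply)

def stateless_dns53_works():      # riverpast's "unblock UDP 53" attempt
    return dns_lookup(lambda p: stateless_allows(p, RULES_DNS53))

def stateless_all_udp_works():    # riverpast's "unblock all UDP" result
    return dns_lookup(lambda p: stateless_allows(p, RULES_ALL_UDP))

def stateful_dns53_works():       # what a flow-tracking filter gives with only UDP 53
    return dns_lookup(StatefulFilter(RULES_DNS53).allows)
```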