
01-13-2004, 05:24 AM
Junior Guru Wannabe
Join Date: Nov 2003
Posts: 85
Software Firewall for Win2003 server
Hi,
We're looking for a software firewall for our Windows 2003 Standard Edition server.
Every server has approximately 15 web sites with dedicated IP addresses.
I have considered renting the SnapGear PCI630 from ServerMatrix, but it won't support that many IPs!
Best regards,
Henrik

01-13-2004, 07:05 AM
Aspiring Evangelist
Join Date: Oct 2002
Posts: 353
Have you checked out the built-in RRAS support?
(Under Administrative Tools.)
You can set up a basic firewall using this - it just blocks everything and you can pick the ports you want to open up to incoming connections.
It's very easy to set up and it has preconfigured values, so if you want to allow, say, mail, ftp, web and remote desktop on a server, you just tick those 4 boxes and it will block all ports but those.
Best of all, you can install it and choose NOT to start it straight away, so you have a chance to set things up (especially remote desktop) before making it live, so you don't lock yourself out of the server, which seems to happen a lot with software firewalls.
Highly recommended.

01-13-2004, 07:19 AM
Junior Guru Wannabe
Join Date: Nov 2003
Posts: 85
Hi,
You mean the "Internet Connection Firewall"?
I got a problem with it, my sites stop running. I've opened all common ports!
If I get it to work, I think there will be problems when I get customers that would like dedicated IPs for their sites.
Best regards,
Henrik

01-13-2004, 07:31 AM
Web Hosting Master
Join Date: May 2001
Posts: 8,070
Thanks for the updates. I did not know there was a 15 IPs limit for the Snapgear card. I thought it had a higher limit.

01-13-2004, 07:34 AM
Web Hosting Master
Join Date: Dec 2001
Posts: 5,221

01-13-2004, 07:52 AM
WHT Addict
Join Date: Jul 2001
Location: UK
Posts: 137
BlackIce Server - every time
__________________
Koihost - Windows Solutions
http://www.koihost.com
--------
Quality usually costs more!

01-13-2004, 08:08 AM
Junior Guru Wannabe
Join Date: Nov 2003
Posts: 85
Quote:
Originally posted by eddy2099
Thanks for the updates. I did not know there was a 15 IPs limit for the Snapgear card. I thought it had a higher limit.

I don't know if the limit is 15 IPs, but I'm waiting for an answer from ServerMatrix. I asked them first about 20 IPs, but they didn't give me the maximum number.

01-13-2004, 08:44 AM
Aspiring Evangelist
Join Date: Oct 2002
Posts: 353
Quote:
Originally posted by COH_Henrik
Hi,
You mean the "Internet Connection Firewall"?
I got a problem with it, my sites stop running. I've opened all common ports!
If I get it to work, I think there will be problems when I get customers that would like dedicated IPs for their sites.
Best regards,
Henrik

No, I mean RRAS - totally different package.
With RRAS you can set independent rules for each IP address, even each LAN connection if you have more than one.
It's an absolute hidden gem in 2003 and I'm surprised MS don't make more effort to introduce people to it.
Click on Start -> Settings -> Control Panel -> Administrative tools and you'll see it listed (assuming you have w2003 standard - don't think it's in the web edition).

01-13-2004, 09:54 AM
Junior Guru Wannabe
Join Date: Nov 2003
Posts: 85
Thank you!
I think I found it under "Routing and Remote Access".
Now I got something called "NAT/Basic Firewall".
Here I find my network adapter.
Here is a tab called "Address Pool" with the description "Your Internet service provider (ISP) assigns this address pool".
Should I put my IPs from ServerMatrix here?
E.g.:
From: 69.93.xx.98
Mask: 255.255.255.248
To: 69.93.xx.102
Then I have a tab called "Services and ports".
It looks like below:
--- Public address --------------------------
On this interface
On this address pool entry:
Incoming port: 21
Private address: 0.0.0.0
Outgoing port: 21
If I, e.g., want port 21 to be open for my IPs 69.93.xx.98-69.93.xx.102, how should I configure it? 69.93.xx.98 is the main IP and the others are for new web hosting customers that need dedicated IPs for their sites.
Should I have my main IP entered under "private address"? If I choose "On this interface" under public address, will all my public IPs work then?
Thank you in advance,
Henrik

01-13-2004, 10:17 AM
Aspiring Evangelist
Join Date: Nov 2003
Location: Olde Englandshire
Posts: 378
Quote:
Originally posted by COH_Henrik
Hi,
You mean the "Internet Connection Firewall"?
I got a problem with it, my sites stop running. I've opened all common ports!

The ICF only supports a single IP address per machine. It assumes that you have a single IP for your network and it enables you to redirect inbound traffic to servers on the network by port. You cannot have multiple rules per IP.
I am trying the Routing and Remote Access firewall on my local W2K3 box before attempting it on my hosted server (I have already locked myself out twice).

01-13-2004, 10:29 AM
Junior Guru Wannabe
Join Date: Nov 2003
Posts: 85
I now have my "Routing and Remote Access firewall" working pretty well. First I had problems that I could not connect to ftps and sites. I added port 53, but it still didn't work, but when I also added port 53 with the UDP option it suddenly worked!
I haven't tried if it works with multiple external IPs yet.

01-13-2004, 11:08 AM
iNET Senior Community Advisor
Join Date: Jun 2001
Location: Kalamazoo
Posts: 31,239
Moved to the "Technical & Security Issues" Forum.
__________________
Do you have a WHT question or concern? Please open a helpdesk ticket.

01-13-2004, 01:12 PM
Junior Guru
Join Date: Apr 2003
Posts: 235
You could also set up TCP filtering, to block specific ports. It's not a full firewall solution, but it can go a long way towards securing a box.
Something with some sort of SPI would be better though.
__________________
-= System Administrator Windows/Linux - MCDST, MCP =-
www.VETCOELECTRONICS.com

01-13-2004, 07:57 PM
Aspiring Evangelist
Join Date: Oct 2002
Posts: 353
RRAS is TCP filtering with knobs on!