RRAS Port Filtering Reference


Built-in port filtering for Windows Server (pre-2008 Server)

Update: Since Microsoft has decided that multi-homing a Windows Server 2008 R2 Domain Controller is "a huge no-no", administrators who need to selectively drop all but the desired packets on an interface can use this RRAS port filtering method to secure their systems when Network Location Awareness (NLA) incorrectly identifies an Internet connection as a "Domain Network" (and therefore applies the more permissive domain firewall profile to it).

Back in the day, when dedicated firewall devices were expensive, using the built-in Routing and Remote Access Service (RRAS) to perform Network Address Translation (NAT) and port blocking was an economical alternative for small businesses that needed to be frugal. For a small business that only needed a port or two open for inbound traffic and wanted the VPN feature in RRAS, a second network card was all that was needed.

After hours of research and testing, I worked out how to use RRAS for port filtering in Windows 2000 Server. One side-effect is that the RRAS filters are stateless: when they are used for inbound port filtering, the replies to the server's own outbound requests are not recognised automatically, so those ports have to be opened too. This had the benefit of limiting outbound traffic to well-known protocols, in the hope of hindering malware that communicates on non-standard ports.

Judging from the feedback, this guide has saved other administrators a bunch of time. Thanks for all the positive comments! This guide sets up port filtering for an Internet connection so that only the ports desired for inbound and outbound traffic are open.

With Windows Server 2003 I have mostly abandoned port filtering, opting for the 'Use Basic Firewall' option in RRAS instead (it only admits inbound traffic that answers the server's own outbound requests or that matches a service mapping you define, so reply traffic no longer needs its own rules). I still reference this page frequently as a quick reminder of the port numbers used by common protocols.

Windows Server 2008 R2 note: the 'Use Basic Firewall' option has been removed from RRAS, so the old Windows 2000 method of applying Input Filters, stateless as it is, will need to be followed.


A side note: if I understood correctly, the same filters can be applied in the Advanced TCP/IP properties (TCP/IP Filtering) of the external adapter up to Windows Server 2003. The advantage I read about is that the filtering occurs at the kernel level, which is supposed to be more secure; the disadvantage is that a reboot is required every time the filtering changes!

Basic assumptions for the server:
- Running Windows 2000 Server
- Already running the RRAS service
- Not running Proxy Server or ISA Server (although the filters would be similar)
- My example below uses the external IP address 192.168.1.2 (customize per your needs; it is only a placeholder, substitute the address actually assigned to the WAN interface)

Of course, if you are applying these filters to a server through a remote-control session, be extremely careful NOT to filter out that session: add the filter that permits it (ideally with the source address and a 255.255.255.255 mask of the host you are working from, not Any) before switching the interface to drop-by-default, because the change takes effect immediately. Also, I am NOT a networking expert; take this advice at your own risk. If you find any glaring errors, please let me know ASAP. Select from the list below per your needs; do NOT simply add everything I have listed.

To configure the filters, go to: Start > Programs > Administrative Tools > Computer Management. Expand: Services and Applications > Routing and Remote Access > IP Routing > General. In the right pane, right-click the WAN interface that you are configuring > Properties > (General tab), click Input Filters..., click Add..., then add your first filter. AFTER adding your FIRST filter, be sure to select the option at the top, 'Drop all packets except those that meet the criteria below'. Until you do, the default mode 'Receive all packets except those that meet the criteria below' is in force, and in that mode every filter in the list is a drop rule rather than a permit rule, so the rule you just added for your own session would block it instead of allowing it.

Alternative method: you can use the netsh command to script the import of these filters. You can download the script file that I tweak and use to quickly enter these filters. More information can be found in Microsoft Knowledge Base article 242468.
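The same procedure in script form, as an added example that is not the page's own download and not Microsoft's code: a small Python helper that turns a rule list in the shape of the table below into a netsh -f script, and evaluates that rule list the way a stateless filter does, so you can confirm before importing that your own remote session is still permitted and see what the "reply" rules really let in. Assumptions: the interface is named "WAN", the external address is the page's 192.168.1.2, the management station 203.0.113.5 is a constructed address, and the netsh parameter spellings (srcaddr, srcmask, dstaddr, dstmask, proto, srcport, dstport, with type/code for ICMP and 0.0.0.0 / port 0 for Any) are those of the Windows 2000/2003 `netsh routing ip` context. Check the generated lines against KB 242468 and a `netsh routing ip dump` of your own server before trusting them.

```python
"""Build a netsh filter script for an RRAS WAN interface and sanity-check it.

Added example for this page, not the page's own script. Interface name,
addresses and the exact netsh parameter spellings are assumptions (see the
lead-in); verify against `netsh routing ip dump` on your server.
"""
import ipaddress
from dataclasses import dataclass

IFACE = "WAN"             # assumed interface name
EXT_IP = "192.168.1.2"    # the page's example external address
HOST = "255.255.255.255"  # host mask used throughout the page's table
MGMT_IP = "203.0.113.5"   # constructed management-station address
ANY = "Any"               # wildcard, written by netsh as 0.0.0.0 / port 0


@dataclass(frozen=True)
class Rule:
    note: str
    src: str = ANY
    srcmask: str = ANY
    dst: str = ANY
    dstmask: str = ANY
    proto: str = "TCP"    # TCP, UDP, ICMP, or an IP protocol number such as "47"
    srcport: object = ANY
    dstport: object = ANY


def to_netsh(rule: Rule) -> str:
    """One `add filter` line in the syntax used by `netsh routing ip`."""
    def addr(v):
        return "0.0.0.0" if v == ANY else v

    def port(v):
        return "0" if v == ANY else str(v)

    line = (f'add filter name="{IFACE}" filtertype=INPUT '
            f"srcaddr={addr(rule.src)} srcmask={addr(rule.srcmask)} "
            f"dstaddr={addr(rule.dst)} dstmask={addr(rule.dstmask)} "
            f"proto={rule.proto}")
    if rule.proto.upper() in ("TCP", "UDP"):
        line += f" srcport={port(rule.srcport)} dstport={port(rule.dstport)}"
    elif rule.proto.upper() == "ICMP":
        line += " type=255 code=255"   # assumption: 255 = any type / any code
    return line


def build_script(rules) -> list:
    """Whole netsh -f script: permits first, then the deny-by-default switch."""
    lines = ["pushd routing ip"]
    lines += [to_netsh(r) for r in rules]
    # Same ordering as the GUI procedure: only flip to DROP once permits exist.
    lines.append(f'set filter name="{IFACE}" filtertype=INPUT action=DROP')
    lines.append("popd")
    return lines


def _in_net(ip, net, mask) -> bool:
    if ANY in (net, mask):
        return True
    i, n, m = (int(ipaddress.IPv4Address(x)) for x in (ip, net, mask))
    return (i & m) == (n & m)


def _port_ok(want, have) -> bool:
    return want == ANY or str(want) == str(have)


def permits(rules, src, dst, proto, sport=None, dport=None) -> bool:
    """Stateless check: does any rule accept this single packet on its own?"""
    for r in rules:
        if r.proto.upper() != str(proto).upper():
            continue
        if not (_in_net(src, r.src, r.srcmask) and _in_net(dst, r.dst, r.dstmask)):
            continue
        if r.proto.upper() in ("TCP", "UDP") and not (
                _port_ok(r.srcport, sport) and _port_ok(r.dstport, dport)):
            continue
        return True
    return False


def check_no_lockout(rules, admin_ip, port=3389) -> bool:
    """The page's warning, made mechanical: is the admin's RDP session allowed?"""
    return permits(rules, admin_ip, EXT_IP, "TCP", 50000, port)


# A subset of the page's table plus one hardened rule (RDP from MGMT_IP only).
RULES = [
    Rule("ping in, and replies to outbound ping", proto="ICMP"),
    Rule("GRE for PPTP", proto="47"),
    Rule("DNS replies (UDP)", dst=EXT_IP, dstmask=HOST, proto="UDP", srcport=53),
    Rule("DNS replies (TCP)", dst=EXT_IP, dstmask=HOST, proto="TCP", srcport=53),
    Rule("HTTP replies", dst=EXT_IP, dstmask=HOST, proto="TCP", srcport=80),
    Rule("HTTPS replies", dst=EXT_IP, dstmask=HOST, proto="TCP", srcport=443),
    Rule("RDP, management host only", src=MGMT_IP, srcmask=HOST,
         dst=EXT_IP, dstmask=HOST, proto="TCP", dstport=3389),
]

if __name__ == "__main__":
    print("\n".join(build_script(RULES)))
    print("# admin RDP still allowed:", check_no_lockout(RULES, MGMT_IP))
    # The stateless weakness: a remote host using source port 53 reaches any port.
    print("# src port 53 -> 445 allowed:",
          permits(RULES, "198.51.100.9", EXT_IP, "TCP", 53, 445))
```

Redirect the output to a file and import it with `netsh -f`. The last check is the point of the `permits` function: because the "reply" rules match on source port only, a remote host that sets its source port to 53 is accepted on every local port, which is why the reply rules should be kept to the protocols you actually use.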

If anyone would like to see some common additions made, or if this page saves you a couple minutes, please send me an email: JayRO@OhmanCorp.com.

The table below lists one filter per line, in the seven fields of the RRAS Input Filter dialog ("Any" is the wildcard; netsh writes it as address/mask 0.0.0.0 and port 0). * = de facto standard port.

Src Address  Src Mask  Dst Address  Dst Mask         Proto  Src Port  Dst Port

Allow this server to be pinged, and allow replies to an outbound ping
Any          Any       Any          Any              ICMP   Any       Any

Allow GRE (IP protocol 47) for PPTP, inbound and outbound
Any          Any       Any          Any              47     Any       Any

When the server is used as a workstation and/or as the router/NAT gateway for the LAN: allow replies to outbound communication. These are still input filters on the WAN interface. RRAS filters are stateless, so each one admits packets whose SOURCE port is the remote service's well-known port and whose destination port is anything; that is what lets the reply to an outbound connection back in. The cost is that any remote host that sets its own source port to 53, 80, 443 and so on can reach every local port through these rules, so list only the protocols you actually use and do not count on them to hide local services.

FTP (file transfer)
Any          Any       192.168.1.2  255.255.255.255  TCP    20        Any
Any          Any       192.168.1.2  255.255.255.255  TCP    21        Any
SMTP (outgoing email)
Any          Any       192.168.1.2  255.255.255.255  TCP    25        Any
DNS (domain name resolution)
Any          Any       192.168.1.2  255.255.255.255  TCP    53        Any
Any          Any       192.168.1.2  255.255.255.255  UDP    53        Any
HTTP (web page)
Any          Any       192.168.1.2  255.255.255.255  TCP    80        Any
POP3 (incoming email)
Any          Any       192.168.1.2  255.255.255.255  TCP    110       Any
NTP (time service, w32tm)
Any          Any       192.168.1.2  255.255.255.255  UDP    123       Any
SNMP (Simple Network Management Protocol)
Any          Any       192.168.1.2  255.255.255.255  UDP    161       Any
HTTPS (encrypted web page)
Any          Any       192.168.1.2  255.255.255.255  TCP    443       Any
SMTP-SSL (encrypted outgoing email, verify with email provider)
Any          Any       192.168.1.2  255.255.255.255  TCP    465*      Any
RIP (Routing Information Protocol)
Any          Any       192.168.1.2  255.255.255.255  UDP    520       Any
SMTP-Alternate (outgoing email, works around the SBCGlobal DSL port 25 block)
Any          Any       192.168.1.2  255.255.255.255  TCP    587*      Any
POP3-SSL (encrypted incoming email)
Any          Any       192.168.1.2  255.255.255.255  TCP    995       Any
L2TP (Layer 2 VPN; L2TP runs over UDP, and L2TP/IPsec additionally needs IKE on UDP 500, NAT-T on UDP 4500 and ESP, IP protocol 50, none of which are listed here)
Any          Any       192.168.1.2  255.255.255.255  UDP    1701      Any
PPTP (Microsoft VPN; this is the control channel only, the tunnelled data travels in GRE, allowed above)
Any          Any       192.168.1.2  255.255.255.255  TCP    1723      Any
RDP (Microsoft Remote Desktop and Terminal Services)
Any          Any       192.168.1.2  255.255.255.255  TCP    3389      Any
PCAnywhere (ver. 8 and newer)
Any          Any       192.168.1.2  255.255.255.255  TCP    5631      Any
Any          Any       192.168.1.2  255.255.255.255  UDP    5632      Any

To allow certain services on the server: allow inbound communication.
Be certain you want this inbound traffic! Every row below is reachable from the whole Internet as written (Src Address Any). For services that exist only for administration (RDP, PCAnywhere, SNMP), replace Any with the address and a 255.255.255.255 mask of the host you manage from; SNMP v1/v2c in particular sends its community string in clear text.

FTP Server (file transfer)
Any          Any       192.168.1.2  255.255.255.255  TCP    Any       20
Any          Any       192.168.1.2  255.255.255.255  TCP    Any       21
SMTP Server (mail server, receive and serve email)
Any          Any       192.168.1.2  255.255.255.255  TCP    Any       25
DNS Server (domain name resolution): allow DNS requests to reach this server
Any          Any       192.168.1.2  255.255.255.255  TCP    Any       53
Any          Any       192.168.1.2  255.255.255.255  UDP    Any       53
HTTP (web page server)
Any          Any       192.168.1.2  255.255.255.255  TCP    Any       80
POP3 Server (mail server, deliver stored email)
Any          Any       192.168.1.2  255.255.255.255  TCP    Any       110
SNMP (Simple Network Management Protocol)
Any          Any       192.168.1.2  255.255.255.255  UDP    Any       161
HTTPS (web page server, encrypted web page)
Any          Any       192.168.1.2  255.255.255.255  TCP    Any       443
SMTP-SSL (mail server, serve encrypted email)
Any          Any       192.168.1.2  255.255.255.255  TCP    Any       465*
RIP (Routing Information Protocol; accepting RIP updates from the Internet lets any sender inject routes, so keep this only on a link whose neighbour you trust)
Any          Any       192.168.1.2  255.255.255.255  UDP    Any       520
SMTP-Alternate (mail, works around the SBCGlobal DSL port 25 block); SMTP AUTH strongly recommended
Any          Any       192.168.1.2  255.255.255.255  TCP    Any       587*
HTTPS for RWW (SBS 2008)
Any          Any       192.168.1.2  255.255.255.255  TCP    Any       987
POP3-SSL (mail server, deliver stored encrypted email)
Any          Any       192.168.1.2  255.255.255.255  TCP    Any       995
L2TP Server (Layer 2 VPN; see the L2TP note above)
Any          Any       192.168.1.2  255.255.255.255  UDP    Any       1701
PPTP Server (Microsoft VPN)
Any          Any       192.168.1.2  255.255.255.255  TCP    Any       1723
RDP (Microsoft Terminal Services server)
Any          Any       192.168.1.2  255.255.255.255  TCP    Any       3389
PCAnywhere host (ver. 8 and newer)
Any          Any       192.168.1.2  255.255.255.255  TCP    Any       5631
Any          Any       192.168.1.2  255.255.255.255  UDP    Any       5632

Trying to get special apps to run; this worked for me.
Allow RealAudio streaming content (requires manual configuration in RealPlayer)
Any          Any       192.168.1.2  255.255.255.255  UDP    Any       7070
Any          Any       192.168.1.2  255.255.255.255  UDP    Any       7071
Any          Any       192.168.1.2  255.255.255.255  UDP    7070      Any
Any          Any       192.168.1.2  255.255.255.255  UDP    7071      Any


Changing a filter set

You can use the netsh command to assist in changing these filters. It would be nice to dump just the filter configuration, but you will need to dump all of the IP routing information and then weed the dump file.

Syntax to dump the current configuration:
    netsh routing ip dump > FilterList.txt

Then edit the dumped text file; the filtering information is near the beginning. In my case the external interface was named "WAN", so delete from the second line (reset) through the line
    set filter name="WAN" filtertype=INPUT action=DROP
Keep the first line (pushd routing ip): the add and delete commands that follow only work inside that netsh context.

Then find the line with fragcheck= and delete from that line to the end, but leave popd. You now have a base to work with.

To change every dstaddr=<local address>, you need two copies of this block: one with the word 'add' changed to 'delete' (removing the filters that carry the old address), and a second with dstaddr=<old IP address> changed to dstaddr=<new IP address>. To add an additional set of filters, only the second copy is needed. There is no point in editing filters that have dstaddr=0.0.0.0, since they are not tied to an address. After the import, run the dump again and compare it with the original to confirm that only the intended filters changed.

Syntax to import the edited text file:
    netsh -f FilterList.txt
(-f = UseScriptFile; the commands in the file run as if typed at the netsh prompt.)
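The weeding and re-addressing steps above, as an added example (not the page's own script): a Python helper that reads a `netsh routing ip dump` file, keeps only the `add filter` lines for the named interface that carry the old address, and emits the `delete` set followed by the `add` set with the new address, wrapped in pushd/popd so it can be imported with `netsh -f`. The dump excerpt embedded below is constructed in the shape the page describes (pushd, reset, set filter, add filter lines, fragcheck, popd); a real dump has many more lines, and the new address 192.168.1.3 is a placeholder.

```python
"""Re-address the RRAS filters in a `netsh routing ip dump` file.

Added example, not the page's script. The dump excerpt below is constructed
in the shape the page describes (pushd ... reset ... set filter ... add filter
lines ... fragcheck ... popd); a real dump has many more lines.
"""
import shlex

OLD_IP = "192.168.1.2"   # the page's external address
NEW_IP = "192.168.1.3"   # constructed replacement address

SAMPLE_DUMP = """\
# ----------------------------------
# IP Configuration
# ----------------------------------
pushd routing ip
reset
set filter name="WAN" filtertype=INPUT action=DROP
add filter name="WAN" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=192.168.1.2 dstmask=255.255.255.255 proto=TCP srcport=0 dstport=3389
add filter name="WAN" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=192.168.1.2 dstmask=255.255.255.255 proto=UDP srcport=53 dstport=0
add filter name="WAN" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=ICMP type=255 code=255
add filter name="LAN" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=192.168.1.2 dstmask=255.255.255.255 proto=TCP srcport=0 dstport=80
set filter name="WAN" filtertype=INPUT fragcheck=DISABLE
popd
"""


def parse_filter(line):
    """'add filter name="WAN" k=v ...' -> ('add filter', {'name': 'WAN', 'k': 'v', ...})."""
    toks = shlex.split(line)          # strips the quotes around the interface name
    verb = " ".join(toks[:2])
    kv = dict(t.split("=", 1) for t in toks[2:])
    return verb, kv


def render(verb, kv):
    """Inverse of parse_filter; re-quotes the interface name as the dump does."""
    fields = [f'{k}="{v}"' if k == "name" else f"{k}={v}" for k, v in kv.items()]
    return f"{verb} " + " ".join(fields)


def matching_filters(dump, iface, old_ip):
    """Only `add filter` lines for this interface that carry the old dstaddr.
    Filters with dstaddr=0.0.0.0 are not tied to an address and are left alone."""
    found = []
    for line in dump.splitlines():
        if not line.startswith("add filter "):
            continue
        _, kv = parse_filter(line)
        if kv.get("name") == iface and kv.get("dstaddr") == old_ip:
            found.append(kv)
    return found


def readdress_script(dump, iface, old_ip, new_ip, delete_old=True):
    """Lines for a `netsh -f` file: the 'delete' set, then the 'add' set with the
    new address. delete_old=False gives just the second set, which is what the
    page describes for adding filters for an additional address."""
    matched = matching_filters(dump, iface, old_ip)
    lines = ["pushd routing ip"]
    if delete_old:
        lines += [render("delete filter", kv) for kv in matched]
    lines += [render("add filter", dict(kv, dstaddr=new_ip)) for kv in matched]
    lines.append("popd")
    return lines


if __name__ == "__main__":
    print("\n".join(readdress_script(SAMPLE_DUMP, "WAN", OLD_IP, NEW_IP)))
```

Point the script at your own FilterList.txt instead of SAMPLE_DUMP, write the result to a new file, and import it with `netsh -f`. Filters on other interfaces and the address-independent 0.0.0.0 filters never appear in the output, so they cannot be deleted by mistake.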

Reference:
IANA Port Number Reference


Copyright 1996-2017 Ohman Automation Corp. All rights reserved.