# to run from the command line: netsh -f PortFilterScript.txt
# this script assumes:
# - external interface named "WAN"
# - external interface IP is 192.168.1.2
# - no currently configured filters, fresh configuration
# modify to suit
# ----------------------------------
# DISCLAIMER: use this at your own risk! User must bear sole responsibility for any harm caused by using this script.
# using this script file without modification will allow inbound PPTP and RDP traffic!
# ----------------------------------
# Overview: this is a Routing and Remote Access (RRAS) packet-filter script for the
# "netsh routing ip" context. It installs a default-DROP INPUT filter list on the
# interface named "WAN" and then adds per-rule exceptions with "add filter".
# The filters are stateless: every rule matches a single packet on address/protocol/
# port only, so "outgoing" services below are actually admitted by INPUT rules keyed
# on the remote SOURCE port (see notes further down). No OUTPUT filter list is
# configured anywhere in this script, so outbound traffic on "WAN" is not filtered here.
# ----------------------------------
# IP configuration
pushd routing ip
# Default action for the INPUT list on "WAN": drop anything not matched by an "add filter"
# rule below. Order matters: set the default before adding exceptions.
set filter name="WAN" filtertype=INPUT action=DROP
# allow incoming: GRE, ping
# proto=47 is GRE, required for the PPTP tunnel admitted on TCP/1723 below.
# Both rules use dstaddr=0.0.0.0/0.0.0.0, i.e. any destination, not only 192.168.1.2.
add filter name="WAN" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=47
# type=255 code=255 is the netsh wildcard: this admits EVERY inbound ICMP type/code,
# not just echo-request/echo-reply. Narrow to the types you need if "ping" is the intent.
add filter name="WAN" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=ICMP type=255 code=255
# allow incoming to reach server: pptp, terminal services
# srcaddr=0.0.0.0 srcmask=0.0.0.0 exposes these services to every source address on the
# Internet. Where the set of remote peers is known, restrict srcaddr/srcmask to them.
# PPTP is an obsolete VPN protocol; prefer a modern VPN and keep RDP behind it rather
# than directly reachable on the WAN interface.
add filter name="WAN" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=192.168.1.2 dstmask=255.255.255.255 proto=TCP srcport=0 dstport=1723
add filter name="WAN" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=192.168.1.2 dstmask=255.255.255.255 proto=TCP srcport=0 dstport=3389
# Windows Server 2003 Small Business Edition - edit per your configuration
# allow incoming to reach server: http(?!), https, Remote Web Workplace - CAUTION!!
# (disabled by default; each line below is a comment until the leading "# " is removed)
# add filter name="WAN" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=192.168.1.2 dstmask=255.255.255.255 proto=TCP srcport=0 dstport=80
# add filter name="WAN" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=192.168.1.2 dstmask=255.255.255.255 proto=TCP srcport=0 dstport=443
# add filter name="WAN" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=192.168.1.2 dstmask=255.255.255.255 proto=TCP srcport=0 dstport=4125
# allow outgoing common: FTP, SMTP, DNS, HTTP, POP3, Time, HTTPS
# NOTE(review): these are INPUT rules with srcport=<service> and dstport=0 (any local
# port). They exist so that replies to the server's own outbound requests get in, which is
# the only way a stateless RRAS filter can do it. The cost is that any inbound packet whose
# source port happens to be one of these values is admitted to every local port - the
# filter cannot tell a reply from a new connection. If a stateful firewall is available
# (Windows Firewall, or the edge router), use it for return traffic instead of these rules.
# srcport=20 covers the active-mode FTP data channel only; passive-mode FTP uses ephemeral
# ports and is not covered by this list.
add filter name="WAN" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=192.168.1.2 dstmask=255.255.255.255 proto=TCP srcport=20 dstport=0
add filter name="WAN" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=192.168.1.2 dstmask=255.255.255.255 proto=TCP srcport=21 dstport=0
add filter name="WAN" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=192.168.1.2 dstmask=255.255.255.255 proto=TCP srcport=25 dstport=0
add filter name="WAN" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=192.168.1.2 dstmask=255.255.255.255 proto=UDP srcport=53 dstport=0
add filter name="WAN" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=192.168.1.2 dstmask=255.255.255.255 proto=TCP srcport=53 dstport=0
add filter name="WAN" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=192.168.1.2 dstmask=255.255.255.255 proto=TCP srcport=80 dstport=0
add filter name="WAN" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=192.168.1.2 dstmask=255.255.255.255 proto=TCP srcport=110 dstport=0
add filter name="WAN" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=192.168.1.2 dstmask=255.255.255.255 proto=UDP srcport=123 dstport=0
add filter name="WAN" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=192.168.1.2 dstmask=255.255.255.255 proto=TCP srcport=443 dstport=0
# allow outgoing requests: SMTP-SSL, SMTP-Alternate, POP3-SSL
# (same source-port-only caveat as above)
add filter name="WAN" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=192.168.1.2 dstmask=255.255.255.255 proto=TCP srcport=465 dstport=0
add filter name="WAN" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=192.168.1.2 dstmask=255.255.255.255 proto=TCP srcport=587 dstport=0
add filter name="WAN" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=192.168.1.2 dstmask=255.255.255.255 proto=TCP srcport=995 dstport=0
# allow outgoing requests: pptp, terminal services
# Replies for PPTP/RDP sessions the server itself initiates. Remove these two rules if the
# server never dials out to other PPTP or RDP hosts; they widen the source-port exposure.
add filter name="WAN" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=192.168.1.2 dstmask=255.255.255.255 proto=TCP srcport=1723 dstport=0
add filter name="WAN" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=192.168.1.2 dstmask=255.255.255.255 proto=TCP srcport=3389 dstport=0
# SNMP - depending on your configuration
# (disabled by default; the second rule would expose the SNMP agent on UDP/161 to any
# source address - if enabled, restrict srcaddr/srcmask to the management station)
# add filter name="WAN" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=192.168.1.2 dstmask=255.255.255.255 proto=UDP srcport=161 dstport=0
# add filter name="WAN" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=192.168.1.2 dstmask=255.255.255.255 proto=UDP srcport=0 dstport=161
# RIP - depending on your configuration, remove the # character to enable
# (disabled by default; accepting RIP on a WAN interface lets any peer inject routes -
# only enable with a known, authenticated RIP neighbour)
# add filter name="WAN" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=192.168.1.2 dstmask=255.255.255.255 proto=UDP srcport=0 dstport=520
# add filter name="WAN" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=192.168.1.2 dstmask=255.255.255.255 proto=UDP srcport=520 dstport=0
# Enable RRAS fragment checking on "WAN" (per the RRAS documentation this discards
# fragmented IP datagrams on the interface - confirm against your netsh version).
set filter name="WAN" fragcheck=enable
popd
# End of IP configuration