Built-in port filtering for Windows Servers (pre 2008 Server)
Update: Since Microsoft has decided that multi-homing a Windows Server 2008 R2 Domain Controller is "a huge no-no", administrators who need to selectively drop all but the desired packets on an interface can use this RRAS port filtering method to secure their systems when Network Location Awareness (NLA) incorrectly identifies internet connections as "Domain Network".
Back in the day when dedicated firewall devices were expensive, using the built-in Routing and Remote Access Service (RRAS) to perform Network Address Translation (NAT) and port blocking was an economical alternative for small businesses that needed to be frugal. For small businesses that only needed a port or two open for inbound traffic and also needed the VPN feature in RRAS, a second network card was all that was required.
With hours of research and testing, I was able to determine how to use RRAS for port filtering in Windows 2000 Server. One side-effect of using RRAS for inbound port filtering is that replies to outbound requests also need their ports opened. This has the benefit of limiting outbound traffic to well-known protocols, in the hope of mitigating any malware communicating on non-standard ports.
Judging from the feedback, this guide has saved other administrators a bunch of time. Thanks for all the positive comments! This guide will set up port filtering for an Internet connection so that only the ports desired for inbound and outbound traffic are open.
With Windows 2003 Server, I have mostly abandoned port filtering, opting for the 'Use Basic Firewall' option in RRAS instead. I still reference this page frequently as a quick reminder of some of the port numbers used by common protocols.
Windows Server 2008 R2 Note: the 'Use Basic Firewall' option has been removed from RRAS, so the old
Windows 2000 method of applying Input Filters will need to be followed.
A side note: if I understood correctly, these same filters can be applied within the advanced TCP/IP properties of the External Adapter up to Windows 2003. The advantage I read about is that the filtering occurs at the kernel level, which is supposed to be more secure; the disadvantage is that a reboot is required every time the filtering changes!
Basic assumptions for the server:
- Running Windows 2000 Server
- Already Running RRAS services
- Not running Proxy Server or ISA server (although the filters would be similar)
- My example below uses the external IP address: 192.168.1.2 (customize per your needs)
Of course, if you are applying these filters to a server via a remote control session, be extremely careful NOT to filter out your remote control session. Also, I am NOT a networking expert, so take this advice at your own risk. If you find any glaring errors, please let me know ASAP. Select from the lists below per your needs; do NOT simply add everything I have listed.
To configure the filters, go to: Start > Programs > Administrative Tools >
Computer Management. Expand: Services and Applications > Routing and Remote Access > IP Routing > General.
In the right pane, right-click the WAN Interface (that you are configuring) > Properties > (General tab), click
Input Filters... click Add... then add your first filter. AFTER adding your FIRST filter, then be sure to
select the option at top for 'Drop all packets except those that meet the criteria below'.
Alternative method: You can use the netsh command to script the
import of these filters. You can download the script file that
I tweak & use to quickly enter these filters. More information can be found at Microsoft in
Article 242468.
If anyone would like to see some common additions made, or if this page saves
you a couple minutes, please send me an email: JayRO@OhmanCorp.com.
General filters (apply in both directions):

| Description | Source Address | Source Mask | Destination Address | Destination Mask | Protocol | Source Port | Destination Port |
|---|---|---|---|---|---|---|---|
| Allow this server to be pinged, and allow replies to an outbound ping | Any | Any | Any | Any | ICMP | Any | Any |
| Allow GRE protocol for PPTP, inbound and outbound | Any | Any | Any | Any | 47 | Any | Any |
When the server is used as a workstation and/or acting as a router/NAT gateway for the LAN: allow outbound communication (these input filters admit the replies to outbound requests, so the remote service port appears as the Source Port).
* = de facto standard port

| Description | Source Address | Source Mask | Destination Address | Destination Mask | Protocol | Source Port | Destination Port |
|---|---|---|---|---|---|---|---|
| FTP (file transfer) | Any | Any | 192.168.1.2 | 255.255.255.255 | TCP | 20 | Any |
| FTP (file transfer) | Any | Any | 192.168.1.2 | 255.255.255.255 | TCP | 21 | Any |
| SMTP (outgoing email) | Any | Any | 192.168.1.2 | 255.255.255.255 | TCP | 25 | Any |
| DNS (domain name resolution) | Any | Any | 192.168.1.2 | 255.255.255.255 | TCP | 53 | Any |
| DNS (domain name resolution) | Any | Any | 192.168.1.2 | 255.255.255.255 | UDP | 53 | Any |
| HTTP (web page) | Any | Any | 192.168.1.2 | 255.255.255.255 | TCP | 80 | Any |
| POP3 (incoming email) | Any | Any | 192.168.1.2 | 255.255.255.255 | TCP | 110 | Any |
| NTP (Time Service, w32tm) | Any | Any | 192.168.1.2 | 255.255.255.255 | UDP | 123 | Any |
| SNMP (Simple Network Management Protocol) | Any | Any | 192.168.1.2 | 255.255.255.255 | UDP | 161 | Any |
| HTTPS (encrypted web page) | Any | Any | 192.168.1.2 | 255.255.255.255 | TCP | 443 | Any |
| SMTP-SSL (encrypted outgoing email, verify with email provider) | Any | Any | 192.168.1.2 | 255.255.255.255 | TCP | 465* | Any |
| RIP (Routing Information Protocol) | Any | Any | 192.168.1.2 | 255.255.255.255 | UDP | 520 | Any |
| SMTP-Alternate (outgoing email, works around SBCGlobal DSL port 25 block) | Any | Any | 192.168.1.2 | 255.255.255.255 | TCP | 587* | Any |
| POP3-SSL (encrypted incoming email) | Any | Any | 192.168.1.2 | 255.255.255.255 | TCP | 995 | Any |
| L2TP (Layer 2 VPN) | Any | Any | 192.168.1.2 | 255.255.255.255 | TCP | 1701 | Any |
| PPTP (Microsoft VPN) | Any | Any | 192.168.1.2 | 255.255.255.255 | TCP | 1723 | Any |
| RDP (Microsoft Remote Desktop and Terminal Services) | Any | Any | 192.168.1.2 | 255.255.255.255 | TCP | 3389 | Any |
| PCAnywhere (Ver. 8 and newer) | Any | Any | 192.168.1.2 | 255.255.255.255 | TCP | 5631 | Any |
| PCAnywhere (Ver. 8 and newer) | Any | Any | 192.168.1.2 | 255.255.255.255 | UDP | 5632 | Any |
To allow certain services on the server: allow inbound communication (the service's own port appears as the Destination Port).
* = de facto standard port
Be certain you want this inbound traffic!

| Description | Source Address | Source Mask | Destination Address | Destination Mask | Protocol | Source Port | Destination Port |
|---|---|---|---|---|---|---|---|
| FTP Server (file transfer) | Any | Any | 192.168.1.2 | 255.255.255.255 | TCP | Any | 20 |
| FTP Server (file transfer) | Any | Any | 192.168.1.2 | 255.255.255.255 | TCP | Any | 21 |
| SMTP Server (mail server, receive and serve email) | Any | Any | 192.168.1.2 | 255.255.255.255 | TCP | Any | 25 |
| DNS Server (domain name resolution); allow DNS requests to reach this server | Any | Any | 192.168.1.2 | 255.255.255.255 | TCP | Any | 53 |
| DNS Server (domain name resolution); allow DNS requests to reach this server | Any | Any | 192.168.1.2 | 255.255.255.255 | UDP | Any | 53 |
| HTTP (web page server) | Any | Any | 192.168.1.2 | 255.255.255.255 | TCP | Any | 80 |
| POP3 Server (mail server, deliver stored email) | Any | Any | 192.168.1.2 | 255.255.255.255 | TCP | Any | 110 |
| SNMP (Simple Network Management Protocol) | Any | Any | 192.168.1.2 | 255.255.255.255 | UDP | Any | 161 |
| HTTPS (web page server, encrypted web page) | Any | Any | 192.168.1.2 | 255.255.255.255 | TCP | Any | 443 |
| SMTP-SSL (mail server, serve encrypted email) | Any | Any | 192.168.1.2 | 255.255.255.255 | TCP | Any | 465* |
| RIP (Routing Information Protocol) | Any | Any | 192.168.1.2 | 255.255.255.255 | UDP | Any | 520 |
| SMTP-Alternate (mail, works around SBCGlobal DSL port 25 block); SMTP AUTH strongly recommended | Any | Any | 192.168.1.2 | 255.255.255.255 | TCP | Any | 587* |
| HTTPS for RWW (SBS 2008) | Any | Any | 192.168.1.2 | 255.255.255.255 | TCP | Any | 987 |
| POP3-SSL (mail server, deliver stored encrypted email) | Any | Any | 192.168.1.2 | 255.255.255.255 | TCP | Any | 995 |
| L2TP Server (Layer 2 VPN) | Any | Any | 192.168.1.2 | 255.255.255.255 | TCP | Any | 1701 |
| PPTP Server (Microsoft VPN) | Any | Any | 192.168.1.2 | 255.255.255.255 | TCP | Any | 1723 |
| RDP (Microsoft Terminal Services Server) | Any | Any | 192.168.1.2 | 255.255.255.255 | TCP | Any | 3389 |
| PCAnywhere host (Ver. 8 and newer) | Any | Any | 192.168.1.2 | 255.255.255.255 | TCP | Any | 5631 |
| PCAnywhere host (Ver. 8 and newer) | Any | Any | 192.168.1.2 | 255.255.255.255 | UDP | Any | 5632 |

Trying to get special apps to run; this worked for me.

| Description | Source Address | Source Mask | Destination Address | Destination Mask | Protocol | Source Port | Destination Port |
|---|---|---|---|---|---|---|---|
| Allow Real Audio streaming content (requires manual config in RealPlayer) | Any | Any | 192.168.1.2 | 255.255.255.255 | UDP | Any | 7070 |
| Allow Real Audio streaming content (requires manual config in RealPlayer) | Any | Any | 192.168.1.2 | 255.255.255.255 | UDP | Any | 7071 |
| Allow Real Audio streaming content (requires manual config in RealPlayer) | Any | Any | 192.168.1.2 | 255.255.255.255 | UDP | 7070 | Any |
| Allow Real Audio streaming content (requires manual config in RealPlayer) | Any | Any | 192.168.1.2 | 255.255.255.255 | UDP | 7071 | Any |
Changing a filter set

You can use the netsh command to assist in changing these filters. It would be nice to output just the filter settings, but you will need to dump all the IP routing information and then weed the dump file.

Syntax to dump the current configuration: netsh routing ip dump > FilterList.txt

Then edit the dumped text file; the filtering information is near the beginning. In my case the external interface was named "WAN", so delete from the second line (reset) through the line set filter name="WAN" filtertype=INPUT action=DROP. Then find the line containing fragcheck= and delete from that line down to the end, but leave popd. You now have a base to work with.

To change all dstaddr=<local address> entries you will need two copies of this block: in the first copy change the word 'add' to 'delete', and in the second copy change dstaddr=<old IP address> to dstaddr=<new IP address>. To add an additional set of filters, just do the second copy. There is no sense in working with filters that have dstaddr=0.0.0.0.

Syntax to import the text file configuration: netsh -f FilterList.txt (the -f switch means UseScriptFile).
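The delete-then-re-add edit described above, done by a script instead of by hand. This is an added example, not the author's script file; the dump text is a constructed sample in the layout the page describes (pushd, reset, set filter, add filter lines, fragcheck, popd), and the function names are my own.

```python
import re

# Constructed sample in the shape the page describes for "netsh routing ip dump".
# Assumed layout, not a real dump: pushd, reset, set filter, add-filter lines for
# the external interface "WAN", a fragcheck line, then popd.
SAMPLE_DUMP = """\
pushd routing ip
reset
set filter name="WAN" filtertype=INPUT action=DROP
add filter name="WAN" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=192.168.1.2 dstmask=255.255.255.255 proto=TCP srcport=0 dstport=80
add filter name="WAN" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=192.168.1.2 dstmask=255.255.255.255 proto=UDP srcport=53 dstport=0
add filter name="WAN" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=ICMP type=255 code=255
set interface name="WAN" fragcheck=disable
popd
"""

# Matches an 'add filter' line and captures the interface name and dstaddr.
FILTER_RE = re.compile(r'^add filter name="(?P<iface>[^"]+)" .*\bdstaddr=(?P<dst>[\d.]+)\b')


def readdress_filters(dump_text, iface, old_ip, new_ip):
    """Build the two-copy block the page describes.

    First copy: every 'add filter' line for `iface` whose dstaddr is old_ip,
    with 'add' changed to 'delete' (removes the old rules).
    Second copy: the same lines with dstaddr changed to new_ip (re-adds them).
    Filters with dstaddr=0.0.0.0 are skipped, as the page advises.
    Returns the lines of an importable script wrapped in pushd ... popd.
    """
    adds = []
    for line in dump_text.splitlines():
        m = FILTER_RE.match(line)
        if m and m.group("iface") == iface and m.group("dst") == old_ip:
            adds.append(line)
    deletes = [l.replace("add filter", "delete filter", 1) for l in adds]
    re_adds = [l.replace(f"dstaddr={old_ip} ", f"dstaddr={new_ip} ", 1) for l in adds]
    return ["pushd routing ip"] + deletes + re_adds + ["popd"]


if __name__ == "__main__":
    # Write the result to FilterList.txt and import it with: netsh -f FilterList.txt
    print("\n".join(readdress_filters(SAMPLE_DUMP, "WAN", "192.168.1.2", "192.168.1.3")))
```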
Reference:
IANA Port Number Reference