[ale] Open Source Firewall for Windows 2000/XP?

Byron A Jeff byron at cc.gatech.edu
Tue Jun 8 11:15:00 EDT 2004


On Tue, Jun 08, 2004 at 09:30:35AM -0400, Jonathan Glass wrote:
- On Tue, 2004-06-08 at 09:27, Jonathan Glass wrote:
- > On Tue, 2004-06-08 at 09:19, Geoffrey wrote:
- > > Jonathan Glass wrote:

[SNIP]

- > > Is it possible to explicitly block these ports, or are they ALWAYS open?
- > 
- > Therein lies the rub.  I have gone through my client machines, and
- > killed these services, and closed the ports, but port scanning the
- > machines using a source port of 500 still allows me full access to the
- > boxes.  :(
- 
- 
- Straight from the microsoft documentation on disabling this
- kerberos-ipsec exemption:
- http://tinyurl.com/3d8f4

Excellent.

I'm back with another question. First thanks to Jonathan for all the great
info. I even discussed the issue in my Information Security class yesterday.

A few more questions came from that discussion: 

1) Presuming that all ports are turned off, what is the consequence for a
client only Windows machine that offers no services?

2) Where can the cool script that you generated be put so that protection is
automagically invoked when the machine is booted?

3) It seems that the scripts only block certain ports. Is it possible to
specify blockage of all incoming ports (i.e. [*=0:*,TCP]?) Never mind, I found
it here:

---------------------------------------------
http://win2k.uwaterloo.ca/IP_Security/Servers_IPSEC.htm

example:
ipsecpol -x -w reg -p "UW DC Policy" -r "TCP Blocked" -n BLOCK  -f *+0::TCP
#The first blocks all TCP traffic to and from anywhere to the server where 
#this is run.

A followup explanation of the filter specification:

Our Filter Explained:

'-f 129.97.*.*+0::TCP' defines a source mask of 129.97.*.* meaning from
anywhere on campus.

The '+' mirrors the filter meaning source to destination and destination to
source, [BAJ Note: use an '=' for a filter in a single direction]

The '0' defines our destination as the IP address of the workstation it's
defined on,

and the port controlled is all TCP since there is no number between the two
colons.
---------------------------------------------

 
A bit overreaching, but gives enough information in order to tailor the
policy.

I see two possible configs:

1) Machine on unprotected network. All incoming ports (including port 500)
closed. Would the machine function in this configuration?

2) Machine on firewall protected network. What ports would need to be open 
in order to get ordinary windows authentication and sharing services?

Thanks for all the help Jonathan. Oh BTW the last name is Jeff, not Jeffy as
you have in your acknowledgement on your web page.

BAJ
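An added example (editor's code, not from Byron's post or the uwaterloo page): a small Python model of the `-f` filter spec explained in the quoted excerpt. It parses the src[:port](=|+)dst[:port][:proto] form, expands '+' into both directions, and runs a few constructed packets through the page's block-all-TCP filter. It assumes two things about Windows 2000/XP IPsec that the page does not state: filters are stateless (each packet, including the reply half of a TCP connection, is judged on its own) and the most specific matching filter wins. The local address, the PASS rule for SMB from campus and the packets are all constructed. It does not model the default exemptions, which are checked before any filter is consulted; on Windows 2000/XP those are removed with the NoDefaultExempt=1 DWORD under HKLM\SYSTEM\CurrentControlSet\Services\IPSEC, which is the setting Microsoft documents for disabling the Kerberos/IKE exemption.

```python
"""Model of ipsecpol -f filter specs (added example, not code from the post).

Spec form taken from the quoted explanation: src[:port](=|+)dst[:port][:proto]
with '*' = any address, '0' = this machine, '129.97.*.*' or a.b.c.d/mask = a
range, '+' = mirrored, '=' = one direction, empty port = all ports.
Stateless, most-specific-match evaluation is an assumption about Windows IPsec.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

LOCAL_IP = "129.97.10.20"  # constructed: the workstation the policy is assigned to
_SPEC_RE = re.compile(r"^([^=+]+)([=+])(.+)$")


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "TCP", "UDP", ...


@dataclass(frozen=True)
class Filter:
    action: str            # ipsecpol -n value: BLOCK or PASS
    src_addr: str
    src_port: Optional[int]
    dst_addr: str
    dst_port: Optional[int]
    proto: Optional[str]   # None = any protocol
    mirrored: bool         # '+' in the spec


def parse_filter(action: str, spec: str) -> Filter:
    """Turn '-n ACTION -f SPEC' into a Filter."""
    m = _SPEC_RE.match(spec.strip())
    if not m:
        raise ValueError(f"bad filter spec: {spec!r}")
    src, op, dst = m.groups()
    src_addr, _, src_port = src.partition(":")
    dst_addr, dst_port, proto = (dst.split(":") + ["", ""])[:3]  # port/proto optional
    return Filter(action.upper(), src_addr, int(src_port) if src_port else None,
                  dst_addr, int(dst_port) if dst_port else None,
                  proto.upper() or None, op == "+")


def addr_matches(spec: str, ip: str, local_ip: str = LOCAL_IP) -> bool:
    """Does an address spec ('*', '0', a.b.c.d/mask or wildcard octets) cover ip?"""
    if spec == "*":
        return True
    if spec == "0":
        return ip == local_ip
    if "/" in spec:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return all(s == "*" or s == o for s, o in zip(spec.split("."), ip.split(".")))


def _one_way(f: Filter, p: Packet, s_addr, s_port, d_addr, d_port) -> bool:
    return (addr_matches(s_addr, p.src_ip) and addr_matches(d_addr, p.dst_ip)
            and (s_port is None or s_port == p.src_port)
            and (d_port is None or d_port == p.dst_port)
            and (f.proto is None or f.proto == p.proto))


def matches(f: Filter, p: Packet) -> bool:
    """Stateless match; a mirrored ('+') filter also matches with the ends swapped."""
    if _one_way(f, p, f.src_addr, f.src_port, f.dst_addr, f.dst_port):
        return True
    return f.mirrored and _one_way(f, p, f.dst_addr, f.dst_port, f.src_addr, f.src_port)


def _addr_weight(spec: str) -> int:
    if spec == "*":
        return 0
    return 2 if spec == "0" or ("*" not in spec and "/" not in spec) else 1


def specificity(f: Filter) -> int:
    """Rough filter weight (assumed): host > range > any; a port or protocol adds 1."""
    return (_addr_weight(f.src_addr) + _addr_weight(f.dst_addr)
            + (f.src_port is not None) + (f.dst_port is not None) + (f.proto is not None))


def evaluate(policy: list, p: Packet) -> str:
    """Action for p: most specific matching filter wins; no match means IPsec passes it."""
    hits = [f for f in policy if matches(f, p)]
    return max(hits, key=specificity).action if hits else "PASS"


# Constructed policies: the page's block-all-TCP filter plus a PASS for SMB from
# campus, and the same block written with '=' (one direction: anywhere -> me).
MIRRORED_BLOCK = [parse_filter("BLOCK", "*+0::TCP"),
                  parse_filter("PASS", "129.97.*.*+0:445:TCP")]
INBOUND_ONLY_BLOCK = [parse_filter("BLOCK", "*=0::TCP")]

# Constructed packets (default exemptions such as IKE/Kerberos are not modelled).
SYN_FROM_INTERNET = Packet("198.51.100.7", 3456, LOCAL_IP, 445, "TCP")
SYN_FROM_CAMPUS = Packet("129.97.5.5", 1034, LOCAL_IP, 445, "TCP")
OUTBOUND_SYN = Packet(LOCAL_IP, 1025, "192.0.2.10", 80, "TCP")
REPLY_TO_OUTBOUND = Packet("192.0.2.10", 80, LOCAL_IP, 1025, "TCP")

if __name__ == "__main__":
    for name, pol in (("mirrored", MIRRORED_BLOCK), ("inbound-only", INBOUND_ONLY_BLOCK)):
        for pkt in (SYN_FROM_INTERNET, SYN_FROM_CAMPUS, OUTBOUND_SYN, REPLY_TO_OUTBOUND):
            print(f"{name:12} {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}"
                  f" {pkt.proto}: {evaluate(pol, pkt)}")
```

Running it shows why the mirrored `*+0::TCP` filter also kills connections the workstation opens, and why the one-direction `*=0::TCP` form does too: the outbound SYN leaves, but the SYN/ACK coming back from port 80 is just another packet from anywhere to `0` and matches the block. Without connection tracking, "block all incoming TCP" and "block all TCP" come to the same thing, which is the caveat to weigh before answering the "would the machine function" question. On the boot question: `ipsecpol -w reg` writes the policy to the registry rather than the default dynamic store, so a policy assigned with `-x` is in force again after a reboot without any startup script.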


