Snort mailing list archives
RE: Still Help Needed: i want to make a firewall
From: MirkoMaty () t-online de (Mirko Matytschak)
Date: Thu, 17 Apr 2003 10:51:20 +0200
Maybe I can help you. If closing ports is all you need, IPSec is a very useful tool. It's part of W2K and XP. I'll try to give a short description of the steps needed to make a working filter environment. On my machine is a German version of XP, so keep in mind that some of the commands I mention here may have slightly different names.

Start the IPSec MMC Snap-in: Start | Run | secpol.msc. Right click on "IP Security Policies". Select "Configure IP Filter Lists and Actions", then select the left tab (IP Filter Lists). Add two filter lists, one for the forbidden packets, one for the allowed packets.

Let's start with the forbidden ones. If you click "Add", you'll get a dialog, "IP Filter List". Enter a name like "Forbidden Packets", and make sure to select the "Use Wizard" check box. Then click "Add" to add a filter rule. The wizard starts. In the following steps choose "Any IP Address" as Source, "My IP Address" as Destination, "Any" as Protocol Type and finish the wizard. Close the IP Filter List dialog.

Now click "Add" again for the allowed packets. Choose a name like "Allowed Packets". For each port you need to have open (80, 21, 5900, or whatever) you need to add two filter rules. Let's start with the first rule for HTTP:

Source Address -> Any IP Address
Dest Address -> My IP Address
Protocol -> TCP
From Port -> 80, To Any Port

Now the second rule:

Source Address -> My IP Address
Dest Address -> Any IP Address
Protocol -> TCP
From Port -> 80, To Any Port

I thought at first I should enter "From any Port, To Port 80", but that doesn't do the job. Now for each port enter a rule pair like shown with port 80. And don't forget to enter a pair of rules for UDP port 53, to get your name service running. If you know the address of your name server, enter the specific address instead of "Any IP Address". After entering all rules, click OK for the "Filter List" dialog. Now there should be four lists in the "IP Filter Lists and Actions" dialog - two preconfigured from MS and two from you.

Now you have to enter a new filter action. Click on the right tab "Manage Filter Actions". Click Add to start the Filter Action Wizard, select a name like "Block it baby", choose "Block", finish. Note that there is a preconfigured filter action for allowing packets to pass. Close the "IP Filter Lists and Filter Actions" dialog. You're back now in the MMC.

Your job now is to apply the block action on the "Forbidden Packets" filter list and to apply the allow action on the "Allowed Packets" filter list. Right click in the right panel of the MMC and choose "Create IP Security Policy". You're in another wizard. Give the policy a name like "Web Server". Uncheck the "Activate Standard Answer Rule" check box, Finish. Another dialog appears, "New IP Security Policy Properties". Make sure to check the "Use Wizard" check box. Click Add. The Policy Rule Wizard starts. Choose "This rule doesn't specify a tunnel". Choose "All Network Connections". Choose "Active Directory Standard" (in W2K: "Kerberos Protocol"). This step has no impact on the rule - just choose it. Click on "Yes" in the following warning. Now you get a list of your filter lists. Choose one of your lists, let's say the "Allowed Packets". In the next step choose "Allow", Finish. Add the second rule with the forbidden packets - same procedure, but choose "Block it baby" as Filter Action. Click OK. Now you're back in the MMC. You can see your new policy in the list of policies.

Right click on it and choose "Assign". Now your policy works - you don't need to restart. If you temporarily want to unassign the policy, just right click on the policy and choose "Remove Assignment" - or whatever English translation applies for "Zuweisung entfernen" ;-).

Please mind that these steps don't protect your system against attacks over port 80. Always install the newest security patches, and subscribe to the MS Security Bulletin and Security Focus.

Hope that helps.

Mirko
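Added example, not part of Mirko's post: the same policy built from the command line with netsh ipsec static, so it can be scripted and re-applied identically on several hosts instead of clicked through the MMC. It assumes a Windows version where the netsh ipsec context exists (XP SP2 / Server 2003 or later; the context is not on the original XP the post describes). The list, action and policy names are the ones used in the post; the DNS server address is a placeholder to replace. Filters are added with mirrored=yes, which makes netsh create the reverse-direction filter itself, so one command per port stands in for the hand-entered pair.

```batch
@echo off
rem Added example: netsh equivalent of the MMC steps in the post above.
rem Assumes the "netsh ipsec static" context (XP SP2 / Server 2003 or later).
rem Names are taken from the post; DNS_SERVER is a placeholder (TEST-NET address).
setlocal
set DNS_SERVER=192.0.2.53

rem 1. Catch-all filter list for inbound packets (the "Forbidden Packets" list).
rem    mirrored=no blocks only traffic arriving at this host; use mirrored=yes
rem    if traffic the host itself initiates should be blocked as well.
netsh ipsec static add filterlist name="Forbidden Packets" description="Catch-all for inbound traffic"
netsh ipsec static add filter filterlist="Forbidden Packets" srcaddr=any dstaddr=me protocol=any mirrored=no

rem 2. Filter list for the services that must stay reachable. srcport=0 means
rem    "any port". mirrored=yes adds the opposite-direction filter automatically.
netsh ipsec static add filterlist name="Allowed Packets" description="Services exposed to the network"
netsh ipsec static add filter filterlist="Allowed Packets" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=80 mirrored=yes description="HTTP"
netsh ipsec static add filter filterlist="Allowed Packets" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=21 mirrored=yes description="FTP control"
rem    DNS lookups originate on this host, so the direction is me -> resolver, UDP 53.
rem    Pinning the resolver address is tighter than dstaddr=any.
netsh ipsec static add filter filterlist="Allowed Packets" srcaddr=me dstaddr=%DNS_SERVER% protocol=udp srcport=0 dstport=53 mirrored=yes description="DNS"

rem 3. Filter actions. A permit action is created explicitly rather than relying
rem    on the preconfigured one, so the script does not depend on its localized name.
netsh ipsec static add filteraction name="Block it baby" action=block
netsh ipsec static add filteraction name="Permit" action=permit

rem 4. Policy with two rules, default response rule left off as in the post.
rem    IPsec matches the most specific filter first, so the port-specific
rem    permits take precedence over the catch-all block.
netsh ipsec static add policy name="Web Server" description="Block everything except listed services" activatedefaultrule=no assign=no
netsh ipsec static add rule name="Allow services" policy="Web Server" filterlist="Allowed Packets" filteraction="Permit"
netsh ipsec static add rule name="Block the rest" policy="Web Server" filterlist="Forbidden Packets" filteraction="Block it baby"

rem 5. Assign (activate) the policy; takes effect without a reboot.
rem    To back it out: netsh ipsec static set policy name="Web Server" assign=n
netsh ipsec static set policy name="Web Server" assign=y

rem 6. Show what is now in force, so the result can be checked before logging off.
netsh ipsec static show policy name="Web Server" level=verbose
endlocal
```

Run it from an administrative command prompt, ideally on the console rather than over a remote session, since an error in the allowed list locks you out exactly as a mis-clicked GUI rule would. The caveat at the end of the post still applies: the policy only limits which ports are reachable, it does nothing about the service listening on port 80 itself.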