Snort mailing list archives

RE: Still Help Needed: i want to make a firewall


From: MirkoMaty () t-online de (Mirko Matytschak)
Date: Thu, 17 Apr 2003 10:51:20 +0200

Maybe I can help you.

If closing ports is all you need, IPSec is a very useful tool. It's part of W2K and XP. I try to give a short 
description of the steps needed to make a working filter environment. On my machine is a German version of XP, so keep 
in mind that some of the commands I mention here may have slightly different names.

Start the IPSec MMC Snap in: Start | Run | secpol.msc.

Right click on "IP Security Policies". Select "Configure IP Filter Lists and Actions", Select the left tab (IP Filter 
lists).
Add two filter lists, one for the forbidden packets, one for the allowed packets. Let's start with the forbidden ones. 
If you click "Add", you'll get a dialog, "IP Filter List". Enter a name like "Forbidden Packets", make sure to select 
the "Use Wizard" check box. Then click "Add", to add a filter rule. The wizard starts. In the following steps choose 
"Any IP Address" as Source, "My IP Address" as destination, "Any" as Protocol Type and finish the wizard. Close the IP 
Filter List dialog. Now click "Add" again for the allowed packets. Choose a name like "Allowed Packets". For each Port 
you need to have open (80, 21, 5900, or whatever) you need to add two Filter Rules. Let's start with the first rule for 
HTTP:
Source Address -> Any IP Address
Dest Address -> My IP Address 
Protocol -> TCP
From Port -> 80, To Any Port
Now the second Rule:
Source Address -> My IP Address 
Dest Address -> Any IP Address
Protocol -> TCP
From Port -> 80, To any Port
I thought at first, I should enter "From any Port, To Port 80", but that doesn't do the job. Now for each port enter a 
rule pair like shown with port 80. And don't forget to enter a pair of rules for UDP Port 53, to get your name service 
running. If you know the address of your name server, enter the specific address instead of "Any IP Address". After 
entering all Rules, click OK for the "Filter List Dialog". Now there should be four Lists in the "IP Filter Lists and 
Actions" Dialog - two preconfigured from MS and two from you. 

Now you have to enter a new Filter Action. Click on the right Tab "Manage Filter Actions". Click Add to start the 
Filter Action Wizard, select a name like "Block it baby", choose "Block", finish. Note that there is a preconfigured 
filter action for allowing Packets to pass. 

Close the "IP Filter Lists and Filter Actions" Dialog. You're back now in the MMC. 

Your job now is to apply the block action on the "Forbidden Packets" filter list and to apply the allow action on the 
"Allowed Packets" filter list.

Right click in the right panel of the MMC and choose "Create IP Security Policy". You're in another wizard. Give the 
policy a name like "Web Server". Uncheck the "Activate Standard Answer Rule" check box, Finish. Another dialog appears, 
"New IP Security Policy Properties". Make sure to check the "Use Wizard" check box. Click Add. The Policy Rule Wizard 
starts. Choose "This rule doesn't specify a tunnel". Choose "All Network Connections". Choose "Active Directory 
Standard" (in W2K: "Kerberos Protocol"). This step has no impact on the rule - just choose it. Click on "Yes" in the 
following warning. Now you get a list of your filter lists. Choose one of your lists, let's say the "Allowed Packets". 
In the next step choose "Allow", Finish. Add the second rule with the forbidden packets - same procedure, but choose 
"Block it baby" as Filter Action. Click OK. Now you're back in the MMC. You can see your new policy in the list of 
policies. Right click on it and choose "Assign". Now your policy works - you don't need to restart. If you temporarily 
want to unassign the policy, just right click at the policy and choose "Remove Assignment" - or whatever English 
translation applies for "Zuweisung entfernen" ;-).

Please mind that these steps don't protect your system against attacks over port 80. Always install the newest 
security patches, subscribe to the MS Security Bulletin and Security Focus.

Hope that helps.

Mirko
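The same filter lists, filter actions, policy and rules built from the command line instead of the MMC wizards, as an added example that is not part of Mirko's post. It assumes the "ipsec static" context of netsh (XP SP2 or Server 2003; W2K does not have it), uses netsh's mirrored filters in place of the hand-entered rule pairs, and treats port 80 as the destination port on the listening host; all names in quotes are placeholders.

```batch
@echo off
rem Assumption: the "netsh ipsec static" context (Windows XP SP2 / Server 2003).
rem All quoted names are placeholders; choose your own.

rem 1. Filter list for the forbidden packets: anything addressed to this host.
rem    mirrored=no keeps it one-way, so outbound traffic is not caught by it.
netsh ipsec static add filterlist name="Forbidden Packets"
netsh ipsec static add filter filterlist="Forbidden Packets" srcaddr=any dstaddr=me protocol=any mirrored=no

rem 2. Filter list for the allowed packets. mirrored=yes adds the reverse-direction
rem    filter automatically, i.e. the second rule of each pair. Port 0 means "any".
netsh ipsec static add filterlist name="Allowed Packets"
netsh ipsec static add filter filterlist="Allowed Packets" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=80 mirrored=yes
rem    DNS: put your name server's address in place of "any" if you know it.
netsh ipsec static add filter filterlist="Allowed Packets" srcaddr=me dstaddr=any protocol=udp srcport=0 dstport=53 mirrored=yes

rem 3. Filter actions: one that blocks, one that permits.
netsh ipsec static add filteraction name="Block it baby" action=block
netsh ipsec static add filteraction name="Permit" action=permit

rem 4. The policy, with the default response rule off and not assigned yet.
netsh ipsec static add policy name="Web Server" activatedefaultrule=no assign=no

rem 5. Bind each filter list to its action. Windows IPsec applies the most specific
rem    matching filter, so the port-specific permits win over the catch-all block.
netsh ipsec static add rule name="Allow listed ports" policy="Web Server" filterlist="Allowed Packets" filteraction="Permit"
netsh ipsec static add rule name="Block the rest" policy="Web Server" filterlist="Forbidden Packets" filteraction="Block it baby"

rem 6. Assign the policy (takes effect without a restart); assign=n removes the assignment.
netsh ipsec static set policy name="Web Server" assign=y
netsh ipsec static show policy name="Web Server"
```

Run it from an administrator's command prompt; the final show command lets you confirm the rules and filters before testing the listed ports from another machine.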
