Full Version: Windows 2003 Firewall
The Planet Forums > Security > General Security > Windows Security
rabbit994
Due to a limit in Teamspeak only allowing 20 IP bans, I need a firewall for Windows 2003 which will allow me to block certain IPs. It doesn't however need to do ANY packet filtering or port blocking. It just needs to check to see if the IP specified is on its list and if it is, drop the connection; otherwise, let the connection go through. Any ideas? (I prefer not to pay SM for something so simplistic)
klaude
The default windows 2003 firewall isn't that nice for multi IP machines. Check the HOW-TO forum for how to work RRAS into a nice firewall.

I'm moving this to the Windows security forum.
tritium
More importantly, klaude, how can it be configured to play nice with SM's IP-range requirements? I'm interested in the easiest solution, and I'm not likely to ever require extra IPs. Ergo, I arrive with the Windows 2003 Firewall as my favorite option. Unfortunately, I haven't found any information on how to make this platform work within the requirements set forth in the welcome email (responds to all ports when request from SM IP-range) but closes out/down the rest of the world.
JackD
Use IPSec.

http://www.analogx.com/contents/articles/ipsec.htm
KevinNYC
JackD is right. You can't do ranges in RRAS.

The easy, but slightly more risky thing to do is to just allow those ports in general. I really doubt anybody's looking for those ports and even if they are, I doubt there's anything bad they can do with them.
tritium
lol, Kevin.

SM wants ports 1 through 65535 to remain open. That's *all* the ports Windows has to offer. ;-)

I'm going to try setting up RRAS with the one recommendation from Lunch[box] this afternoon and see what I get.
cjwilson99
Copy this and paste it into a text file and change the extension to .cmd. Change the 100.100.100.100 address to the address you want to block.


Start copy HERE
REM © Microsoft Corporation 1997-2003

REM Packet Filters for Server Hardening
REM
REM Name: PacketFilters-ServerHost.CMD
REM Version: 1.0

REM This CMD file provides the proper NETSH syntax for creating an IPSec Policy
REM that blocks all network traffic to an SMTP Bastion Host except for what is
REM explicitly allowed as described in the Windows 2003 Server Solution Guide.
REM Please read the entire guide before using this CMD file.

REM Revision History
REM 0000 - Original March 21, 2003
REM 0001 - Original April 16, 2003

:IPSec Policy Definition
netsh ipsec static add policy name="Packet Filters - Your Web Host" description="Server Hardening Policy" assign=no

:IPSec Filter List Definitions
netsh ipsec static add filterlist name="Banned IPS" description="Server Hardening"

:IPSec Filter Action Definitions
netsh ipsec static add filteraction name=SecPermit description="Allows Traffic to Pass" action=permit
netsh ipsec static add filteraction name=Block description="Blocks Traffic" action=block

:IPSec Filter Definitions
netsh ipsec static add filter filterlist="Banned IPS" srcaddr=100.100.100.100 dstaddr=me description="Banned IPS" protocol=any srcport=0 dstport=0

:IPSec Rule Definitions
netsh ipsec static add rule name="Banned IP Rule" policy="Packet Filters - Your Web Host" filterlist="Banned IPS" kerberos=yes filteraction=Block

END COPY HERE.

This will create an IPsec policy and add a list of blocked IP addresses. You will need to open an MMC and add the "IP Security Policies" snap-in to assign the policy to your server. From that point you can run the command:

netsh ipsec static add filter filterlist="Banned IPS" srcaddr=PUT.BANNED.IP.HERE dstaddr=me description="Banned IPS" protocol=any srcport=0 dstport=0

from a command line with the ip you want to ban and it will be banned.
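As an added example, not code from cjwilson99's post: a batch file that bulk-loads a ban list into the same "Banned IPS" filter list, assigns the policy with netsh instead of the MMC snap-in, and prints the result so you can verify it. It assumes a constructed banlist.txt in the current directory with one entry per line, either a host ("203.0.113.9") or an address and mask ("203.0.113.0 255.255.255.0") for a whole range.

```batch
@echo off
REM Added example (not from the original post): load a ban list into the
REM "Banned IPS" filter list created by the script above, then assign the
REM policy from the command line instead of the IP Security Policies snap-in.
REM banlist.txt format (constructed, an assumption of this example):
REM   203.0.113.9                  bans one host
REM   203.0.113.0 255.255.255.0    bans a range (address and mask)
REM   lines starting with # are ignored
setlocal
set FILTERLIST=Banned IPS
set POLICY=Packet Filters - Your Web Host
if not exist banlist.txt (
    echo banlist.txt not found
    exit /b 1
)
for /f "usebackq eol=# tokens=1,2" %%A in ("banlist.txt") do (
    if "%%B"=="" (
        REM single host: without srcmask the filter matches exactly this address
        netsh ipsec static add filter filterlist="%FILTERLIST%" srcaddr=%%A dstaddr=me description="Banned %%A" protocol=any srcport=0 dstport=0 mirrored=yes
    ) else (
        REM whole subnet: the mask turns the filter into a range
        netsh ipsec static add filter filterlist="%FILTERLIST%" srcaddr=%%A srcmask=%%B dstaddr=me description="Banned %%A mask %%B" protocol=any srcport=0 dstport=0 mirrored=yes
    )
)
REM assign the policy so the block filters take effect (the post does this in the MMC)
netsh ipsec static set policy name="%POLICY%" assign=yes
REM verify: list the filters now in the list and confirm the policy is assigned
netsh ipsec static show filterlist name="%FILTERLIST%" level=verbose
netsh ipsec static show policy name="%POLICY%"
endlocal
```

Only one local IPsec policy can be assigned on a host at a time, so if the server already has an assigned policy, add the "Banned IPS" list as a block rule to that policy rather than assigning this one over it.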
claudioszykman
Please check out my post regarding the Full Windows Free Server Firewall with Brute Force Detection in the How-To and Windows Security boards

Thanks

Claudio
beta
Could you use that to prevent DDoS attacks? I get attacked almost daily and the DDoS bots' hostnames end with .jp

Could I block *.jp hostnames through that?

thanks.
markcausa
Yes, you should be able to block using that method.
Eddieduce
QUOTE (cjwilson99 @ Jan 28 2005, 12:55 PM) *
Copy this and paste it into a text file and change the extension to .cmd. Change the 100.100.100.100 address to the address you want to block.


Has anybody else tried this script? I am having multiple and constant hack attempts from all over the world on my machine by a specific group (not range) of IPs. This would be perfect for blocking them.


Thanks in advance.
imjames407
The default Windows 2003 firewall isn't that nice.
Ryan Bennett
Basically, the script above is only configuring an IPSEC policy to drop traffic to/from specific IPs to any port destination to/from the local host. For most users, it is probably easier to configure an IPSEC policy using the Local Security Policy MMC snap-in with the policy wizard. The 'netsh' utility definitely makes some IPSEC configuration tasks easier, especially with regards to automation and the application of larger filters.

With regards to doing brute force / denial of service detection with IPSEC, something would normally have to be scripted that would do a connection comparison and add a filter to an existing IPSEC policy based on the results you are looking for. We have done several custom setups like this in the past. If you are interested in us doing this for you, open a ticket through Orbit so we can provide you with a quote.
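One way to script the connection comparison described above, as an added example that is neither from the post nor the provider's own setup: it counts established TCP connections per remote address with netstat and appends a block filter to the "Banned IPS" list for any address over a constructed threshold. It assumes the filter list and policy from earlier in the thread already exist and are assigned.

```batch
@echo off
REM Added example, not from the post: count established TCP connections per
REM remote address and auto-ban any address that exceeds THRESHOLD by adding
REM it to the "Banned IPS" filter list (assumed to exist and to be assigned).
setlocal enabledelayedexpansion
set THRESHOLD=50
set FILTERLIST=Banned IPS
set TMP_IPS=%TEMP%\conn_ips.txt
if exist "%TMP_IPS%" del "%TMP_IPS%"
REM netstat lines look like: "  TCP  10.0.0.5:8767  203.0.113.9:51234  ESTABLISHED"
REM token 3 is the foreign address; cut it at the colon to drop the port
for /f "tokens=3" %%L in ('netstat -n -p tcp ^| findstr /c:"ESTABLISHED"') do (
    for /f "delims=:" %%I in ("%%L") do >>"%TMP_IPS%" echo %%I
)
if not exist "%TMP_IPS%" exit /b 0
REM sort so identical addresses are adjacent, then count the length of each run
set PREV=
set COUNT=0
for /f %%I in ('sort "%TMP_IPS%"') do (
    if "%%I"=="!PREV!" (
        set /a COUNT+=1
    ) else (
        call :check
        set PREV=%%I
        set COUNT=1
    )
)
call :check
del "%TMP_IPS%"
exit /b 0

:check
REM called once per run of identical addresses; PREV and COUNT are read at call time
if "%PREV%"=="" exit /b 0
if %COUNT% GEQ %THRESHOLD% (
    echo Blocking %PREV% with %COUNT% established connections
    netsh ipsec static add filter filterlist="%FILTERLIST%" srcaddr=%PREV% dstaddr=me description="Auto-ban %PREV%" protocol=any srcport=0 dstport=0
)
exit /b 0
```

Run it from Task Scheduler every few minutes, and tune THRESHOLD above what a single legitimate client, or a NAT gateway fronting many users, can reasonably hold so that it does not ban your own customers.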