Full Version: software firewall?
The Planet Forums > Security > Firewalls
bdee1
Can anyone suggest a good software firewall? In the past I have used Sygate, but that can be a pain because it always sets to block all traffic after it's installed, so I would have to call support and have them unblock me.

One of the SM guys on here suggested RRAS on Windows 2003, but I tried that and had no luck. I even talked to SM support and they weren't able to figure it out either.

So aside from paying for the hardware firewall, is there a good simple solution out there?
cprompt
RRAS is a simple solution, IPSEC is a good solution. Why doesn't RRAS work for you? It's not the most powerful firewall, but it works and does the job.

Other than that, you would have to buy a commercial firewall solution.
Matt2k
IPSEC on Windows 2003 is the most analogous to the Linux firewall utility. What's that interface, iptables I think? Anyway, it's not quite as powerful, but for most applications it works just fine.
bdee1
One of the problems that I ran into with RRAS was that SM says they need us to allow inbound and outbound traffic on all ports (TCP, UDP, & ICMP 1-65535) from 12.96.160/24 (12.96.160.*) in order to allow for proper management by SM, and when I asked them how to set that up with RRAS they weren't really able to give me a good answer.

Here is the transcript of the support ticket:
CODE
02/19/2005 16:44:25

Details: Before purchasing my server I posted in the presales forum asking about a firewall, and it was recommended to me by a SM staff member (klaude) that I use RRAS for my firewall.

However, in Orbit under "Managed Services Setup" it says that we are required to allow inbound and outbound traffic on all ports (TCP, UDP, & ICMP 1-65535) from 12.96.160/24 (12.96.160.*) if we want you to properly manage our server.

So the problem with this is I don't see how to open ports for a range of IP addresses using RRAS on Windows 2003.

See http://forums.servermatrix.com/viewtopic.php?p=106770#106770

Is there something I am missing? Is there a way to do this with RRAS that I don't see? If not, what else do you recommend for a software firewall?

(llawson-02/18/2005 12:19:43):
Have you added a rule to the BASIC/NAT firewall under RRAS? When you create one, you will need to allow incoming packets from 12.96.160.*. You will also want to create a deny incoming packets rule for the IP addresses you don't want accessing the server.
--------------------------------------
(bdee1-02/18/2005 12:36:54): Sorry, I am kind of new to this. According to the directions in the howto section of your message board, you say that to set up the rules:
1) open Routing and Remote Access
2) expand the servername
3) expand IP Routing
4) right click NAT/Basic Firewall and choose New Interface
5) click the Services and Ports tab
6) click Add
7) enter a name for the new Service/Rule
8) choose "On this Interface"
9) choose TCP or UDP
10) enter incoming port
11) enter Private Address
12) enter outgoing port

Now the problem with what you told me is that this only allows me to specify one incoming and one outgoing port. So how would I specify all ports? Also, it does not allow me to use a wildcard in the last part of the Private Address field (12.96.160.*).

So am I doing this wrong? Am I looking in the wrong place?

(llawson-02/18/2005 14:23:32):
It should allow the wildcard * in ports and the network address 12.96.160.0/24 (if it does not allow 12.96.160.*).
Make one entry for TCP and another one for UDP.
--------------------------------------
(bdee1-02/18/2005 18:37:20): The "Private Address" field which takes the IP address will not accept * OR 0/24 for the last part of the IP address, and the port fields do not allow me to enter a *.

(llawson-02/19/2005 10:13:30):
My apologies. Microsoft in http://support.microsoft.com/default.aspx?scid=kb;en-us;254018 says: "The input filters are set up through the RRAS console. In the RRAS console, click General under IP Routing. In the right window, double-click the external card and click Input Filters."
The rest of the article details how to set these Input Filters up.
It is not in NAT/Basic Firewall but in General. When you enter the network, the last octet should be 0 in both the network and the netmask (ie 12.96.160.0 and 255.255.255.0).
--------------------------------------
(bdee1-02/19/2005 15:53:00): OK, so just to confirm:
1) go into Routing and Remote Access
2) expand IP Routing
3) click on General
4) double click "Local Area Connection"
5) click the Inbound Filters button
6) select "Drop all packets except..."
7) click the "New..." button
8) check the "Source Network" checkbox
9) enter 12.96.160.0 for IP Address
10) enter 255.255.255.0 for Netmask
11) do I do the same for Destination Network?

Please confirm this and let me know if I should do source and destination network with the IPs you gave me.

Thanks for all your help!!
--------------------------------------
(bdee1-02/19/2005 16:00:54): I just tried doing this and I think I locked myself out. I no longer have RDP access.

Could you please disable the RRAS service?

(plentz-02/19/2005 16:06:15):
Doing this now...

(plentz-02/19/2005 16:20:04):
I have turned the RRAS off on this server and am able to login with Remote Desktop now.
--------------------------------------
(bdee1-02/19/2005 16:34:54): I am really sorry, but I just locked myself out again. I went into RRAS, removed the rule that caused me to be locked out, and then started the service again.

And I am not sure why, but it locked me out.

At this point I think I give up on RRAS. If I really want a firewall I may just get a hardware firewall sometime in the future.

Could you please disable RRAS again for me? Once I am back in I will just disable the RRAS service and tell it not to start at system startup.

Thanks again.
--------------------------------------
(bdee1-02/19/2005 16:36:20): OK, sorry to be a pain, but somehow it looks like I am back in. It looks like it just temporarily disabled RDP while the service was starting, so I am all set.

(bmcadams-02/19/2005 16:44:25):
Wonderful to hear!

I am closing this ticket at this time.

Please let us know if you require any further assistance. Thank you for choosing ServerMatrix!


Don't get me wrong, I am not putting this up here to bash SM support in any way. They have actually been very helpful with many other issues for me, far better than other providers I have dealt with. I am just posting this so that we can possibly figure out how to properly do this.

Any help would be greatly appreciated. At some point when I have a few more clients I will just get the hardware firewall, but I just can't swing it right now and I don't want to go totally unprotected.
cprompt
Yep, that's the limitation of RRAS: you can't do ranges. You'll need to go to IPSEC for that; somebody posted a bunch of scripts recently that will do everything you need. Do a search for it, it's about 2 weeks old I think.

Also, you will find with RRAS that if the service reloads or restarts when you hit Apply, you will lose your RDP connection. However, that's normal and RDP will reconnect automatically after a few seconds of you pulling your hair out ;)
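Editor's added example (not code from the thread, from ServerMatrix, or from the scripts cprompt mentions): the IPsec-filter approach cprompt points to, done with the Windows Server 2003 "netsh ipsec static" context, for the exact requirement in bdee1's ticket (permit all TCP, UDP and ICMP to and from 12.96.160.0/24) plus a default inbound block. It also covers what the RRAS input-filter steps in the transcript were trying to do. The policy, filter list and rule names are made up for this example, and ADMIN_IP is a placeholder for your own workstation's address; it is there because a "drop everything except the management /24" filter, on its own, also drops your RDP session, which is what the lockout in the ticket looks like.

```batch
@echo off
rem Added example, not part of the original thread. Host firewall on Windows
rem Server 2003 built from IPsec filters (the "netsh ipsec static" context
rem exists on Server 2003; XP uses ipseccmd instead).
rem Names below (SM-*) and ADMIN_IP are placeholders, not anything SM documents.

rem ASSUMPTION: the public IP you administer from, so RDP survives the block rule.
set ADMIN_IP=203.0.113.10

rem Filter actions: permit in the clear, or block.
netsh ipsec static add filteraction name="SM-Permit" action=permit
netsh ipsec static add filteraction name="SM-Block"  action=block

rem 1. Management /24 from the ticket: all protocols (covers TCP, UDP and ICMP),
rem    both directions (mirrored=yes adds the reverse filter). IPsec picks the
rem    MOST SPECIFIC matching filter, not the first, so this wins over the
rem    Any->Me block further down whatever order the rules are listed in.
netsh ipsec static add filterlist name="SM-Mgmt"
netsh ipsec static add filter filterlist="SM-Mgmt" srcaddr=12.96.160.0 srcmask=255.255.255.0 dstaddr=Me protocol=ANY mirrored=yes description="management /24, all traffic"

rem 2. What the server actually serves, plus RDP from the admin address only.
rem    srcport=0 means any source port.
netsh ipsec static add filterlist name="SM-Services"
netsh ipsec static add filter filterlist="SM-Services" srcaddr=Any dstaddr=Me protocol=TCP srcport=0 dstport=80   mirrored=yes description="HTTP"
netsh ipsec static add filter filterlist="SM-Services" srcaddr=Any dstaddr=Me protocol=TCP srcport=0 dstport=443  mirrored=yes description="HTTPS"
netsh ipsec static add filter filterlist="SM-Services" srcaddr=%ADMIN_IP% dstaddr=Me protocol=TCP srcport=0 dstport=3389 mirrored=yes description="RDP from admin only"

rem 3. Outbound the server itself needs (DNS, web for updates). IPsec filters
rem    are stateless, so the mirror of each of these is what lets the replies
rem    back in past the block below.
netsh ipsec static add filterlist name="SM-Outbound"
netsh ipsec static add filter filterlist="SM-Outbound" srcaddr=Me dstaddr=Any protocol=UDP srcport=0 dstport=53  mirrored=yes description="DNS out"
netsh ipsec static add filter filterlist="SM-Outbound" srcaddr=Me dstaddr=Any protocol=TCP srcport=0 dstport=80  mirrored=yes description="HTTP out"
netsh ipsec static add filter filterlist="SM-Outbound" srcaddr=Me dstaddr=Any protocol=TCP srcport=0 dstport=443 mirrored=yes description="HTTPS out"

rem 4. Everything else inbound: blocked. Not mirrored, so it only matches Any->Me.
netsh ipsec static add filterlist name="SM-Inbound-All"
netsh ipsec static add filter filterlist="SM-Inbound-All" srcaddr=Any dstaddr=Me protocol=ANY mirrored=no description="default deny inbound"

rem Tie lists to actions in one policy, then assign it (assigning is what
rem makes it live; only one IPsec policy can be assigned at a time).
netsh ipsec static add policy name="SM-Firewall" description="host firewall via IPsec filters"
netsh ipsec static add rule name="Allow-Mgmt"     policy="SM-Firewall" filterlist="SM-Mgmt"        filteraction="SM-Permit"
netsh ipsec static add rule name="Allow-Services" policy="SM-Firewall" filterlist="SM-Services"    filteraction="SM-Permit"
netsh ipsec static add rule name="Allow-Outbound" policy="SM-Firewall" filterlist="SM-Outbound"    filteraction="SM-Permit"
netsh ipsec static add rule name="Block-Inbound"  policy="SM-Firewall" filterlist="SM-Inbound-All" filteraction="SM-Block"
netsh ipsec static set policy name="SM-Firewall" assign=y

rem Check what is active. To back out without touching the rules:
rem   netsh ipsec static set policy name="SM-Firewall" assign=n
netsh ipsec static show policy name="SM-Firewall" level=verbose
```

Two things to check before running it on a remote box. First, the IPSEC Services service must be running or nothing is enforced. Second, because the filters are stateless, anything the server initiates that is not covered by a mirrored Me->Any filter (list 3) will have its replies dropped by the Any->Me block; add the ports you need there rather than widening the block. If you do lock yourself out, unassigning the policy (assign=n) from a console session or via the provider is the fix, and unlike the RRAS restart in the thread, assigning an IPsec policy does not drop an existing RDP session by itself.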