
[no subject]



Should be minimal, since you're only restricting incoming
communication.  That being said, test and let me know!

> 2) Where can the cool script that you generated be put so that protection is
> automagically invoked when the machine is booted?

IIRC, this script is making changes to the registry, so you run it once,
and it stays set.

> 3) It seems that the scripts only block certain ports. Is it possible to
> specify blockage of all incoming ports (i.e. [*=0:*,TCP]?) Never mind I found
> it here:

Thanks for the info.

&gt; ---------------------------------------------
&gt; <a  rel="nofollow" href="http://win2k.uwaterloo.ca/IP_Security/Servers_IPSEC.htm">http://win2k.uwaterloo.ca/IP_Security/Servers_IPSEC.htm</a>
&gt; 
&gt; example:
&gt; ipsecpol -x -w reg -p &quot;UW DC Policy&quot; -r &quot;TCP Blocked&quot; -n BLOCK  -f *+0::TCP
&gt; #The first blocks all TCP traffic to and from anywhere to the server where 
&gt; #this is run.
&gt; 
&gt; A followup explanation of the filter specification:
&gt; 
&gt; Our Filter Explained:
&gt; 
&gt; '-f 129.97.*.*+0::TCP' defines a source mask of 129.97.*.* meaning from
&gt; anywhere on campus.
&gt; 
&gt; The '+' mirrors the filter meaning source to destination and destination to
&gt; source, [BAJ Note: use an '=' for a filter in a single direction]
&gt; 
&gt; The '0' defines our destination as the IP address of the workstation it's
&gt; defined on,
&gt; 
&gt; and the port controlled is all TCP since there is no number between the two
&gt; colons.
&gt; ---------------------------------------------
&gt; 
&gt;  
&gt; A bit overreaching, but gives enough information in order to tailor the
&gt; policy.
&gt; 
&gt; I see two possible configs:
&gt; 
&gt; 1) Machine on unprotected network. All incoming ports (including port 500)
&gt; closed. Would the machine function in this configuration?

Yes, with a possible problem in a domain configuration.  We had some
strange behavior when we blocked all incoming ports.  That's why there
is a hole for the local subnet for file and print sharing and RPC
traffic to the PDC &amp; File servers.  I didn't have a great deal of time
to work with it, so I left it as you see it.

&gt; 2) Machine on firewall protected network. What ports would need to be open 
&gt; in order to get ordinary windows authentication and sharing services?

Should be port 135 for the RPC stuff, then 445 (2000/XP only network),
or 139 for a WinNT/9x network.

&gt; Thanks for all the help Jonathan. Oh BTW the last name is Jeff, not Jeffy as
&gt; you have in your acknowledgement on your web page.

Oops! Typo corrected.

&gt; 
&gt; BAJ
&gt; _______________________________________________
&gt; Ale mailing list
&gt; Ale at ale.org
&gt; <a  rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale">http://www.ale.org/mailman/listinfo/ale</a>


-- 
Jonathan Glass
Systems Support Specialist II
Institute for Bioengineering &amp; Bioscience
Georgia Institute of Technology
Email: jonathan.glass at ibb.gatech.edu
Office: 404-385-0127
Fax: 404-894-2291
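
The quoted filter explanation above ('*' source, '+' mirror, '0' = this host, nothing between the colons = all ports) and the reply's list of ports to leave open (135 for RPC, 445 or 139 for sharing) are easy to get wrong when tailoring the policy. The following is an added example, written for this archive page and not code from the post, the uwaterloo page or the Resource Kit: a small parser for ipsecpol '-f' filter specs plus an evaluator that says which filter a given packet hits. It assumes the Resource Kit grammar src[:port]{=|+}dst[:port][:proto]; DNS-name endpoints are not handled, the subnet 192.0.2.0/24 and host 192.0.2.10 are constructed stand-ins for a real LAN, and the "most specific filter wins" tie-break is a simplified model of how Windows IPsec orders overlapping filters, not a reimplementation of it.

```python
"""Parse ipsecpol.exe '-f' filter specs and work out which filter a packet hits.

Added example, not code from the ALE post or the uwaterloo page. Assumes the
Resource Kit grammar  src[:port]{=|+}dst[:port][:proto]  with '0' = this host,
'*' = any host, 'A.B.*.*' = wildcard subnet, 'A.B.C.D/M.M.M.M' = masked subnet;
'+' mirrors the filter, '=' does not. DNS-name endpoints are not handled and the
'most specific filter wins' tie-break is a simplified model of Windows IPsec.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PROTO_NUMBERS = {"ICMP": 1, "TCP": 6, "UDP": 17, "RAW": 255}
ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Endpoint:
    net: Optional[ipaddress.IPv4Network]  # None stands for '0', the host the policy runs on
    port: Optional[int]                   # None means every port (nothing between the colons)


@dataclass(frozen=True)
class Filter:
    spec: str
    src: Endpoint
    dst: Endpoint
    proto: Optional[int]  # None means every protocol
    mirrored: bool        # True for '+', False for '='


def parse_host(text):
    """Turn an ipsecpol address token into a network, or None for '0' (me)."""
    if text == "0":
        return None
    if text == "*":
        return ANY_NET
    if "*" in text:
        octets = text.split(".")
        stars = [o == "*" for o in octets]
        # Only trailing wildcards give a contiguous mask: 129.97.*.* is fine, 129.*.5.* is not.
        if len(octets) != 4 or stars != sorted(stars):
            raise ValueError("unsupported wildcard address: %s" % text)
        base = ".".join("0" if star else o for o, star in zip(octets, stars))
        return ipaddress.ip_network("%s/%d" % (base, 8 * stars.count(False)))
    # Plain host (becomes a /32) or A.B.C.D/M.M.M.M; ipaddress accepts dotted masks.
    return ipaddress.ip_network(text, strict=False)


def parse_proto(text):
    if text == "" or text == "*":
        return None
    return PROTO_NUMBERS.get(text.upper()) or int(text)


def parse_filter(spec):
    """Split 'src[:sport]{=|+}dst[:dport][:proto]' into a Filter."""
    sep = "+" if "+" in spec else "="
    if sep not in spec:
        raise ValueError("filter needs '=' or '+': %s" % spec)
    left, right = spec.split(sep, 1)
    lparts, rparts = left.split(":"), right.split(":")
    if len(lparts) not in (1, 2) or len(rparts) not in (1, 2, 3):
        raise ValueError("malformed filter: %s" % spec)
    lparts += [""] * (2 - len(lparts))   # pad missing source port
    rparts += [""] * (3 - len(rparts))   # pad missing destination port / protocol
    src = Endpoint(parse_host(lparts[0]), int(lparts[1]) if lparts[1] else None)
    dst = Endpoint(parse_host(rparts[0]), int(rparts[1]) if rparts[1] else None)
    return Filter(spec, src, dst, parse_proto(rparts[2]), sep == "+")


def _endpoint_hit(ep, addr, port, me):
    net = ipaddress.ip_network(me + "/32") if ep.net is None else ep.net
    if ipaddress.ip_address(addr) not in net:
        return False
    return ep.port is None or ep.port == port


def filter_hits(f, me, src, dst, proto, sport=None, dport=None):
    """True if the packet matches forward, or reversed when the filter is mirrored ('+')."""
    if f.proto is not None and f.proto != proto:
        return False
    if _endpoint_hit(f.src, src, sport, me) and _endpoint_hit(f.dst, dst, dport, me):
        return True
    return f.mirrored and _endpoint_hit(f.src, dst, dport, me) and _endpoint_hit(f.dst, src, sport, me)


def specificity(f):
    """Tie-break weight: longer prefixes, explicit ports and an explicit protocol win."""
    score = 0
    for ep in (f.src, f.dst):
        score += 32 if ep.net is None else ep.net.prefixlen
        score += 0 if ep.port is None else 1
    return score + (0 if f.proto is None else 1)


def decide(rules, me, src, dst, proto, sport=None, dport=None):
    """rules is a list of (action, spec) as given to 'ipsecpol -n ACTION -f SPEC'.
    Returns the action of the most specific matching filter; unmatched traffic passes."""
    hits = [(action, parse_filter(spec)) for action, spec in rules
            if filter_hits(parse_filter(spec), me, src, dst, proto, sport, dport)]
    if not hits:
        return "PASS"
    return max(hits, key=lambda hit: specificity(hit[1]))[0]


# Constructed policy in the spirit of the post: block all TCP to and from this host,
# then open RPC (135) and file/print sharing (139, 445) from the local subnet only.
# 192.0.2.0/24 and 192.0.2.10 are documentation addresses standing in for a real LAN.
EXAMPLE_ME = "192.0.2.10"
EXAMPLE_RULES = [
    ("BLOCK", "*+0::TCP"),
    ("PASS", "192.0.2.*+0:135:TCP"),
    ("PASS", "192.0.2.*+0:139:TCP"),
    ("PASS", "192.0.2.*+0:445:TCP"),
]

if __name__ == "__main__":
    for src, dst, proto, sport, dport in [
        ("192.0.2.20", EXAMPLE_ME, 6, 1025, 445),    # SMB from the LAN
        ("203.0.113.5", EXAMPLE_ME, 6, 1025, 445),   # SMB from outside
        (EXAMPLE_ME, "203.0.113.5", 6, 1025, 80),    # outbound HTTP, caught because '+' mirrors
        ("203.0.113.5", EXAMPLE_ME, 17, 53, 53),     # UDP, untouched by TCP-only filters
    ]:
        print(src, dst, proto, dport, decide(EXAMPLE_RULES, EXAMPLE_ME, src, dst, proto, sport, dport))
```

Two things worth noticing when running it: the mirrored BLOCK filter catches outbound TCP from the host as well as inbound, which is what the uwaterloo page means by "to and from anywhere", so a single-direction '*=0::TCP' is the one to use if only incoming connections should be cut; and the UDP packet passes because every filter here names TCP, so anything beyond the three TCP ports the reply lists has to be covered by its own filter.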


</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<ul><li><strong>References</strong>:
<ul>
<li><strong><a name="00049" href="msg00049.html">[ale] Open Source Firewall for Windows 2000/XP?</a></strong>
<ul><li><em>From:</em> jonathan at xcorps.net (Jonathan Rickman)</li></ul></li>
<li><strong><a name="00050" href="msg00050.html">[ale] Open Source Firewall for Windows 2000/XP?</a></strong>
<ul><li><em>From:</em> jonathan.glass at ibb.gatech.edu (Jonathan Glass)</li></ul></li>
<li><strong><a name="00178" href="msg00178.html">[ale] Open Source Firewall for Windows 2000/XP?</a></strong>
<ul><li><em>From:</em> jonathan.glass at ibb.gatech.edu (Jonathan Glass)</li></ul></li>
<li><strong><a name="00181" href="msg00181.html">[ale] Open Source Firewall for Windows 2000/XP?</a></strong>
<ul><li><em>From:</em> esoteric at 3times25.net (Geoffrey)</li></ul></li>
<li><strong><a name="00183" href="msg00183.html">[ale] Open Source Firewall for Windows 2000/XP?</a></strong>
<ul><li><em>From:</em> jonathan.glass at ibb.gatech.edu (Jonathan Glass)</li></ul></li>
<li><strong><a name="00184" href="msg00184.html">[ale] Open Source Firewall for Windows 2000/XP?</a></strong>
<ul><li><em>From:</em> esoteric at 3times25.net (Geoffrey)</li></ul></li>
<li><strong><a name="00185" href="msg00185.html">[ale] Open Source Firewall for Windows 2000/XP?</a></strong>
<ul><li><em>From:</em> jonathan.glass at ibb.gatech.edu (Jonathan Glass)</li></ul></li>
<li><strong><a name="00186" href="msg00186.html">[ale] Open Source Firewall for Windows 2000/XP?</a></strong>
<ul><li><em>From:</em> jonathan.glass at ibb.gatech.edu (Jonathan Glass)</li></ul></li>
<li><strong><a name="00187" href="msg00187.html">[ale] Open Source Firewall for Windows 2000/XP?</a></strong>
<ul><li><em>From:</em> byron at cc.gatech.edu (Byron A Jeff)</li></ul></li>
</ul></li></ul>
<!--X-References-End-->
<!--X-BotPNI-->
<ul>
<li>Prev by Date:
<strong><a href="msg00187.html">[ale] Open Source Firewall for Windows 2000/XP?</a></strong>
</li>
<li>Next by Date:
<strong><a href="msg00189.html">[ale] iTunes Server under Linux</a></strong>
</li>
<li>Previous by thread:
<strong><a href="msg00187.html">[ale] Open Source Firewall for Windows 2000/XP?</a></strong>
</li>
<li>Next by thread:
<strong><a href="msg00051.html">[ale] Open Source Firewall for Windows 2000/XP?</a></strong>
</li>
<li>Index(es):
<ul>
<li><a href="maillist.html#00188"><strong>Date</strong></a></li>
<li><a href="threads.html#00188"><strong>Thread</strong></a></li>
</ul>
</li>
</ul>

<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
</body>
</html>