Has anyone had any gotchas on TCP/IP filtering?

schase (Technical User; joined Sep 7, 2001)
First time I've tried to do this.

I checked Enable TCP/IP Filtering (all adapters). Under TCP I clicked Permit Only and added various web ports (80, 110, 53, 25, etc.), and added 53 under UDP as well. Clicked OK and rebooted.

Could not browse out to the internet, and an external port scan only showed 1 of the 7 or so ports I opened. I could ping an external IP addy, but not an external domain name, so obviously DNS was blocked as well.

I also permitted TCP/UDP/ICMP under IP Protocols, or left IP Protocols set to Permit All.

Anyone run into this where it just blocks?

Stuart
 
Sorry mate-what was this on? Router? Windows firewall?
 
hey, Sorry, on windows server 2003, TCP/IP Filtering on the Nic itself.

Stuart
 
TCP/IP filtering applies to ALL NICs in the computer if you configure filtering this way.

Also, filtering is only one-way: incoming traffic is filtered, not outgoing.
 
Hi Basst,

Right, the situation is that everything is getting blocked, incoming and outgoing, despite being properly set up.

Stuart
 
And if you turned this off-does traffic go both ways? Or do you have another layer that might be causing probs?
 
turning it off shoots traffic right on through. No other layers or filtering on anything.

Stuart
 
I checked Enable TCP/IP Filtering (all adapters). Under TCP I clicked Permit Only and added various web ports (80, 110, 53, 25, etc.), and added 53 under UDP as well. Clicked OK and rebooted.

Could not browse out to the internet, and an external port scan only showed 1 of the 7 or so ports I opened. I could ping an external IP addy, but not an external domain name, so obviously DNS was blocked as well.

I also tried permitting TCP/UDP/ICMP under IP Protocols, or leaving IP Protocols set to Permit All.


Stuart
 
What happens when you ping the loopback?
And which port is shown as open? Is it just the first port in the list on the config page?
 
I didn't try pinging the loopback, but since I can ping an outside IP address I'd assume loopback would also work. I'll have to try it tomorrow.

Interestingly enough - port 110 showed as open, it was middle of the list.

Stuart
 
Can you telnet out on 110 and 25, i.e., to your mail server?
 
Try running command "netsh diag gui" without the quotes. This should do a full check of your Network environment and report any problems.
 
can ping loopback okay.

Running the network diagnostic everything passes.

IPEnabled = true
IPFilterSecurityEnabled = True
IPSecPermitIPProtocols = 0
IPSecPermitTCPPorts = 21,25,53,80,110,143,443
IPSecPermitUDPPorts = 53

I can telnet out on 25, 110 and 143. Maybe it's just DNS that's getting blocked then.

Irritating either way.



Stuart
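The thread ends with the two observations that matter: outbound TCP sessions (telnet to 25, 110, 143) work under a Permit Only TCP list, while DNS resolution does not under a Permit Only UDP list of just 53. The reason is that a DNS client query leaves from an ephemeral source port and the reply comes back to that ephemeral port, which an inbound-only UDP filter listing only 53 will drop. Below is an added example, not code from the thread or from Microsoft, that parses the property dump Stuart posted (constructed here as SAMPLE_CONFIG) and models the filter's decisions. The model assumes the behaviour described in the thread: the filter is inbound-only, for TCP only new connection attempts (SYN) are matched against the port list so replies to outbound connections pass, and for UDP every inbound datagram is matched. The 1024-5000 ephemeral range and the rule that a list containing only "0" means Permit All are assumptions of the model.

```python
"""Model of Windows Server 2003 TCP/IP Filtering decisions (added example).

Parses the WMI-style property dump from the thread and shows why outbound
TCP works but DNS lookups fail under the posted configuration.
"""
import re

# Constructed sample: the property dump Stuart posted, in "Name = value" form.
SAMPLE_CONFIG = """
IPEnabled = true
IPFilterSecurityEnabled = True
IPSecPermitIPProtocols = 0
IPSecPermitTCPPorts = 21,25,53,80,110,143,443
IPSecPermitUDPPorts = 53
"""

# IP protocol numbers used below.
ICMP, TCP, UDP = 1, 6, 17

# Assumption: client sockets get an ephemeral source port in this range
# (the Windows Server 2003 default); replies to client traffic arrive here.
EPHEMERAL_RANGE = range(1024, 5001)


def _parse_list(value):
    """A list consisting only of '0' means Permit All (modelled as None);
    anything else is a Permit Only set; an empty list permits nothing."""
    items = [v.strip() for v in value.split(",") if v.strip()]
    if items == ["0"]:
        return None
    return {int(v) for v in items}


def parse_filter_config(text):
    """Turn 'Name = value' lines into {'enabled', 'tcp', 'udp', 'ip'}."""
    cfg = {"enabled": False, "tcp": None, "udp": None, "ip": None}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(.*?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "IPFilterSecurityEnabled":
            cfg["enabled"] = value.lower() == "true"
        elif key == "IPSecPermitTCPPorts":
            cfg["tcp"] = _parse_list(value)
        elif key == "IPSecPermitUDPPorts":
            cfg["udp"] = _parse_list(value)
        elif key == "IPSecPermitIPProtocols":
            cfg["ip"] = _parse_list(value)
    return cfg


def inbound_allowed(cfg, proto, dst_port=None, tcp_syn=False):
    """Decide whether one inbound packet passes the filter (modelled rules:
    inbound-only; IP-protocol list first; TCP matched on SYN only; UDP
    matched on every datagram)."""
    if not cfg["enabled"]:
        return True
    if cfg["ip"] is not None and proto not in cfg["ip"]:
        return False
    if proto == TCP:
        if not tcp_syn:          # reply to an outbound connection
            return True
        return cfg["tcp"] is None or dst_port in cfg["tcp"]
    if proto == UDP:
        return cfg["udp"] is None or dst_port in cfg["udp"]
    return True                  # ICMP and others: protocol check only


def outbound_tcp_works(cfg, client_port=3457):
    """SYN-ACK and data segments for an outbound connection are not SYNs."""
    return inbound_allowed(cfg, TCP, dst_port=client_port, tcp_syn=False)


def dns_lookup_works(cfg, client_port=3456):
    """The DNS reply is a UDP datagram addressed to the client's ephemeral port."""
    return inbound_allowed(cfg, UDP, dst_port=client_port)


def audit(cfg):
    """Report the gotchas a practitioner should check before rebooting."""
    findings = []
    if cfg["enabled"] and cfg["udp"] is not None and \
            not all(p in cfg["udp"] for p in EPHEMERAL_RANGE):
        findings.append("UDP Permit Only blocks replies to client queries (DNS, NTP) "
                        "that arrive on ephemeral ports; set UDP to Permit All "
                        "or list the full ephemeral range.")
    if cfg["enabled"] and cfg["ip"] is not None and ICMP not in cfg["ip"]:
        findings.append("ICMP not permitted: inbound echo replies will be dropped.")
    return findings


def fixed_config(cfg):
    """Keep the inbound TCP restriction but set UDP back to Permit All."""
    return {**cfg, "udp": None}


if __name__ == "__main__":
    cfg = parse_filter_config(SAMPLE_CONFIG)
    print("inbound SYN to 110 allowed:", inbound_allowed(cfg, TCP, 110, tcp_syn=True))
    print("inbound SYN to 3389 allowed:", inbound_allowed(cfg, TCP, 3389, tcp_syn=True))
    print("outbound telnet to 25 works:", outbound_tcp_works(cfg))
    print("DNS lookup works:", dns_lookup_works(cfg))
    for finding in audit(cfg):
        print("WARN:", finding)
    print("DNS lookup works after fix:", dns_lookup_works(fixed_config(cfg)))
```

Run as-is to reproduce the thread's symptoms: outbound TCP passes, the DNS reply to an ephemeral port is dropped, and the audit names the UDP list as the cause. The practical fix on the server is to leave UDP at Permit All (or run the box behind a stateful firewall) while keeping the inbound TCP restriction. Note that the filter passing a SYN does not make a port show as open to a scanner; a permitted port with no service listening still answers with a reset, so a scan reports only ports that both pass the filter and have a listener, which is consistent with only 110 (POP3) showing up in the thread if that was the only listed service actually running.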
 