Kristiandg, you need to sniff the network and decode the packets used by remote desktop.
With the info below you must be able to create a firewall profile for it.
Good luck! (You will need it.)
IP Protocol : The value entered here corresponds to the IP Protocol which is to be processed by this Firewall profile :- 1 for ICMP, 6 for TCP, 17 for UDP or 47 for GRE.
Match Offset : The offset into the packet (0 = first byte of IP packet) where checking commences for either a specific port number, a range of port numbers, or data.
Match Length : The number of bytes to check in the packet, from the Match Offset point, that are checked against the Match Data and Match Mask settings.
Notes : This field is to remind you what this entry is for. You must enter something in this field or the system will not allow you to save this filter.
Match Data : The values the data must equal once masked with the Match Mask.
Match Mask : This is the byte pattern which will be logically ANDed with the data in the packet from the offset point. The result of this process is then compared against the contents of the "Match Data" field.
Direction - Drop/In/Out/Bothway : The direction that data may take if matching this filter, see individual explanations below.
o Drop - no packets matching this may pass.
o In - allow new sessions into the private network.
o Out - allow sessions out to the Internet.
o Bothway - do both "In" and "Out".
In the example below the Match Mask is FFFF, this provides a single unique match.
IP Protocol = 17,
Match Offset = 20,
Match Length = 2,
Direction = Drop,
Match Data = 0088,
Match Mask = FFFF,
Notes = Drop NetBIOS.
Data -> 0087 -> 0000,0000,1000,0111
Mask -> FFFF -> 1111,1111,1111,1111
ANDed Result = 0000,0000,1000,0111 -> 0087
Match Data = 0088 -> Match data and ANDed Result are different, therefore we pass packet.
Data -> 0088 -> 0000,0000,1000,1000
Mask -> FFFF -> 1111,1111,1111,1111
ANDed Result = 0000,0000,1000,1000 -> 0088
Match Data = 0088 -> Match data and ANDed Result are the same, therefore we drop packet.
Data -> 0089 -> 0000,0000,1000,1001
Mask -> FFFF -> 1111,1111,1111,1111
ANDed Result = 0000,0000,1000,1001 -> 0089
Match Data = 0088 -> Match data and ANDed Result are different, therefore we pass packet.
Therefore from the above any UDP packet with bytes 21 & 22 of the packet set to "0088" ONLY will be dropped, all other packets will be passed.
To extend this to cover a range of matches you can set the mask to be less specific, for example "FFFC". Here is an example similar to that above except that the Match Mask is "FFFC" and Match Data is "0084".
IP Protocol = 17,
Match Offset = 20,
Match Length = 2,
Direction = Drop,
Match Data = 0084,
Match Mask = FFFC,
Notes = Drop range of ports.
Data -> 0080 -> 0000,0000,1000,0000
Mask -> FFFC -> 1111,1111,1111,1100
ANDed Result = 0000,0000,1000,0011 -> 0083
Match Data = 0084 -> Match data and ANDed Result are different, therefore we pass packet.
Data -> 0081 -> 0000,0000,1000,0001
Mask -> FFFC -> 1111,1111,1111,1100
ANDed Result = 0000,0000,1000,0010 -> 0082
Match Data = 0084 -> Match data and ANDed Result are different, therefore we pass packet.
Data -> 0082 -> 0000,0000,1000,0010
Mask -> FFFC -> 1111,1111,1111,1100
ANDed Result = 0000,0000,1000,0001 -> 0081
Match Data = 0084 -> Match data and ANDed Result are different, therefore we pass packet.
Data -> 0083 -> 0000,0000,1000,0011
Mask -> FFFC -> 1111,1111,1111,1100
ANDed Result = 0000,0000,1000,0000 -> 0080
Match Data = 0084 -> Match data and ANDed Result are different, therefore we pass packet.
Data -> 0084 -> 0000,0000,1000,0100
Mask -> FFFC -> 1111,1111,1111,1100
ANDed Result = 0000,0000,1000,0100 -> 0084
Match Data = 0084 -> Match data and ANDed Result are the same, therefore we drop packet.
Data -> 0085 -> 0000,0000,1000,0101
Mask -> FFFC -> 1111,1111,1111,1100
ANDed Result = 0000,0000,1000,0100 -> 0084
Match Data = 0084 -> Match data and ANDed Result are the same, therefore we drop packet.
Data -> 0086 -> 0000,0000,1000,0110
Mask -> FFFC -> 1111,1111,1111,1100
ANDed Result = 0000,0000,1000,0100 -> 0084
Match Data = 0084 -> Match data and ANDed Result are the same, therefore we drop packet.
Data -> 0087 -> 0000,0000,1000,0111
Mask -> FFFC -> 1111,1111,1111,1100
ANDed Result = 0000,0000,1000,0100 -> 0084
Match Data = 0084 -> Match data and ANDed Result are the same, therefore we drop packet.
Data -> 0088 -> 0000,0000,1000,1000
Mask -> FFFC -> 1111,1111,1111,1100
ANDed Result = 0000,0000,1000,1011 -> 008B
Match Data = 0084 -> Match data and ANDed Result are different, therefore we pass packet.
Data -> 0089 -> 0000,0000,1000,1001
Mask -> FFFC -> 1111,1111,1111,1100
ANDed Result = 0000,0000,1000,1010 -> 008A
Match Data = 0084 -> Match data and ANDed Result are different, therefore we pass packet.
Data -> 008A -> 0000,0000,1000,1010
Mask -> FFFC -> 1111,1111,1111,1100
ANDed Result = 0000,0000,1000,1001 -> 0089
Match Data = 0084 -> Match data and ANDed Result are different, therefore we pass packet.
Data -> 008B -> 0000,0000,1000,1011
Mask -> FFFC -> 1111,1111,1111,1100
ANDed Result = 0000,0000,1000,1000 -> 0088
Match Data = 0084 -> Match data and ANDed Result are different, therefore we pass packet.
Data -> 008C -> 0000,0000,1000,1100
Mask -> FFFC -> 1111,1111,1111,1100
ANDed Result = 0000,0000,1000,1100 -> 008C
Match Data = 0084 -> Match data and ANDed Result are different, therefore we pass packet.
Data -> 008D -> 0000,0000,1000,1101
Mask -> FFFC -> 1111,1111,1111,1100
ANDed Result = 0000,0000,1000,1100 -> 008C
Match Data = 0084 -> Match data and ANDed Result are different, therefore we pass packet.
Data -> 008E -> 0000,0000,1000,1110
Mask -> FFFC -> 1111,1111,1111,1100
ANDed Result = 0000,0000,1000,1100 -> 008C
Match Data = 0084 -> Match data and ANDed Result are different, therefore we pass packet.
Data -> 008F -> 0000,0000,1000,1111
Mask -> FFFC -> 1111,1111,1111,1100
ANDed Result = 0000,0000,1000,1100 -> 008C
Match Data = 0084 -> Match data and ANDed Result are different, therefore we pass packet.
From the above calculations you can see that this new filter results in packets with bytes 21 & 22 set to 0084, 0085, 0086 & 0087 being dropped.
NOTE :- Please also note that if the Match Data had been set to 008C this would result in packets with bytes 21 & 22 set to 008C, 008D, 008E & 008F being dropped!
NIHIL NOVI SUB SOLE
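
Added example (not part of the original post or of the router's firmware): a Python sketch of the Match Offset / Match Length / Match Data / Match Mask test described above, plus a helper that lists every 16-bit value a given Data/Mask pair selects. The function names and the sample packet are constructed for illustration; the packet assumes a 20-byte IP header with no options, so offset 20 is the first two bytes after the IP header.

```python
import struct

def sample_packet(word: int, proto: int = 17) -> bytes:
    """Constructed test packet: 20-byte IPv4 header (no options) + 8 bytes."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    # 'word' lands at offsets 20-21, the bytes the examples in the post inspect.
    return ip + struct.pack("!HHHH", word, 0x0400, 8, 0)

def profile_matches(packet: bytes, ip_proto: int, offset: int, length: int,
                    data: bytes, mask: bytes) -> bool:
    """True when the packet matches; the profile's Direction then applies."""
    if len(data) != length or len(mask) != length:
        raise ValueError("Match Data and Match Mask must be Match Length bytes")
    # Byte 9 of the IPv4 header is the IP Protocol field (17 = UDP).
    if len(packet) < 20 or packet[9] != ip_proto:
        return False
    window = packet[offset:offset + length]
    if len(window) < length:  # packet too short to hold the checked bytes
        return False
    # AND each packet byte with the mask, then compare with Match Data.
    return all((b & m) == d for b, m, d in zip(window, mask, data))

def matched_values(data: int, mask: int, bits: int = 16) -> list:
    """Every field value v for which (v & mask) == data."""
    if data & ~mask:
        # Match Data has a bit set where the mask is 0: nothing can match.
        return []
    free = [i for i in range(bits) if not (mask >> i) & 1]
    values = []
    for combo in range(1 << len(free)):
        v = data
        for j, bit in enumerate(free):
            if (combo >> j) & 1:
                v |= 1 << bit
        values.append(v)
    return sorted(values)

if __name__ == "__main__":
    exact = dict(ip_proto=17, offset=20, length=2,
                 data=bytes.fromhex("0088"), mask=bytes.fromhex("FFFF"))
    for word in (0x0087, 0x0088, 0x0089):
        hit = profile_matches(sample_packet(word), **exact)
        print(f"{word:04X}: {'drop' if hit else 'pass'}")
    print([f"{v:04X}" for v in matched_values(0x0084, 0xFFFC)])
```
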