Packet filtering on Windows 2000 made easy
Hello All
This may be old news to you but to me the following was the answer to an old prayer of mine: It's possible to do packet filtering on Windows 2000 Server in the same way you do it on e.g. Linux with ipchains. While it's not a firewall as such, filtering out packets is still a lot better than leaving each and every port open to the outside world.
The key is to use
Start > Programs > Administrative tools > Routing and remote access
The first time you access this utility you'll be asked if it's OK to install and initialize this service - accept this.
Now click on IP Routing > General and double-click on the network interface that your server uses when connecting to the outside world.
Click on the "Input filters" button and click "Add" to set up the ports that you want to allow connectivity to.
Let's say that we want to accept FTP, DNS, HTTP and Windows Terminal Service access from the internet - the latter from our dedicated IP only.
After clicking "Add" you select "TCP" from the "Protocol" list and add "21" (FTP) in "Destination port". Click "OK" to acknowledge.
Note: Nothing takes effect until you finish with "Apply", so you're not going to lock yourself out (unless you're *really* trigger happy... )
After adding the first rule you select "Drop all packets except..." at the top of the window - this is not the default behaviour.
Now repeat the procedure for ports 53 (DNS) and 80 (HTTP).
Setting up access to TSC from a dedicated IP requires you to repeat the procedure above, but in addition you'll have to add your dedicated IP to "Source address" with a "Source mask" of 255.255.255.255.
Finally, set up a last filter with "TCP (established)" as the only parameter - this ensures that established connections that run on other ports are OK.
Once you have checked that everything is OK (you could set up a filter with your dedicated IP as "Source address" and no ports or protocols defined - that'll ensure full connectivity from your own address) you click "Apply" or "OK" - and then it's time to fire up nmap or another portscanner. You'll see that packets are dropped, not rejected, which means that portscanners take a very long time to scan the server - another bonus I guess...
Note: The filtering prevents pinging your server as well - while this is generally a good thing (portscanners may just proceed to the next server) it may also disrupt any service monitoring you may run. You'll have to allow ICMP packets in order to allow pinging of the server.
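The same input-filter set, as an added example in scripted form rather than the GUI clicks in the post: the "netsh routing ip" context on Windows 2000 Server takes these filters as commands. The interface name and the admin address are placeholders, and the parameter syntax here is from my recollection of that context, not from this post, so confirm it with "netsh routing ip add filter ?" before relying on it.

```batch
@echo off
rem Added example, not from the original post. Interface name and admin IP
rem are placeholders; check the syntax with: netsh routing ip add filter ?
set IF="Local Area Connection"
set ADMIN_IP=203.0.113.10

rem FTP control, DNS and HTTP from anywhere (the post lists TCP only).
netsh routing ip add filter name=%IF% filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=TCP srcport=0 dstport=21
netsh routing ip add filter name=%IF% filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=TCP srcport=0 dstport=53
netsh routing ip add filter name=%IF% filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=TCP srcport=0 dstport=80

rem Caveat the post does not mention: ordinary DNS queries arrive over UDP,
rem so a TCP/53 rule alone will not let clients resolve names on this server.
netsh routing ip add filter name=%IF% filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=UDP srcport=0 dstport=53

rem Terminal Services (TCP 3389) only from the dedicated admin address:
rem a /32 source mask so exactly one source IP matches.
netsh routing ip add filter name=%IF% filtertype=INPUT srcaddr=%ADMIN_IP% srcmask=255.255.255.255 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=TCP srcport=0 dstport=3389

rem The "TCP (established)" filter: replies to connections the server opened.
netsh routing ip add filter name=%IF% filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=TCP-EST srcport=0 dstport=0

rem Optional: permit ICMP echo requests (type 8) only if an external monitor
rem must ping the host; otherwise leave this out, as the post's note explains.
rem netsh routing ip add filter name=%IF% filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=ICMP type=8 code=0

rem Switch the list to "Drop all packets except..." (DROP is not the default).
netsh routing ip set filter name=%IF% filtertype=INPUT action=DROP

rem Review what is now in force before testing from outside.
netsh routing ip show filter name=%IF%
```

Run it from a console session on the server itself, not over the Terminal Services connection you are about to restrict, and compare "show filter" output with an external port scan afterwards.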
Again: I'm sorry if this is old news but to me it's the best thing since sliced bread and I thought I'd just share the knowledge in case someone could use it. ;-)