Configuring TCP/IP Packet Filters

One of the most useful features in RRAS is its ability to selectively filter TCP/IP packets in both directions. You can construct filters that allow or deny traffic into or out of your network based on rules that specify source and destination addresses and ports. The basic idea behind packet filtering is simple: You specify filter rules and incoming packets are measured against those rules. You have two choices: Accept all packets except those prohibited by a rule or drop all packets except those permitted by a rule.

Though Windows Firewall offers packet filtering as of Windows Server 2003 Service Pack 1, you cannot install Windows Firewall alongside Routing and Remote Access. Therefore, you'll need to use a different firewall if you have Routing and Remote Access enabled in Windows Server 2003. For more information, see cab1eguy/cg0605.mspx.

Filters are normally used to block out undesirable traffic. In general, the idea is to keep out packets that your machines shouldn't see. For example, you could configure a packet filter that would block all packets to a web server except those on TCP ports 80 and 443.

On the other hand, you could just as easily create a filter that blocks all outgoing packets on the ports used by the MSN and AOL instant messaging tools. Another example (and one that might be more helpful) is the use of filters for a PPTP or L2TP server; these filters screen out everything except VPN traffic so that you can expose a Windows Server 2003 VPN server without fear of compromise.

Filters are associated with a particular interface; the filters assigned to one interface are totally independent of those on all other interfaces, and inbound and outbound filters are likewise separate. You create and remove filters by using the Input Packet Filters and Output Packet Filters buttons on the General tab of the Local Area Network Properties dialog box (refer back to Figure 9.6). The mechanics of working with the filters are identical; just remember that you create inbound filters to screen traffic coming to the interface and outbound filters to screen traffic going back out through that interface.

To create a filter, find the interface on which you want the filter and then open its Properties dialog box. Click the appropriate packet filter button and you'll see the Inbound Filters dialog box (Figure 9.25).

FIGURE 9.25 The Inbound Filters dialog box


This dialog box has the following six salient parts:

■ The Receive All Packets Except Those That Meet The Criteria Below and the Drop All Packets Except Those That Meet The Criteria Below radio buttons control what this filter does. To make a filter that excludes only those packets you specify, select the Receive All Packets Except Those That Meet The Criteria Below radio button. To do the opposite, and accept only those packets that meet your rule, select the Drop All Packets Except Those That Meet The Criteria Below radio button. Note that these buttons will be inactive until you create a filter rule.

■ The Filters list, which is initially empty, shows you which filters are defined on this interface. Each filter's entry in the list shows you the source address and mask, the destination address and mask, and the protocol, port, and traffic type specified in the rule.

■ You can add, edit, and remove filters using the New, Edit, and Delete buttons.

To create a filter, click the New button and you'll see the Add IP Filter dialog box (Figure 9.26).

The conditions you specify here must all be true to trigger the rule. For example, if you specify both the source and destination addresses, only traffic from the defined source to the defined destination will be filtered.

FIGURE 9.26 The Add IP Filter dialog box

[Figure 9.26 shows the Add IP Filter dialog box: a Source network checkbox with IP address and Subnet mask fields (the screenshot has 10.10.0. and 255.255.0. with the last octets not legible), a Destination network checkbox with the same two fields, a protocol drop-down showing TCP [established], Source port and Destination port fields, and a Cancel button.]

Follow these steps to fill out the Add IP Filter dialog box:

■ To create a filter that blocks packets by their origin or source address, check the Source Network checkbox and supply the IP address and subnet mask for the source you want to block.

■ To create a filter that blocks according to destination, check the Destination Network checkbox and fill in the appropriate address and subnet mask.

■ To filter by protocol, choose the protocol you want to block:

■ Any, which blocks everything

■ Other, with a fill-in field for the protocol

For each of these protocols, you'll have to enter some additional information; for example, if you select TCP, you have to specify the source or destination port numbers (or both), whereas for Other, you'll have to enter a protocol number (more on that in Exercise 9.5).

Once you've specified the filter you want, click the OK button and you'll see it in the filter list. Filters go into effect as soon as you close the interface's Properties dialog box; you can always go back and add, edit, or remove filters at any time.
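To make the two radio-button modes and the all-conditions-must-hold rule concrete, here is a small Python model of how a filter list like the one above is evaluated against a packet. It is an added example written for this page, not RRAS code or anything from the book; the Packet and IPFilter classes, the 192.0.2.10 web server and the 10.10.0.0/255.255.0.0 source network are constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Net = ipaddress.IPv4Network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "TCP", "UDP", "ICMP" or a protocol number as a string
    src_port: int = 0   # 0 for protocols without ports
    dst_port: int = 0

@dataclass(frozen=True)
class IPFilter:
    """One row of the Filters list; an unchecked dialog field is None (0 for ports) and matches anything."""
    src: Optional[IPv4Net] = None    # Source network checkbox: address + subnet mask
    dst: Optional[IPv4Net] = None    # Destination network checkbox
    proto: str = "Any"               # "Any" matches every protocol
    src_port: int = 0                # 0 = any port (meaningful for TCP/UDP only)
    dst_port: int = 0

    def matches(self, p: Packet) -> bool:
        # Every condition that was filled in must hold; the conditions are ANDed.
        if self.src is not None and ipaddress.IPv4Address(p.src) not in self.src:
            return False
        if self.dst is not None and ipaddress.IPv4Address(p.dst) not in self.dst:
            return False
        if self.proto != "Any" and self.proto != p.proto:
            return False
        if self.src_port and self.src_port != p.src_port:
            return False
        return not self.dst_port or self.dst_port == p.dst_port

def evaluate(mode: str, filters, p: Packet) -> str:
    """mode names the selected radio button: 'receive_all_except' or 'drop_all_except'."""
    hit = any(f.matches(p) for f in filters)
    if mode == "receive_all_except":      # default allow, listed traffic dropped
        return "drop" if hit else "accept"
    if mode == "drop_all_except":         # default deny, listed traffic accepted
        return "accept" if hit else "drop"
    raise ValueError(f"unknown filter mode: {mode}")

# Constructed example: inbound filters on a web server's interface (192.0.2.10, an
# RFC 5737 documentation address) that drop everything except TCP to ports 80 and 443.
WEB_HOST = IPv4Net("192.0.2.10/255.255.255.255")
WEB_FILTERS = tuple(IPFilter(dst=WEB_HOST, proto="TCP", dst_port=port) for port in (80, 443))

def web_server_decision(p: Packet) -> str:
    return evaluate("drop_all_except", WEB_FILTERS, p)
```

Note that a filter with both Source network and Destination network checked matches only packets for which both hold, so with Receive All Packets Except selected, traffic from that source to any other destination still passes.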
