Editing Windows firewall ruleset for 2003 Std ?

Posted by Paul on August 18, 2005, 11:41 am
I have an application that sends HTTP request packets to a Microsoft
loopback adapter on 172.31.1.1 (not 127.0.0.1); the response is then
sent out via the main interface on 172.31.1.2. The application is
actually an external load balancer doing low-level MAC re-writing and
needing the answering machine to accept the IP address of 172.31.1.1.

This works perfectly until I turn on the Windows Firewall. I've
configured both the loopback and external interface to accept
connections on port 80 and can connect and get responses from both
ports on the command line. I found and used the Microsoft netsh tool to
turn on logging for the firewall and found that the response packets
are being dropped on their way back out to the calling IP. So the
loopback is still receiving them and IIS is dealing with them and
sending them out through the external interface. The firewall is then
dropping them, I assume for spoofing.

The message in the firewall log is

DROP TCP 172.31.1.1 123.123.123.123 80 dest etc

So I think the firewall is dropping the outbound packets because they
are pretending to originate from the loopback IP but coming from the
external interface.

My question is how do I set the firewall to allow outbound packets on
the external interface but from the IP of the loopback? The critical
thing is that I can't add the loopback IP to the external interface
because I need it to not respond to ARP requests while the main IP
should respond to ARP requests. The only way I know of to do this is to
have them on different interfaces.

thanks in advance

Paul
--
PrintWhatYouThink - Slogan tshirts for the individual
http://www.printwhatyouthink.co.uk/
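An added example, not code from the thread: a small parser for Windows Firewall log lines (the W3C-style file with a `#Fields:` header that netsh logging writes) that flags DROP entries whose source address is one of the machine's own IPs but not the egress interface's address, i.e. the anti-spoofing symptom Paul describes. The sample log is constructed to match the DROP line quoted above, and the field names used are an assumption about the header layout.

```python
# Added example, not from the original thread: parse Windows Firewall
# (pfirewall.log, W3C-style "#Fields:" header) output and flag DROP entries
# whose source address is a locally bound IP that is not the egress
# interface's own address.
from collections import Counter

# Constructed sample log, modelled on the DROP line quoted in the post.
# Field names are an assumption based on the log's W3C-style header.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags
2005-08-18 11:40:01 OPEN TCP 123.123.123.123 172.31.1.1 4521 80 - -
2005-08-18 11:40:01 DROP TCP 172.31.1.1 123.123.123.123 80 4521 40 AS
2005-08-18 11:40:01 DROP TCP 172.31.1.1 123.123.123.123 80 4521 40 AS
2005-08-18 11:40:02 DROP TCP 172.31.1.2 123.123.123.123 80 4522 40 AS
2005-08-18 11:40:03 DROP UDP 10.0.0.9 172.31.1.2 137 137 78 -
"""

# Addresses from the post: the loopback adapter and the external interface.
LOCAL_ADDRS = {"172.31.1.1": "loopback", "172.31.1.2": "external"}
EGRESS_ADDR = "172.31.1.2"


def parse_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_spoof_drops(text, local_addrs=LOCAL_ADDRS, egress=EGRESS_ADDR):
    """Return {(src-ip, dst-ip, src-port): count} for DROPs that look like
    anti-spoofing hits: the source IP is ours, but not the egress interface's."""
    hits = Counter()
    for rec in parse_log(text):
        src = rec["src-ip"]
        if rec["action"] == "DROP" and src in local_addrs and src != egress:
            hits[(src, rec["dst-ip"], rec["src-port"])] += 1
    return dict(hits)


if __name__ == "__main__":
    for (src, dst, port), n in find_spoof_drops(SAMPLE_LOG).items():
        print(f"{n} x DROP {src}:{port} -> {dst} "
              f"({local := LOCAL_ADDRS[src]} IP leaving via {EGRESS_ADDR})")
```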


Posted by David Beder [MSFT] on August 23, 2005, 4:26 am
Yeah, the anti-spoofing features are kicking in. There might not be anything
you can do at this point with Windows Firewall. We're considering the
ability to disable the anti-spoofing, but I have no idea when that will make
it to light.

--
David
Microsoft Windows Networking
This posting is provided "AS IS" with no warranties, and confers no rights.

