I'm a Linux/Unix guy who has to survive on Windows computers sometimes. I don't like these dumb firewalls for Windows that ask stupid questions and annoy me. A firewall should just work and nothing else. It shouldn't make coffee for you either. It should work just like in Linux.

There was very little information on the net about using the Windows built-in firewall, as if almost nobody in the whole world actually used it! I'm talking about Windows 2000 now.

The reason I felt I needed a firewall is that I got somewhat paranoid at work and didn't want anyone to connect to my Windows ports. (I use Linux and Solaris at work, but I have a Windows computer too.) There is another reason as well: at home I have my own IP range with all ports open to the Internet. I don't trust the Windows ports, so I want to firewall them, but like I said, I hate these lame GUI firewalls, so I wanted something else.

Default Windows can do some filtering of its own (the "TCP/IP Filtering" option under the advanced TCP/IP properties), but it does it wrong: you can only choose to ALLOW a FEW ports and DENY the rest. Allowing ALL ports EXCEPT a FEW isn't possible. That's so STUPID. After some time and tweaking I got it to work by going through the IPsec policy engine instead: a static IPsec policy with BLOCK filters on the ports I don't trust, and everything else left alone.

I'm publishing this on the web so other people can use it instead of stupid GUI firewalls in Windows. And for the 1% of Windows users who don't like piracy it's perfect, because it doesn't cost anything, unlike most GUI firewalls.

It's verified that the firewall works. It drops the packets rather than rejecting them, if you wonder: an IPsec BLOCK filter silently discards the packet, so no TCP RST and no ICMP port unreachable goes back to the sender. This is a scan of one computer running Windows 2000. It's normal that a UDP scan says open|filtered about ports that are closed: nmap gets no reply either way, so it can't tell a dropped probe from an open UDP service that stays silent. They are in fact closed.
TCP scan:

  Interesting ports on bad-desire.flashdance.cx (194.145.250.74):
  (The 65532 ports scanned but not shown below are in state: closed)
  PORT     STATE     SERVICE
  135/tcp  filtered  msrpc
  139/tcp  filtered  netbios-ssn
  445/tcp  filtered  microsoft-ds
  MAC Address: 00:0C:29:2A:29:49 (VMware)
  Too many fingerprints match this host to give specific OS details

UDP scan:

  Interesting ports on bad-desire.flashdance.cx (194.145.250.74):
  (The 65531 ports scanned but not shown below are in state: closed)
  PORT     STATE          SERVICE
  137/udp  open|filtered  netbios-ns
  138/udp  open|filtered  netbios-dgm
  445/udp  open|filtered  microsoft-ds
  500/udp  open|filtered  isakmp
  MAC Address: 00:0C:29:2A:29:49 (VMware)
  Too many fingerprints match this host to give specific OS details

I noticed that when you install ipsecpol it will actually OPEN 500/udp. Because of that I firewall that too. However, I doubt there is any security problem in not firewalling it.

One thing to know before trusting this as your only firewall: the IPsec driver on Windows 2000 and XP is not a complete packet filter. By default it exempts IKE (500/udp), Kerberos, RSVP, broadcast and multicast traffic from every policy, so a BLOCK filter on those never takes effect no matter what the script says, and Microsoft has documented that the Kerberos exemption can be abused: a packet sent from source port 88 slips past the filters on any port. The exemptions, except IKE, are controlled by the NoDefaultExempt DWORD value under HKLM\SYSTEM\CurrentControlSet\Services\IPSEC; set it to 1 and reboot to drop the Kerberos and RSVP exemptions.

You will have some other ports open on a Windows installation by default. Go to Administrative Tools in the Control Panel and then Services. There you should turn these OFF and DISABLE them:

  Distributed Transaction Coordinator
  Messenger
  Task Scheduler
  TCP/IP NetBIOS Helper Service
  ...

That was all.

An example config of how you should write your rules:

  firewall-win2k.bat.txt   Win2K version
  firewall-winxp.bat.txt   WinXP version

(rename it and remove .txt)

For Win2K you must install ipsecpol to get it to work.

  Download it from me: ipsecpol_setup.exe (148k)
  Download it from Microsoft: ipsecpol_setup.exe (148k)

For WinXP you must install ipseccmd to get it to work.

  Download it from me: ipseccmd.exe (72k)
  Put it in "C:\Program Files\Support Tools"

Download not available from Microsoft. To get it, run setup.exe in \SUPPORT\TOOLS on your Win XP CD. You must select a complete installation to get ipseccmd.

Now (2005-07-21) I have even tested the Win XP script myself. It does work, but you have to run it twice for some reason to get the ports firewalled. Dunno why.
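Here is an added example of the kind of script the text is talking about. It is not iocc's firewall-win2k.bat or firewall-winxp.bat, and it only shows the ports the scans above cover; the policy name NoGuiFirewall, the rule names, the trusted address 192.168.1.10 and the tool-selection logic are assumptions made up for the example. It uses the -w REG / -p / -r / -f / -n / -x switches that ipsecpol.exe (Win2K) and ipseccmd.exe (XP/2003) share for static policies, and adds the check and the cleanup a practitioner wants: a PASS exception for one host, the NoDefaultExempt setting, and an "off" mode that unassigns and deletes the policy again.

```batch
@echo off
rem firewall-ipsec.bat  --  added example, not the page's own script.
rem Everything stays allowed; only the listed ports get an IPsec BLOCK filter,
rem which silently drops matching packets. Run from an administrative account.
rem Usage:  firewall-ipsec.bat        (install and assign the policy)
rem         firewall-ipsec.bat off    (unassign and delete it again)
setlocal

rem Assumption: ipseccmd.exe lives where the page says to put it; otherwise
rem fall back to ipsecpol.exe from the Win2K Resource Kit (must be in PATH).
set TOOL=ipsecpol
if exist "%ProgramFiles%\Support Tools\ipseccmd.exe" set TOOL="%ProgramFiles%\Support Tools\ipseccmd.exe"

rem Policy name is made up for this example.
set POL=NoGuiFirewall

if /i "%1"=="off" goto :off

rem Filter spec syntax:  SRC=DST:PORT:PROTO
rem   *  any address        0  this machine's own address
rem   =  one-way (here: inbound to me)   +  would mean mirrored (both ways)
rem One filter per call; each call with the same -p adds a rule to the policy.

rem Step 1: drop inbound RPC / NetBIOS / SMB, the ports the scans above show.
%TOOL% -w REG -p "%POL%" -r "Block in TCP 135" -f *=0:135:TCP -n BLOCK
%TOOL% -w REG -p "%POL%" -r "Block in TCP 139" -f *=0:139:TCP -n BLOCK
%TOOL% -w REG -p "%POL%" -r "Block in TCP 445" -f *=0:445:TCP -n BLOCK
%TOOL% -w REG -p "%POL%" -r "Block in UDP 137" -f *=0:137:UDP -n BLOCK
%TOOL% -w REG -p "%POL%" -r "Block in UDP 138" -f *=0:138:UDP -n BLOCK
%TOOL% -w REG -p "%POL%" -r "Block in UDP 445" -f *=0:445:UDP -n BLOCK
rem 500/udp is deliberately not listed: IKE is on the driver's exemption list,
rem so a BLOCK filter on it would never be applied anyway.

rem Step 2 (optional): allow ONE trusted host to reach SMB. IPsec applies the
rem most specific matching filter, so this single-address PASS wins over the
rem any-address BLOCK above. 192.168.1.10 is a made-up address.
%TOOL% -w REG -p "%POL%" -r "Allow SMB from trusted box" -f 192.168.1.10=0:445:TCP -n PASS

rem Step 3: assign the policy so it becomes active.
%TOOL% -w REG -p "%POL%" -x

rem Step 4: remove the Kerberos and RSVP exemptions (otherwise packets from
rem source port 88 bypass the filters). reg.exe is built in on XP/2003 and in
rem the Support Tools on Win2K. Takes effect after a reboot.
reg add HKLM\SYSTEM\CurrentControlSet\Services\IPSEC /v NoDefaultExempt /t REG_DWORD /d 1 /f

rem Step 5: restart the Policy Agent so the driver loads the policy right away
rem instead of waiting for its next poll. Assumption: this is what the "run it
rem twice" symptom on the page is about. The box runs unfiltered for a moment.
net stop policyagent
net start policyagent
goto :eof

:off
rem -y unassigns the policy, -o deletes it from the registry store.
%TOOL% -w REG -p "%POL%" -y
%TOOL% -w REG -p "%POL%" -o
net stop policyagent
net start policyagent
endlocal
```

Check the result the same way the page does, from another machine: `nmap -sS -p 135,139,445 <host>` should report the three TCP ports as filtered, and `nmap -sU -p 137,138,445 <host>` as open|filtered, while `nmap -sS -p 445 --source-port 88 <host>` should also show filtered once the NoDefaultExempt change has taken effect after the reboot. If the TCP ports come back as closed instead of filtered, the policy is not assigned: re-run the `-x` line and the Policy Agent restart.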
And oh, you should turn off the Win XP SP2 firewall for this to work as intended.

Update 2009-10-08: ipseccmd.exe works on Windows 2003 Server 32-bit as well. I didn't find it on the install CD, but you can download it above.

This text was written 2004-07-19 by iocc. It was slightly updated 2005-07-21, and updated again 2009-10-08.