Solved

IP security -- filtering TCP/UDP ports

Posted on 1998-03-28
596 Views
Last Modified: 2013-12-23
I'm the admin of a small NT network. There's these machines that I need to block access to certain ports to (including quake 27500 and maybe www 80).

So what I did was --- in the TCP/IP protocol tab, under "advanced", I clicked on "enable security" and configured it to allow certain port numbers (which I deemed necessary).

Now, the problem is ... I need DNS to work. It worked before I started mucking with the TCP security. Anyway, according to RFC 1700, I included port 53 in the list of "allow"ed ports in both TCP and UDP. After rebooting, the stupid system refuses to resolve domain names properly.

Some other pointers that might help in the diagnosis are: I did enable port 23 and port 7 ... so telnet (from the test machine to my Linux box) and ping (both to and from the test machine) do work. My DNS servers are big unix monsters 'upstream' from my domain, and DNS works again if I disable the security and reboot.

Can you tell me why DNS won't work on NT with TCP security enabled but with TCP/UDP port 53 "allowed"? Has MS implemented some funky way of resolving domain names that circumvents the open standard? Most importantly, *how* do I go about getting this to WORK?
0
37 Comments
 

Author Comment

by:atan111
ID: 1571589
Edited text of question
0
 
LVL 32

Expert Comment

by:jhance
ID: 1571590
If I'm not mistaken, you need to enable traffic on ports 42, 43, and 53 to get DNS server to work.
0
 

Author Comment

by:atan111
ID: 1571591
actually, the entire list of ports i've already enabled traffic on so far are:

1,2,3,7,22,23,37,38,39,42,43,51,52,53,54,56 (decided to enable a few more around the 50 area to test it), 80, 88, 92, 6000-6020 (for x-windows)

so the dns still doesn't work. well... any other takers?
0
 
LVL 1

Expert Comment

by:Sorin032898
ID: 1571592
Just asking. Did you enable IP protocol 17?
0
 

Author Comment

by:atan111
ID: 1571593
you mean enabling UDP over IP? well, I left the part on IP port filtering as "allow all" -- i.e. only filtering the TCP and UDP ports. so the answer is "yes", I suppose.
0
 

Author Comment

by:atan111
ID: 1571594
Adjusted points to 172
0
 

Author Comment

by:atan111
ID: 1571595
Adjusted points to 200
0
 

Author Comment

by:atan111
ID: 1571596
Adjusted points to 220
0
 

Author Comment

by:atan111
ID: 1571597
Adjusted points to 235
0
 

Expert Comment

by:mccollj
ID: 1571598
Some things to check: are your DNS servers (or your NT machine) behind a firewall? If so, you will need to proxy to your DNS servers. If that doesn't work, you can always take the long way around finding the solution by enabling all ports, and disabling them one at a time until you find the problematic port. My guess is that you should allow all ports, and disable only those that need to be disabled (e.g. 27500 and maybe 80). Hope this helps.
0
 

Author Comment

by:atan111
ID: 1571599
no, my dns servers are not behind any firewall. i know the setup works with ALL ports allowed.

The catch is ... Win NT 4.0 only allows you to "allow all" or "allow only" rather than "disable only" ... which is rather irritating (yes, I have already thought of your idea myself ...). Enabling ports one at a time seems like an impossible task (gee ... there are ... what? unlimited potential numbers of ports ... especially since I have to *REBOOT* (dang Win NT) each time I do this ... sheesh).
0
 
LVL 3

Expert Comment

by:hkp
ID: 1571600
To my knowledge, Microsoft DNS supports the following RFCs:
1033, 1034, 1035, 1101, 1123, 1183 and 1536.

There's nothing about the 1700! So perhaps, you just have to wait for a better MS solution with a later version of Windows NT.
0
 

Author Comment

by:atan111
ID: 1571601
as far as I know, DNS requires port 53 ... and this was specified before RFC 1700 (which only specifies registered port numbers, not DNS queries)

what I want to know is -- if M$ does use unspecified methods of resolving DNS queries, what are the port numbers they use? (so I can ... well ... make it work)
0
 
LVL 7

Expert Comment

by:scdavis
ID: 1571602
I'd log a $200 priority support call and let them stew over it. It'd be worth it to see how silly that call would be. Probably waste a few days of your time working with MS though.
0
 
LVL 3

Expert Comment

by:hkp
ID: 1571603
I think this is a good question. Why hasn't MS given this information when they actually have made the whole thing the opposite of what it should have been? The only good reason I can imagine for doing it this way is this: to be able to make a secure environment ("enable security"), you are better off with zero ports as the default. You are in control, and only you decide which ports are open over the net. By the way, I think it would have been nice to find some help file with information about the ports which are open without "enable security", to compare against this. At least a "Default security" button on the "enable security" dialog window would have been nice...

Good luck.
0
 
LVL 5

Expert Comment

by:snimmaga
ID: 1571604
Probably I didn't read the question and the follow-ups completely, but I have one basic question. Are you trying to make DNS work, or the Microsoft DNS Server?
I mean, is your NT box an MS DNS Server?

0
 

Author Comment

by:atan111
ID: 1571605
no, snimmaga, the NT boxes are not DNS servers. what I'm trying to do is get the domain name resolving to work ... using my usual DNS servers (big chunky UNIX boxes, btw, which I'm not an admin of).

I've changed the ports that I've "allow"ed since then -- now it's 7,22,23,25,37,38,42,43,52-56,80,88,92,109-110,123,137-139,177,546-547,1512,2064,6000-6020 ...

but DNS resolving still doesn't work ... :(
0
 

Author Comment

by:atan111
ID: 1571606
Adjusted points to 300
0
 

Author Comment

by:atan111
ID: 1571607
well, still no takers? *sigh*
0
 
LVL 1

Expert Comment

by:Sorin032898
ID: 1571608
I tried "enable security" in NT with the same results. No way with these rudimentary filtering features. I suggest installing RRAS, which is better by far for filtering and more. And RRAS is free.
Anyhow, I learned that with current MS products there is no way to get a real, strong firewall. If needed, try some dedicated firewall for NT (bucks required).
0
 

Author Comment

by:atan111
ID: 1571609
RRAS? whazzat? where do you get it? (if i sound stupid, it's because of a lack of sleep)
0
 
LVL 1

Expert Comment

by:Sorin032898
ID: 1571610
RRAS (Routing and Remote Access Server) can be freely downloaded from Microsoft.
URL: http://www.microsoft.com/communications/routing&ras.htm

0
 

Author Comment

by:atan111
ID: 1571611
hmm.... sorin, RRAS seems kewl (i'm waiting for the multiple reboots for it to install properly ... geez, Linux doesn't need half this many reboots...)

but ...

it refuses to install on the Workstations! now, i wish i could give partial points out but my main problem is with the workstations... any more ideas? (how about hacks to make the workstations look like servers?... hmm)


back to testing...
0
 
LVL 1

Expert Comment

by:Sorin032898
ID: 1571612
Maybe Unixes don't want many reboots, but other things ...
Yes, unfortunately RRAS requires NT Server, but I suggest using Server anyway, otherwise you will be unable to install much other software (BackOffice components, etc). More than that, I recommend BackOffice or Small Business BackOffice. Maybe you already know, but BackOffice is a great deal; it is cheap and it gives almost all the system software you need for a network. A Unix solution similar to BackOffice is more expensive by far.
0
 

Author Comment

by:atan111
ID: 1571613
i can't get money to turn each and every NT 4.0 Wks into a NT 4.0 Server ... just so that I can use RRAS for IP filtering ... there *should* be a suitable way to configure the Wks for the IP filtering (that avoids the crap about "enable security")

in any case, i don't want to start an OS holy war, but for most of what BackOffice offers ...
Exchange server -- sendmail/Qmail on Linux is way cheaper (free can't be beat) and works better
proxy server -- have you heard of Squid?

and ... and ... my small network doesn't justify shelling out for possibly unnecessary expenses (my webserver runs on Apache 1.2.5 on Linux and I use sendmail 8.8.8 ... Samba on Linux actually runs as my fileserver ... i mean, yeah, i'd use NT for fileserving, but you'd gotta be crazy to run a fileserver without user quotas built into the system...)

there you go. my Linux spiel for the day (commercial Unix is mucho more expensive, i admit)
0
 
LVL 1

Expert Comment

by:Sorin032898
ID: 1571614
Happy linuxing! I admire the enthusiasts.
Exchange is not e-mail only, it is a communication server, if you need network fax + telex + Inmarsat (3rd party, Exchange based, but it gives us a total communication solution) and team-work support, etc ...
What about SQL Server? A business database is a must.
We also need the SNA Server for the AS/400.
BackOffice also has IIS, Proxy and SMS included.
And Small Business BackOffice is quite affordable, best for a small network (under 25 users).
0
 
LVL 2

Expert Comment

by:RebosMan
ID: 1571615
Are you using DHCP ?
0
 

Author Comment

by:atan111
ID: 1571616
RebosMan: nope.
0
 
LVL 2

Expert Comment

by:tbaffy
ID: 1571617
You can also try checking the "Enable DNS for Windows Resolution" item under the WINS tab in TCP/IP properties.  This tells WinNT to use DNS for Windows name resolution.  It could help because your problem could be related to the order that Windows NT uses different services to resolve host names.  Probably not, but it's worth a shot.

You can also troubleshoot this better by using the network monitor on the NT Machines.  You install it by adding the Network Monitor and Agent service to your Services tab in Network Properties.  This tool can be used to capture the packets that are sent back and forth between the machines.

Try the configuration change that I suggested and see if it helps.  If it doesn't we can take this to the next step by actually capturing a DNS name resolution with the network monitor.

Tom
0
 
LVL 1

Expert Comment

by:Sorin032898
ID: 1571618
Atan don't spend the time, there is no way with default NT "enable security". Use RRAS and NT Server.
0
 
LVL 3

Expert Comment

by:hkp
ID: 1571619
Port 53 is OK for DNS, but when you choose to disable all but port 53, you are going to have trouble. Windows NT needs other ports for communication, like some of the ones you already mentioned, and some more (depending on which services you want running on your computer).

About the security: it's not enough to keep the allowed ports to a minimum, you actually need to know which services are running on which protocols using which ports.

I don't think RRAS would do any better than a reinstallation of TCP/IP. But, by using RRAS, you can get security by using the PPTP protocol.

I think if you started all over by uninstalling TCP/IP, then reinstalling TCP/IP and setting the ports you want to open using the "enable security" button, you can add services after this. Then, I think the services will show some indication if there are any problems using them. The advantage you get is obviously a less complex space for troubleshooting the error.

Today, you have the opposite troubleshooting situation. I think I would rather bet my money on number 17 on the roulette than continue on your trail. Change strategy.

:-)
0
 
LVL 2

Expert Comment

by:tbaffy
ID: 1571620
If you want to solve this without guessing any more, the only way to do it is to actually LOOK at what is REALLY happening instead of going around in circles.  The only way to do this is to capture the DNS name resolution process with a network monitor.  You will be able to see all of the IP and UDP packets.  You will be able to see which ports are really being used.  It will let you determine once and for all, what is going on.  All of this other garbage is just wasting time and is pure conjecture.

Tom
0
 

Author Comment

by:atan111
ID: 1571621
nice try for the points, hkp. hmm... this thread is getting stupid. i can't divide the points giving up, huh?

Yeah. I'll try the network sniffing next (should have thought of it earlier... sheesh) ... I suspect WinNT uses outgoing ports in the range 1000-1200 (incrementally and all that kinda crap) ... based on my experience on my home Win95 machine (gotta change it to Linux someday soon ... and actually learn something from the ground up instead of trying to figure out what the MS product is doing...)

i suspect the packet sniffing will work. will try it out tomorrow
0
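The thread's diagnosis hinges on what a packet capture would show: the NT 4.0 "Enable Security" filter in "Permit Only" mode is stateless and checks only the destination port of inbound packets, while a DNS query leaves from an ephemeral source port and the reply comes back addressed to that port, not to port 53. The script below is an added example and not code from the thread or from any Microsoft tool; it builds a constructed DNS query/reply exchange (addresses 10.0.0.5 and 10.0.0.1, ephemeral port 1025 and the DNS bytes are all assumptions), parses the UDP port fields the way a sniffer would display them, and runs the exchange through a model of the stateless permit-only filter and through a connection-tracking filter for comparison.

```python
import struct
from dataclasses import dataclass

# Constructed sample addresses (assumptions, not from the thread).
LOCAL_IP = "10.0.0.5"      # the NT workstation with "Enable Security" on
RESOLVER_IP = "10.0.0.1"   # the upstream UNIX DNS server


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str      # "udp" or "tcp"
    payload: bytes  # transport header followed by data


def build_udp(src_port, dst_port, data):
    # UDP header: source port, destination port, length, checksum (0 = none).
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(data), 0) + data


def transport_ports(packet):
    # Both UDP and TCP headers begin with the 16-bit source and destination ports,
    # which is all the NT filter (and this model) ever looks at.
    return struct.unpack("!HH", packet.payload[:4])


# Stub DNS message bytes (ID 0x1234, one question; reply has one answer count).
# The filter never inspects past the ports, so the body need not be complete.
DNS_QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
DNS_REPLY = b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"

# The exchange a network monitor would capture: query out from an ephemeral
# port (1025 is an assumed value) to 53, reply back from 53 to that port.
EXCHANGE = [
    Packet(LOCAL_IP, RESOLVER_IP, "udp", build_udp(1025, 53, DNS_QUERY)),
    Packet(RESOLVER_IP, LOCAL_IP, "udp", build_udp(53, 1025, DNS_REPLY)),
]

# The allow list from the question: TCP and UDP port 53 only.
ALLOWED = {"udp": {53}, "tcp": {53}}


def permit_only(packet, allowed):
    """Model of NT 4.0 'Enable Security' in permit-only mode: inbound only,
    stateless, accepts a packet only if its destination port is listed."""
    if packet.dst_ip != LOCAL_IP:
        return "pass"  # outbound traffic is never filtered
    _, dst_port = transport_ports(packet)
    return "pass" if dst_port in allowed[packet.proto] else "drop"


def run_stateless(packets, allowed):
    return [permit_only(p, allowed) for p in packets]


def run_stateful(packets, allowed):
    """Connection-tracking filter for comparison: remember each outbound
    flow and accept the matching reply even though its destination port
    is not on the allow list."""
    expected = set()
    verdicts = []
    for p in packets:
        src_port, dst_port = transport_ports(p)
        if p.src_ip == LOCAL_IP:
            expected.add((p.proto, p.dst_ip, dst_port, src_port))
            verdicts.append("pass")
        elif (p.proto, p.src_ip, src_port, dst_port) in expected:
            verdicts.append("pass")
        else:
            verdicts.append(permit_only(p, allowed))
    return verdicts


def show(packets, verdicts):
    for p, v in zip(packets, verdicts):
        s, d = transport_ports(p)
        print(f"{p.src_ip}:{s} -> {p.dst_ip}:{d} {p.proto}  {v}")


if __name__ == "__main__":
    print("stateless permit-only (NT 4.0 'Enable Security'):")
    show(EXCHANGE, run_stateless(EXCHANGE, ALLOWED))
    print("connection-tracking filter:")
    show(EXCHANGE, run_stateful(EXCHANGE, ALLOWED))
```

Running it prints the query passing and the reply being dropped under the stateless model, which is exactly the symptom in the question: port 53 is allowed, but the answer arrives at port 1025. The stateful model passes both, which is why the thread's "allow all, then remove what you don't want" and RRAS suggestions sidestep the problem. DNS over TCP (used for large answers and zone transfers) has the same shape, since the TCP reply segments are also addressed to the client's ephemeral port.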
 
LVL 3

Expert Comment

by:hkp
ID: 1571622
;-) Good luck, you gonna need it. huh?
0
 
LVL 1

Accepted Solution

by:lekshmikr (earned 410 total points)
ID: 1571623
Port numbers for well-known services as defined by RFC 1060 (Assigned Numbers) are as follows. Check against yours.
==============================================
service name       port/<protocol>    aliases    # comment
==============================================
systat             11/tcp
systat             11/tcp    users
daytime            13/tcp
daytime            13/udp
netstat            15/tcp
qotd               17/tcp    quote
qotd               17/udp    quote
chargen            19/tcp    ttytst source
chargen            19/udp    ttytst source
ftp-data           20/tcp
ftp                21/tcp
telnet             23/tcp
smtp               25/tcp    mail
time               37/tcp    timserver
time               37/udp    timserver
rlp                39/udp    resource      # resource location
name               42/tcp    nameserver
name               42/udp    nameserver
whois              43/tcp    nicname       # usually to sri-nic
domain             53/tcp    nameserver    # name-domain server
domain             53/udp    nameserver
nameserver         53/tcp    domain        # name-domain server
nameserver         53/udp    domain
mtp                57/tcp                  # deprecated
bootp              67/udp                  # boot program server
tftp               69/udp
rje                77/tcp    netrjs
finger             79/tcp
link               87/tcp    ttylink
supdup             95/tcp
hostnames         101/tcp    hostname      # usually from sri-nic
iso-tsap          102/tcp
dictionary        103/tcp    webster
x400              103/tcp                  # ISO Mail
x400-snd          104/tcp
csnet-ns          105/tcp
pop               109/tcp    postoffice
pop2              109/tcp                  # Post Office
pop3              110/tcp    postoffice
portmap           111/tcp
portmap           111/udp
sunrpc            111/tcp
sunrpc            111/udp
auth              113/tcp    authentication
sftp              115/tcp
path              117/tcp
uucp-path         117/tcp
nntp              119/tcp    usenet        # Network News Transfer
ntp               123/udp    ntpd ntp      # network time protocol (exp)
nbname            137/udp
nbdatagram        138/udp
nbsession         139/tcp
NeWS              144/tcp    news
sgmp              153/udp    sgmp
tcprepo           158/tcp    repository    # PCMAIL
snmp              161/udp    snmp
snmp-trap         162/udp    snmp
print-srv         170/tcp                  # network PostScript
vmnet             175/tcp
load              315/udp
vmnet0            400/tcp
sytek             500/udp
biff              512/udp    comsat
exec              512/tcp
login             513/tcp
who               513/udp    whod
shell             514/tcp    cmd           # no passwords used
syslog            514/udp
printer           515/tcp    spooler       # line printer spooler
talk              517/udp
ntalk             518/udp
efs               520/tcp                  # for LucasFilm
route             520/udp    router routed
timed             525/udp    timeserver
tempo             526/tcp    newdate
courier           530/tcp    rpc
conference        531/tcp    chat
rvd-control       531/udp    MIT disk
netnews           532/tcp    readnews
netwall           533/udp                  # -for emergency broadcasts
uucp              540/tcp    uucpd         # uucp daemon
klogin            543/tcp                  # Kerberos authenticated rlogin
kshell            544/tcp    cmd           # and remote shell
new-rwho          550/udp    new-who       # experimental
remotefs          556/tcp    rfs_server rfs# Brunhoff remote filesystem
rmonitor          560/udp    rmonitord     # experimental
monitor           561/udp                  # experimental
garcon            600/tcp
maitrd            601/tcp
busboy            602/tcp
acctmaster        700/udp
acctslave         701/udp
acct              702/udp
acctlogin         703/udp
acctprinter       704/udp
elcsd             704/udp                  # errlog
acctinfo          705/udp
acctslave2        706/udp
acctdisk          707/udp
kerberos          750/tcp    kdc           # Kerberos authentication--tcp
kerberos          750/udp    kdc           # Kerberos authentication--udp
kerberos_master   751/tcp                  # Kerberos authentication
kerberos_master   751/udp                  # Kerberos authentication
passwd_server     752/udp                  # Kerberos passwd server
userreg_server    753/udp                  # Kerberos userreg server
krb_prop          754/tcp                  # Kerberos slave propagation
erlogin           888/tcp                  # Login and environment passing
kpop             1109/tcp                  # Pop with Kerberos
phone            1167/udp
ingreslock       1524/tcp
maze             1666/udp
nfs              2049/udp                  # sun nfs
knetd            2053/tcp                  # Kerberos de-multiplexor
eklogin          2105/tcp                  # Kerberos encrypted rlogin
rmt              5555/tcp    rmtd
mtb              5556/tcp    mtbd          # mtb backup
man              9535/tcp                  # remote man server
w                9536/tcp
mantst           9537/tcp                  # remote man server, testing
bnews           10000/tcp
rscs0           10000/udp
queue           10001/tcp
rscs1           10001/udp
poker           10002/tcp
rscs2           10002/udp
gateway         10003/tcp
rscs3           10003/udp
remp            10004/tcp
rscs4           10004/udp
rscs5           10005/udp
rscs6           10006/udp
rscs7           10007/udp
rscs8           10008/udp
rscs9           10009/udp
rscsa           10010/udp
rscsb           10011/udp
qmaster         10012/tcp
qmaster         10012/udp

0
 
LVL 5

Expert Comment

by:daJman
ID: 5815816
WHAT WAS THE FINAL ANSWER???????? All those?


-Jason
with the same prob btw
0
 
LVL 3

Expert Comment

by:hkp
ID: 5830580
You see, no answer to the question. At least, I tried to answer the best I could.

:-))
0
