atan111 asked:
IP security -- filtering TCP/UDP ports

I'm the admin of a small NT network. There are these machines on which I need to block access to certain ports (including Quake 27500 and maybe www 80).

So what I did was: in the TCP/IP protocol tab, under "Advanced", I clicked on "Enable Security" and configured it to allow certain port numbers (which I deemed necessary).

Now, the problem is... I need DNS to work. It worked before I started mucking with the TCP security. Anyway, according to RFC 1700, I included port 53 in the list of "allow"ed ports in both TCP and UDP. After rebooting, the stupid system refuses to resolve domain names properly.

Some other pointers that might help in the diagnosis: I did enable port 23 and port 7, so telnet (from the test machine to my Linux box) and ping (both to and from the test machine) do work. My DNS servers are big Unix monsters 'upstream' from my domain, and DNS works again if I disable the security and reboot.

Can you tell me why DNS won't work on NT with TCP security enabled but with TCP/UDP port 53 "allowed"? Has MS implemented some funky way of resolving domain names that circumvents the open standard? Most importantly, *how* do I go about getting this to WORK?
atan111 (asker): Edited text of question
If I'm not mistaken, you need to enable traffic on ports 42, 43, and 53 to get DNS server to work.
atan111 (asker):
Actually, the entire list of ports I've already enabled traffic on so far is:

1,2,3,7,22,23,37,38,39,42,43,51,52,53,54,56 (decided to enable a few more around the 50 area to test it), 80, 88, 92, 6000-6020 (for X Windows)

So the DNS still doesn't work. Well... any other takers?
Just asking. Did you enable IP protocol 17?
atan111 (asker):
You mean enabling UDP over IP? Well, I left the part on IP port filtering as "allow all", i.e. only filtering the TCP and UDP ports. So the answer is "yes", I suppose.
Some things to check: are your DNS servers (or your NT machine) behind a firewall? If so, you will need to proxy to your DNS servers. If that doesn't work, you can always take the long way around to finding the solution by enabling all ports and disabling them one at a time until you find the problematic port. My guess is that you should allow all ports and disable only those that need to be disabled (e.g. 27500 and maybe 80). Hope this helps.
atan111 (asker):
No, my DNS servers are not behind any firewall. I know the setup works with ALL ports allowed.

The cinch is... Win NT 4.0 only allows you to "allow all" or "allow only" rather than "disable only", which is rather irritating (yes, I have already thought of your idea myself...). Enabling ports one at a time seems like an impossible task (gee... there are... what? unlimited potential numbers of ports... especially since I have to *REBOOT* (dang Win NT) each time I do this... sheesh).
To my knowledge, Microsoft DNS supports the following RFCs:
1033, 1034, 1035, 1101, 1123, 1183 and 1536.

There's nothing about the 1700! So perhaps, you just have to wait for a better MS solution with a later version of Windows NT.
atan111 (asker):
As far as I know, DNS requires port 53... and this was specified before RFC 1700 (which only specifies registered port numbers, not DNS queries).

What I want to know is: if M$ does use unspecified methods of resolving DNS queries, what are the port numbers they use? (So I can... well... make it work.)
I'd log a $200 priority support call and let them stew over it. It'd be worth it to see how silly that call would be. Probably waste a few days of your time working with MS though.
I think this is a good question. Why hasn't MS given this information when they have actually made the whole thing the opposite of what it should have been? The only thing I can imagine as a good reason to do it this way is this: to be able to make a secure environment ("enable security"), you are better off with zero ports as the default. You are in control, and only you decide which ports are open over the net. By the way, I think it would have been nice to find some help file with information about the ports which are open without "enable security", to make a difference here. At least a "Default security" button on the "enable security" dialog window would have been nice...

Good luck.
Probably I didn't read the question and the follow-ups completely, but I have one basic question. Are you trying to make DNS work or the Microsoft DNS Server work?
I mean, is your NT box an MS DNS Server?

atan111 (asker):
No, snimmaga, the NT boxes are not DNS servers. What I'm trying to do is get the domain name resolving to work... using my usual DNS servers (big chunky UNIX boxes, btw, which I'm not an admin of).

I've changed the ports that I've "allow"ed since then; now it's 7,22,23,25,37,38,42,43,52-56,80,88,92,109-110,123,137-139,177,546-547,1512,2064,6000-6020...

But DNS resolving still doesn't work... :(
atan111 (asker):
Well, still no takers? *sigh*
I tried the "enable security" in NT with the same results. No way with these rudimentary filtering features. I suggest installing RRAS, which is far better for filtering and more. And RRAS is free.
Anyhow, I learned that with actual MS products there is no way to get a real, strong firewall. If needed, try some dedicated firewall for NT (bucks required).
atan111 (asker):
RRAS? Whazzat? Where do you get it? (If I sound stupid, it's because of a lack of sleep.)
RRAS (Routing and Remote Access Server) can be freely downloaded from Microsoft.
URL: http://www.microsoft.com/communications/routing&ras.htm

atan111 (asker):
Hmm... sorin, RRAS seems kewl (I'm waiting for the multiple reboots for it to install properly... geez, Linux doesn't need half this many reboots...)

But...

It refuses to install on the Workstations! Now I wish I could give partial points out, but my main problem is with the workstations... any more ideas? (How about hacks to make the workstations look like servers?... hmm)


Back to testing...
Maybe Unixes don't want many reboots, but other things...
Yes, unfortunately RRAS requires NT Server, but I suggest using Server anyway, otherwise you will be unable to install much other software (BackOffice components, etc). More than that, I recommend BackOffice or Small Business BackOffice. Maybe you already know, but BackOffice is a great deal; it is cheap and it gives almost all the system software you need for a network. A similar Unix solution to BackOffice is far more expensive.
atan111 (asker):
I can't get money to turn each and every NT 4.0 Wks into an NT 4.0 Server... just so that I can use RRAS for IP filtering... there *should* be a suitable way to configure the Wks for IP filtering (that avoids the crap about "enable security").

In any case, I don't want to start an OS holy war, but for most of what BackOffice offers...
Exchange server -- sendmail/Qmail on Linux is way cheaper (free can't be beat) and works better
Proxy server -- have you heard of Squid?

And... and... my small network doesn't justify shelling out for possibly unnecessary expenses (my webserver runs on Apache 1.2.5 on Linux and I use sendmail 8.8.8... Samba on Linux actually runs as my fileserver... I mean, yeah, I'd use NT for fileserving, but you'd gotta be crazy to run a fileserver without user quotas built into the system...)

There you go. My Linux spiel for the day (commercial Unix is mucho more expensive, I admit).
Happy linuxing! I admire the enthusiasts.
Exchange is not e-mail only, it is a communication server. If you need network fax+telex+inmarsat (3rd party Exchange based, but it gives us a total communication solution) and team-work support, etc...
What about SQL Server? A business database is a must.
We also need SNA Server for the AS/400.
BOffice also has IIS, Proxy and SMS included.
And Small Business BackOffice is quite affordable, best for a small network (under 25 users).
Are you using DHCP ?
atan111 (asker):
RebosMan: Nope.
You can also try checking the "Enable DNS for Windows Resolution" item under the WINS tab in TCP/IP properties.  This tells WinNT to use DNS for Windows name resolution.  It could help because your problem could be related to the order that Windows NT uses different services to resolve host names.  Probably not, but it's worth a shot.

You can also troubleshoot this better by using the network monitor on the NT Machines.  You install it by adding the Network Monitor and Agent service to your Services tab in Network Properties.  This tool can be used to capture the packets that are sent back and forth between the machines.

Try the configuration change that I suggested and see if it helps.  If it doesn't we can take this to the next step by actually capturing a DNS name resolution with the network monitor.

Tom
Atan, don't spend the time, there is no way with default NT "enable security". Use RRAS and NT Server.
Port 53 is OK for DNS, but when you choose to disable all but port 53, you are going to have trouble. Windows NT needs other ports for communication, like some of the ones you already mentioned, and some more (depending on which services you want running on your computer).

About the security: it's not enough to keep the allowed ports to a minimum, you actually need to know which services are running on which protocols using which ports.

I don't think RRAS would do any better than a reinstallation of TCP/IP. But, by using RRAS, you can get security by using the PPTP protocol.

I think if you started all over by uninstalling TCP/IP, then reinstalling TCP/IP and setting the ports you want to open using the "enable security" button, you could add services after this. Then, I think the services will show some indication if there are any problems using them. The advantage you get is obviously a less complex space for troubleshooting the error.

Today, you have the opposite troubleshooting situation. I think I would rather bet my money on number 17 on the roulette than continue on your trail. Change strategy.

:-)
If you want to solve this without guessing any more, the only way to do it is to actually LOOK at what is REALLY happening instead of going around in circles.  The only way to do this is to capture the DNS name resolution process with a network monitor.  You will be able to see all of the IP and UDP packets.  You will be able to see which ports are really being used.  It will let you determine once and for all, what is going on.  All of this other garbage is just wasting time and is pure conjecture.

Tom
atan111 (asker):
Nice try for the points, hkp. Hmm... this thread is getting stupid. I can't divide the points giving up, huh?

Yeah. I'll try the network sniffing next (should have thought of it earlier... sheesh)... I suspect WinNT tries to make outgoing ports in the range 1000-1200 (incrementally and all that kinda crap)... based on my experience on my home Win95 machine (gotta change it to Linux someday soon... and actually learn something from the ground up instead of trying to figure out what the MS product is doing...)

I suspect the packet sniffing will work. Will try it out tomorrow.
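A worked illustration of the failure mode argued about above, added here as an example and not taken from the thread or from any Microsoft documentation. Tom suggests capturing the DNS exchange; the asker suspects client-side ephemeral ports are involved. The script below models exactly that exchange: it builds an RFC 1035 A-record query, a constructed server reply, and a stateless inbound filter that permits a datagram only if its destination (local) UDP port is on the allow list, which is how the NT 4.0 "Enable Security" filter behaves (it filters inbound traffic only and does not track the outbound query). The query leaves from an ephemeral source port, the reply comes back to that port rather than to 53, so an allow list of {53} drops it while "Permit All" passes it. The port range 1024-4999 used for NT 4.0 clients, the name example.com, the address 192.0.2.1 and the client port 1037 are assumptions for the demo.

```python
"""Simulate a DNS lookup through an inbound-only UDP port filter (added example)."""
import struct
from collections import namedtuple

UdpDatagram = namedtuple("UdpDatagram", "src_port dst_port payload")

# Assumed NT 4.0 default dynamic client port range; the thread guesses 1000-1200.
NT4_EPHEMERAL_PORTS = range(1024, 5000)


def build_query(name, qid=0x1234):
    """Minimal RFC 1035 A-record query: header, QNAME, QTYPE=A, QCLASS=IN."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)


def build_response(query, ipv4):
    """Constructed server reply: same ID, QR=1 RD=1 RA=1, question echoed, one A RR."""
    qid = struct.unpack(">H", query[:2])[0]
    question = query[12:]
    header = struct.pack(">HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    # NAME is a compression pointer to offset 12 (the question's QNAME).
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 3600, 4)
    rr += bytes(int(octet) for octet in ipv4.split("."))
    return header + question + rr


def parse_header(payload):
    """Decode the 12-byte DNS header, the fields a packet capture would show."""
    qid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", payload[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an}


def inbound_allowed(allow_local_udp, datagram):
    """Stateless inbound filter: pass only if the local (destination) port is listed.
    allow_local_udp=None models 'Permit All', i.e. security disabled."""
    return allow_local_udp is None or datagram.dst_port in allow_local_udp


def resolve(allow_local_udp, name="example.com", client_port=1037):
    """Run one client lookup through the filter; return the A record or None on drop."""
    query = build_query(name)
    out = UdpDatagram(src_port=client_port, dst_port=53, payload=query)  # outbound is not filtered
    # The server answers the 5-tuple it saw: its port 53 back to our ephemeral port.
    reply = UdpDatagram(src_port=53, dst_port=out.src_port,
                        payload=build_response(query, "192.0.2.1"))
    if not inbound_allowed(allow_local_udp, reply):
        return None  # silently dropped by the filter; the resolver times out
    hdr = parse_header(reply.payload)
    if not hdr["qr"] or hdr["id"] != parse_header(query)["id"] or hdr["ancount"] == 0:
        return None
    return ".".join(str(b) for b in reply.payload[-4:])  # RDATA of the single A record


if __name__ == "__main__":
    print("permit only UDP 53      :", resolve({53}))                           # None
    print("permit all              :", resolve(None))                           # 192.0.2.1
    print("53 plus ephemeral range :", resolve({53} | set(NT4_EPHEMERAL_PORTS)))  # 192.0.2.1
```

The third case is the one a capture would point you toward: the reply's destination port is the client's ephemeral port, so an allow-only list has to include the whole dynamic range (which makes the filter nearly useless for a client), or the filtering has to be done somewhere that tracks outbound state.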
;-) Good luck, you gonna need it. huh?
ASKER CERTIFIED SOLUTION
lekshmikr

WHAT WAS THE FINAL ANSWER???????? All those?


-Jason
With the same prob, btw.
You see, no answer to the question. At least, I tried to answer the best I could.

:-))