Robert Berke asked:

How to get thru Firewall with Outlook Web Access.

Portable computers can use OWA until I turn on the firewall. They then get IE6 error message "the page cannot be displayed".  

Can someone give me some pointers on the best way to get through the firewall?  I've read q280132, but it leaves me cold (WAY too many ports). I've also researched about a dozen EE questions, but most of them are for more complicated environments and/or involved a lot of jargon that I don't understand.

RBERKE

Windows 2000 small business server (Exchange 5.5) and IE6 clients.

The firewall is a speedstream 5861 DSL router.  

I'm not using SSL, but I plan on switching to it soon and will do it now if it helps resolve the problem.

The 5861 system log shows the following errors every time someone tries to get through.

12/05/2003-13:28:28:IP-FILTER: I:PROTO 6 (TCP) pkt       from 67.39.222.214/43837
12/05/2003-13:28:28:IP-FILTER:             to 67.39.222.209/80 dropped, SYN Flag
12/05/2003-13:28:31:IP-FILTER: I:PROTO 6 (TCP) pkt       from 67.39.222.214/43837
12/05/2003-13:28:31:IP-FILTER:             to 67.39.222.209/80 dropped, SYN Flag
12/05/2003-13:28:37:IP-FILTER: I:PROTO 6 (TCP) pkt       from 67.39.222.214/43837
12/05/2003-13:28:37:IP-FILTER:             to 67.39.222.209/80 dropped, SYN Flag

The firewall script has the following filters  (I'm only showing those relating to 80 and 443)
remote ipfilter append input accept -p tcp -sp 80 internet
remote ipfilter append output accept -p tcp -dp 80 internet
remote ipfilter append input accept -p tcp -sp 443 internet
remote ipfilter append output accept -p tcp -dp 443 internet
remote ipfilter append input drop internet
remote ipfilter append output drop internet
save

Router port mapping
Protocol | First Port# | Last Port# | IP Address      | Port#
TCP      | 80          | 80         | 192.168.254.251 | 80


Other router settings

GENERAL INFORMATION FOR <>
  System started on.................... 12/4/2003 at 10:12
  Authentication override.............. none
  Server(s) (IP Translation) .......... 192.168.254.251 proto-TCP port-HTTP
  Mapping(s) (IP Translation) ......... 192.168.254.251 to 192.168.254.251 mapped on
                                        67.39.222.209 to 67.39.222.209 (1 entries)
  WAN to WAN Forwarding................ yes
  Block NetBIOS Default................ no
  BOOTP/DHCP Server address............ none
  Telnet Port.......................... default (23)
  Telnet Clients....................... all
  SNMP Port............................ default (161)
  SNMP Clients......................... LAN
                                        LAN
  HTTP Port............................ default (80)
  HTTP Clients......................... all
  Syslog Port.......................... default (514)
  Allowed Syslog Servers............... LAN
                                        LAN
  Default Syslog Servers............... none
  System message:
JasonBigham:

How about:

remote ipfilter insert input accept -p tcp -sp 80 internet
remote ipfilter insert output accept -p tcp -dp 80 internet
remote ipfilter insert input accept -p tcp -sp 443 internet
remote ipfilter insert output accept -p tcp -dp 443 internet
remote ipfilter insert input drop internet
remote ipfilter insert output drop internet

Robert Berke (asker):

No, insert just puts the filter at the top of the list while append puts it at the bottom. I didn't show it, but the script starts out with a flush command so your script is equivalent to mine.

JasonBigham:

Yes, sorry... not a router guru. How about:

# Should only allow HTTP/SSL to server 67.39.222.209 from the internet
remote ipfilter insert input accept -p tcp -dp 80 -da 67.39.222.209 -dm 255.255.255.255 internet
remote ipfilter insert input accept -p tcp -dp 443 -da 67.39.222.209 -dm 255.255.255.255 internet

#Generic allowance of incoming HTTP/SSL to your network from the internet
remote ipfilter insert input accept -p tcp -dp 80 internet
remote ipfilter insert input accept -p tcp -dp 443 internet

#drop everything else
remote ipfilter insert input drop -p tcp -p udp internet
I think your usage of -sp and -dp was backwards... "think"
I might be backwards though
Robert Berke (asker):

I am also not a router guru, but the script was provided by the router manufacturer when SBC installed the router a year ago. It is the standard "medium security" firewall for everyone that bought an Efficient 5861 that month.  There were no modifications made for exchange/web access etc.    -sp means sending port, and -dp means destination port.  But, I get confused also, which is why I hope to find an expert.

I'm in the middle of a muddle right now, so I won't be able to do your suggestions till next week.

In the meantime, I encourage other experts to respond if they think they know what to do.  

If two people respond, I'll bump the points to 500 and give 250 each.




ASKER CERTIFIED SOLUTION
JasonBigham

Robert Berke (asker):

Yep, that works.  In fact, I only used the single line from your 3:26pm post, none of the others.

But, several things still confuse me.

Q1. The manufacturer's script has about 20 lines that all follow this format:

remote ipfilter insert input accept -p tcp -sp 80 internet
remote ipfilter insert output accept -p tcp -dp 80 internet

the input accept's all mention source port
the output accept's all mention destination port

but your command goes the opposite way, the input references the destination port
remote ipfilter insert input accept -p tcp -dp 80 -da 67.39.222.209 -dm 255.255.255.255 internet

Q 2.  the manufacturer's script ends with  

  remote ipfilter append input drop internet

Your suggestion (which I have not yet taken) terminates
  remote ipfilter insert input drop -p tcp -p udp internet

What’s the difference?

Q3.  The manufacturer’s script always has pairs, one for tcp and one for udp.

remote ipfilter append input accept -p tcp -sp 80 internet
remote ipfilter append input accept -p udp -sp 80 internet

Is the following equivalent?
 remote ipfilter append input accept -p tcp -p udp -sp 80 internet

JasonBigham:

Q1.

If I understand correctly, the first one is allowing internet traffic in, from the internet, via port 80. The second one is the opposite... allowing internet traffic out, to the internet, via port 80

Q2.

remote ipfilter append input drop internet

If I understand correctly, this says to drop all traffic. So, if you don't have any entries above it, no traffic whatsoever will be allowed.

Q3.

I think they are assuming that if something is coming in, it probably goes out as well on the same port. Not sure though, depends if my assumptions on Q1 are correct. Don't add any more than you need to get this working though. If only my one line meets all your needs, then that is the most secure.

I think this is the opposite, and would be saying to allow your LAN traffic access past the router (to the internet in your scenario) to udp/tcp ports 80. Not sure if you need the udp entry though.

remote ipfilter append input accept -p tcp -p udp -sp 80 internet


Robert Berke (asker):

So I'm getting closer to understanding.  One last question.

Q4 I'm not exactly sure how firewalls use masks, but I think that -dm 255.255.255.255 is the default mask.  It doesn't seem to matter if I include it or exclude it, they both work.  

Right now, my script has the following statement at the end
   remote ipfilter insert input accept -p tcp -dp 80 -da 67.39.222.209 internet

If you think the -dm 255.255.255.255 is important, let me know.

In the meantime, I'm closing the question and awarding points.  Thanks for your help.

JasonBigham:

I bet the default behavior is to be broadcast (255.255.255.255) thus it works with or without. If you narrowed it down, then you would be narrowing down the number of hosts that could get in. This could be handy if you knew all the IP's of your OWA users, but probably a bit unnecessary when SSL, VPN, etc is available. Again, not sure though... not a router guy.

Robert Berke (asker):

> not a router guy

A partial expert is better than no expert

Thanks again
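Added worked example (not part of the thread, and not code from Efficient/SpeedStream): a small first-match packet filter that reads the `remote ipfilter` lines and the `IP-FILTER` syslog lines quoted above, so the -sp/-dp question (Q1), the catch-all drop (Q2) and the -da/-dm mask (Q4) can be traced on the logged packet instead of guessed at. The matching semantics are assumptions for this simulation only: rules are checked top to bottom and the first match decides, `-sp`/`-dp` are source/destination port, `-da` with `-dm` is a destination network (host mask if `-dm` is omitted), `insert` prepends and `append` appends, any line containing `flush` empties both chains, and a packet matching no rule is accepted. The syslog sample is the one posted in the question; every other packet below is constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                                 # "accept" or "drop"
    protos: frozenset                           # e.g. {"tcp"}; empty = any protocol
    sp: Optional[int] = None                    # -sp source port
    dp: Optional[int] = None                    # -dp destination port
    da: Optional[ipaddress.IPv4Network] = None  # -da/-dm destination host or network

    def matches(self, proto: str, sport: int, dst: str, dport: int) -> bool:
        return ((not self.protos or proto in self.protos)
                and (self.sp is None or sport == self.sp)
                and (self.dp is None or dport == self.dp)
                and (self.da is None or ipaddress.IPv4Address(dst) in self.da))


RULE_RE = re.compile(r"^remote ipfilter (insert|append) (input|output) (accept|drop)(.*?) internet$")


def parse_rule(line: str):
    """Parse one 'remote ipfilter ...' line into (insert|append, chain, Rule)."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised rule: {line}")
    where, direction, action, opts = m.groups()
    o = {"-p": set(), "-sp": None, "-dp": None, "-da": None, "-dm": "255.255.255.255"}
    toks = opts.split()
    for flag, val in zip(toks[::2], toks[1::2]):
        if flag not in o:
            raise ValueError(f"unknown option {flag}")
        o["-p"].add(val) if flag == "-p" else o.__setitem__(flag, val)
    net = ipaddress.IPv4Network(f'{o["-da"]}/{o["-dm"]}', strict=False) if o["-da"] else None
    to_int = lambda v: None if v is None else int(v)
    return where, direction, Rule(action, frozenset(o["-p"]), to_int(o["-sp"]), to_int(o["-dp"]), net)


class IpFilter:
    def __init__(self):
        self.chains = {"input": [], "output": []}

    def load(self, script: str) -> None:
        for line in script.strip().splitlines():
            line = line.strip()
            if not line or line.startswith("#") or line == "save":
                continue
            if "flush" in line:                      # assumed flush syntax; empties both chains
                self.chains = {"input": [], "output": []}
                continue
            where, direction, rule = parse_rule(line)
            chain = self.chains[direction]
            chain.insert(0, rule) if where == "insert" else chain.append(rule)

    def decide(self, direction: str, proto: str, sport: int, dst: str, dport: int) -> str:
        for rule in self.chains[direction]:          # first match wins
            if rule.matches(proto, sport, dst, dport):
                return rule.action
        return "accept"                              # assumption: default when nothing matches


def parse_log(text: str):
    """The 5861 splits one event over a 'from' line and a 'to' line; pair them up."""
    lines = [l for l in text.splitlines() if l.strip()]
    packets = []
    for a, b in zip(lines[::2], lines[1::2]):
        m1 = re.search(r"\((\w+)\) pkt\s+from ([\d.]+)/(\d+)", a)
        m2 = re.search(r"to ([\d.]+)/(\d+) (\w+)", b)
        packets.append({"proto": m1.group(1).lower(), "src": m1.group(2), "sport": int(m1.group(3)),
                        "dst": m2.group(1), "dport": int(m2.group(2)),
                        "logged": "drop" if m2.group(3).startswith("drop") else "accept"})
    return packets


# Vendor script and syslog lines as quoted in the question (flush line is the asker's, syntax assumed).
VENDOR_SCRIPT = """
remote ipfilter flush
remote ipfilter append input accept -p tcp -sp 80 internet
remote ipfilter append output accept -p tcp -dp 80 internet
remote ipfilter append input accept -p tcp -sp 443 internet
remote ipfilter append output accept -p tcp -dp 443 internet
remote ipfilter append input drop internet
remote ipfilter append output drop internet
save
"""
OWA_FIX = "remote ipfilter insert input accept -p tcp -dp 80 -da 67.39.222.209 -dm 255.255.255.255 internet"
SYSLOG = """
12/05/2003-13:28:28:IP-FILTER: I:PROTO 6 (TCP) pkt       from 67.39.222.214/43837
12/05/2003-13:28:28:IP-FILTER:             to 67.39.222.209/80 dropped, SYN Flag
"""


def verdicts(extra_rules: str = ""):
    """[(simulated verdict, verdict the router logged)] for each syslog packet on the input chain."""
    fw = IpFilter()
    fw.load(VENDOR_SCRIPT)
    fw.load(extra_rules)
    return [(fw.decide("input", p["proto"], p["sport"], p["dst"], p["dport"]), p["logged"])
            for p in parse_log(SYSLOG)]


def mask_effect(dm: str, dst: str) -> str:
    """Constructed: the same inbound SYN aimed at `dst`, against a -da 67.39.222.209 rule with mask `dm`."""
    fw = IpFilter()
    fw.load(VENDOR_SCRIPT)
    fw.load(f"remote ipfilter insert input accept -p tcp -dp 80 -da 67.39.222.209 -dm {dm} internet")
    return fw.decide("input", "tcp", 43837, dst, 80)


def vendor_accepts_source_port_80() -> str:
    """Constructed: an inbound packet whose *source* port is 80, which is what '-sp 80' on input matches."""
    fw = IpFilter()
    fw.load(VENDOR_SCRIPT)
    return fw.decide("input", "tcp", 80, "67.39.222.209", 43837)
```

Running `verdicts()` reproduces the logged drop: the SYN arrives from port 43837 to port 80, so neither `-sp 80` nor `-sp 443` matches and the packet falls through to `input drop`. `verdicts(OWA_FIX)` shows the single inserted `-dp 80 -da 67.39.222.209` line accepting it ahead of that drop. `mask_effect` shows what the mask changes in this model: with 255.255.255.255 only the OWA host is opened, with 255.255.255.0 every address in 67.39.222.0/24 is, and leaving `-dm` out is the same as the host mask, which is why both forms behaved identically for the asker. `vendor_accepts_source_port_80` is the practitioner's caveat: in a stateless filter a rule keyed only on source port 80 admits any inbound packet that claims source port 80, whatever its destination port, so the narrower `-dp 80 -da <host>` form is the safer one to keep.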