Security Basics mailing list archives

RE: Simple Firewall: Summary


From: "Alexander Suhovey" <asuhovey () mtu-net ru>
Date: Sat, 8 Jan 2005 22:09:00 +0300

Regarding IPSec filters - don't know why you decided that there's no deny
capability. You can create a filter to block certain types of traffic
to/from a certain set of IP addresses, a subnet or a DNS name.
Here are a couple of links on the topic. The first is a good example of GUI-based
configuration of IPSec filters while the second covers the command line.

How can I block a Windows 2000/XP/2003 computer from surfing on the Internet
but still allow it to surf to Intranet sites?
http://www.petri.co.il/block_internet_but_allow_intranet_with_ipsec.htm

How to block specific network protocols and ports by using IPSec:
http://support.microsoft.com/default.aspx?scid=kb;en-us;813878

Hth,
Al
  
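As an added illustration of the deny capability described in the reply above (this is not part of the original message or of either linked article), here is a command-line IPSec filter configuration for the scenario in the original question: a server that must stay open to the public but needs a deny list for specific source addresses. It uses the `netsh ipsec static` context that ships with Windows Server 2003; the subnet 192.0.2.0/24 and the policy, filter list and action names are constructed placeholders, not values from the thread.

```batch
@echo off
REM Added example: block all traffic from one source subnet with an IPSec filter,
REM leaving every other client free to reach the public service.
REM Run from an elevated command prompt on Windows Server 2003.

REM 1. A policy is the container that gets assigned (activated) later.
netsh ipsec static add policy name="GameServerDenyList" description="Deny list for abusive sources (added example)"

REM 2. A filter list holds one or more address/protocol matches.
netsh ipsec static add filterlist name="BlockedSources"

REM 3. The match itself: anything from the placeholder subnet 192.0.2.0/24 to this host.
REM    dstaddr=Me means "this computer"; mirrored=yes also matches the reply direction,
REM    so the server cannot answer the blocked subnet either.
netsh ipsec static add filter filterlist="BlockedSources" srcaddr=192.0.2.0 srcmask=255.255.255.0 dstaddr=Me protocol=ANY mirrored=yes description="constructed example subnet"

REM 4. The action: plain block (the alternatives are permit and negotiate).
netsh ipsec static add filteraction name="BlockAction" action=block

REM 5. A rule ties filter list and action together inside the policy.
netsh ipsec static add rule name="DropBlockedSources" policy="GameServerDenyList" filterlist="BlockedSources" filteraction="BlockAction"

REM 6. Nothing is enforced until the policy is assigned and the IPSEC Services service is running.
netsh ipsec static set policy name="GameServerDenyList" assign=y

REM 7. Verify what is now in force.
netsh ipsec static show policy name="GameServerDenyList" level=verbose

REM To back out: unassign the policy (the definitions stay for later reuse).
REM netsh ipsec static set policy name="GameServerDenyList" assign=n
```

Only one policy can be assigned at a time, so additional blocked ranges go into the same filter list (step 3 repeated) rather than into a second policy. A filter with no port or protocol restriction, as above, is a whole-host deny for that subnet; narrowing it with `protocol=UDP dstport=<port>` limits the block to the service itself.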

-----Original Message-----
From: G Farnham [mailto:gfarnham () gmail com] 
Sent: Thursday, December 30, 2004 1:27 AM
To: security-basics () securityfocus com
Subject: Simple Firewall: Summary

Thanks for all the responses.  Summary below.
Followup question:
Are there any good tools for testing firewall performance.
Specifically in terms of latency added by firewall.


Summary:

1) This looks like best solution for me
Try PktFilter

http://www.hsc.fr/ressources/outils/pktfilter/

2) This one looks viable also
You may be able to use peerguardian... A firewall of sorts for 
peer-2-peer apps that uses a deny list to prevent the 
FBI/RIAA/MPAA etc.
from snooping your shared files.  You should be able to pick 
that up at http://www.methlabs.org/methlabs.htm

3) recommendations for commercial firewalls would probably 
work, some recommended ones are:
Kerio
tiny firewall
sygate

4) Win Remote access service RRAS
I think this would work, but more overhead than I want

5) Use windows IP filtering, Win2003 SP1 (like XP SP2 
firewall), IPSec white list I don't think any of these meet my needs.
I need a deny capability.  Permit or White list will not help 
me as the service (game server) needs to be open to the public.
As far as I know, built in IP filtering is "permit only" not 
deny capability.
XP SP2 firewall has no way to define a deny list for source IP.
[If I have any of this wrong, feel free to correct me, but 
please provide details on how to do it or where to see it]

GDF
