Jump to content
Forum²

Recommended Posts

Posted

hi, my first quesion.

 

I have a DMZ to a server running 2008 Enterprise. When i add an exception in windows firewall for the Public profile (i also add it to all profiles) but the port doesnt open when doing a portscan externally.

 

Secondly...

 

Any idea if there is/what is the Group Policy to disable saving ALL passwords (VPN, Network Drives, RDP etc etc)

 

Thanks!!

Posted

Mhhh but do you have at least the entry in your firewall? I mean, when you click apply, does the rule is registered?

 

re you sure you don't have another firewall?

 

Which port are you trying to open? Which port is already opened?

 

 

 

There's only one policy which doesn't permit (to the user) to save password for .NET Passport account. This means you can still save VPNs password and so on if they're not Windows things.

--------------------------------------------------------

Tu peux aussi crire en franais.

Du kannst auch auf Deutsch schreiben.

Puoi scrivere anche in italiano.

--------------------------------------------------------

Posted

Yes the rule created was named "Test" and opened TCP port 1000

 

The rule is then shown as "Active" and is a Public rule

 

I no other firewall running. I have a NAT at the router, however this does not apply now that i am using a DMZ

 

I have 80, 1723, 25, 110, 143, 21, 3389 and a few others, which are open in the firewall. Im just not able to get 1000 open, maybe i need to go higher like 4000?

 

 

Thanks for policy reply, that doesnt really matter!

 

One more thing, how can i block port scanning requests? do i need to block by IP range, and is this possible in Windows Firewall?

 

Thanks!

Posted

Well the first 1024 ports are WELL-know, then there're the REGISTERED port (until 49151) so you should use a port in this range: 4915265535

 

Blocking port scanning is not possible, by default the port is blocked, but you can still be able to scan it...

--------------------------------------------------------

Tu peux aussi crire en franais.

Du kannst auch auf Deutsch schreiben.

Puoi scrivere anche in italiano.

--------------------------------------------------------

Posted

Ok yes, but i should still be able to open these ports right?

 

I will try 50000 now....

 

The reason i ask about blocking port scans is,

 

i just tried a scan on a local hosting company domain and it timed out...

 

as where i can scan my domain...

 

Thanks again!

 

UPDADTE: 50000 still wont open. Restarted and all??

Posted

Are you sure is not opened? I mean... there's no reason for Win FW to don't open a port ;) maybe the executable of the program is blocked... can you provide more details about what are you opening?

 

Well, many FWs have this possibility, you can "block" a scan from outside, it's like a traceroute, there're firewalls that blocks packets and stop. The same thing happens on port scanning. When you are trying to find an open port (because of you're an attacker or you're testing your OWN security) you can use many programs that have also the settings to wait for the next probe. In other words, if your firwall see that the IP 8.8.8.8 is checking (connection try) on port 443 it can't (it couldn't) block this IP, but if this client in 1-2 seconds try the same thing on different port... well this is a scan ;)

 

There're other ways to scan (only with SYN, complete ACK, Christmas Tree, ...) and all of these technics are different and more or less complex. The built in FW in windows doesn't have so many settings to block specific ip on port scan. You should check other products (most of them are appliance...) but trust me, you don't really need this. Where I work right now, something I must go to clients to check network and security. Almost everyone receive a port scan but this is "normal", I mean, you must check if you are under attack, but a port scan could be only a bot which is trying to infect your pc via an open port...

--------------------------------------------------------

Tu peux aussi crire en franais.

Du kannst auch auf Deutsch schreiben.

Puoi scrivere anche in italiano.

--------------------------------------------------------

Posted

Im positive it not openning..

 

I have just open PORT 50000, public, domain and private.

 

I check it here, ping.eu - port checker

 

megahosting.co.nz port 50000

 

Thanks man!

Posted
And which program should work on that port? You would be able to reach it in this way= http://megahosting.co.nz:50000/ ?

--------------------------------------------------------

Tu peux aussi crire en franais.

Du kannst auch auf Deutsch schreiben.

Puoi scrivere anche in italiano.

--------------------------------------------------------

Posted

No program as such, im just trying to OPEN the port

 

Does it require something to be listenning on that port before it will open??

 

I have simply created a entry in windows firewall for inbound rules, public, profile and domain. And chosen option "Port"

 

Entered the port and chosen the protocol TCP.

 

Then check to see if the ports open....

 

Thanks

Posted

Well no... but how can you check if the port is opened if there's nothing behind it?

 

I can disable the firewall in my network, but if I don't have any WEBSERVER (example) if I write http://myhostname.whatever on my browser I simply have nothing!

 

The port is opened but there's not a service running behind it...

--------------------------------------------------------

Tu peux aussi crire en franais.

Du kannst auch auf Deutsch schreiben.

Puoi scrivere anche in italiano.

--------------------------------------------------------

Posted

Again im stuck with this problem of the ports not openning

 

I disabled the firewall on my DMZ to see if that works again

 

Im trying to open 995, 585 and 485 which has services listenning.

 

Again the ports dont open???

 

Any other ideas? Im correct when saying windows firewall controls whats ports are open/closed in a server 2008 DMZ correct??

 

Thanks

Posted

 

Any other ideas? Im correct when saying windows firewall controls whats ports are open/closed in a server 2008 DMZ correct??

 

 

I don't know... depends on WHICH level do you create your DMZ. Most of the router have the DMZ functionality so Windows doesn't know anything about the DMZ.

 

At this point I think the problem is with routing and redirection on your router because if you disable the firewall in your DMZ (assasin!) and nothing works... the problem is not your firewall.

--------------------------------------------------------

Tu peux aussi crire en franais.

Du kannst auch auf Deutsch schreiben.

Puoi scrivere anche in italiano.

--------------------------------------------------------

Posted
the problem with that router... it doesn't provide a serious debug / log like many "home" router :/

--------------------------------------------------------

Tu peux aussi crire en franais.

Du kannst auch auf Deutsch schreiben.

Puoi scrivere anche in italiano.

--------------------------------------------------------

Posted

yea ive just restored to default settings, and no luck

 

so i updated firmware and i am again able to add forward in NAT....

 

HOWEVER, i cannot add the forward for port 21 FTP, no matter what i name it, i get the error

 

Add virtual server named FTP failed. Check for duplicate virtual server rules.

 

WEIRD!!!

Posted
stupid router... contact the assitance... I have no idea.

--------------------------------------------------------

Tu peux aussi crire en franais.

Du kannst auch auf Deutsch schreiben.

Puoi scrivere anche in italiano.

--------------------------------------------------------

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...