Microsoft KB Archive/254018

= How to Configure Input Filters for Services That Run Behind Network Address Translation =

Article ID: 254018

Article Last Modified on 2/28/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition

-


This article was previously published under Q254018

SUMMARY
This article describes how to set up Routing and Remote Access Service (RRAS) input filters to drop unwanted traffic that arrives on the Internet-facing network card of a Windows 2000-based computer that runs Network Address Translation (NAT).



MORE INFORMATION
Windows 2000 includes Network Address Translation (NAT), which lets individuals and businesses connect a local area network (LAN) to the Internet through a single Internet connection and a single public Internet Protocol (IP) address. With NAT you can use unregistered (private) IP addresses on the internal LAN. NAT by itself, however, is not a security mechanism: it does not prevent a determined attacker from reaching services that listen on the external interface of the Windows-based computer or from disrupting the flow of traffic through it.

Windows Routing and Remote Access Service (RRAS) provides packet filters that you can use to control the data a server sends and receives, but RRAS is not marketed as a firewall. Microsoft in no way implies or guarantees that use of this product alone can prevent determined individuals from gaining access to a network and using it in an inappropriate manner.

IMPORTANT: For sites that need a high level of security, a true firewall product should be purchased and configured to protect the network.

The input filters are set up through the RRAS console. In the RRAS console, click General under IP Routing. In the right pane, double-click the external network card, and then click Input Filters. The Filter window offers two options; select one:


 * Receive all packets except those that meet the criteria below
 * Drop all packets except those that meet the criteria below

The configurations in this article are written for the second option: everything that arrives on the external card is dropped unless a filter explicitly admits it, so each filter below describes traffic that is allowed in.

NOTE: In every filter below, the source network is 0.0.0.0 with a subnet mask of 0.0.0.0, which matches packets from any source address. "Source Port" and "Destination Port" refer to the port fields of the inbound packet as it arrives on the external card: a Source Port filter admits replies to connections that the NAT computer or its internal clients initiated, and a Destination Port filter admits new connections to a service that runs on the NAT computer. The filters are stateless. Each packet is judged on its own header fields, so a Source Port filter admits any packet that carries that source port, whatever its destination port.

Point-to-Point Tunneling Protocol (PPTP) Settings
Use the following configuration if clients on the internal LAN need to connect to a PPTP server that resides on the Internet:

Source 0.0.0.0, Protocol TCP, Source Port 1723

Source 0.0.0.0, Protocol Other, Protocol Number 47

The first filter admits the replies on the PPTP control connection; the second admits the Generic Routing Encapsulation (GRE, IP protocol 47) packets that carry the tunneled data.

CAUTION: Never establish a PPTP connection to a corporate network from the router that runs NAT itself. The tunnel would make the corporate network reachable from every computer on the NAT'ed LAN and can open security holes in the corporate network.

Domain Name System (DNS) Settings
Use the following configuration if the server and the internal clients need to resolve names through an external DNS server located on the Internet:

Source 0.0.0.0, Protocol TCP, Source Port 53

Source 0.0.0.0, Protocol UDP, Source Port 53

NOTE: If you run your own DNS server on the NAT computer and it must answer queries from the Internet, use the following configuration:

Source 0.0.0.0, Protocol TCP, Destination Port 53

Source 0.0.0.0, Protocol UDP, Destination Port 53

Client External Web Access
Use the following configuration if you want to enable internal clients to connect to Web sites on the Internet (the filter admits the replies that the Web servers send back):

Source 0.0.0.0, Protocol TCP, Source Port 80

Web Server Access
Use the following configuration if you run a Web server on the NAT computer and want it to be accessible to Internet users:

Source 0.0.0.0, Protocol TCP, Destination Port 80

Client External File Transfer Protocol (FTP) Access
Use the following configuration if you want to enable internal clients to connect to FTP servers on the Internet:

Source 0.0.0.0, Protocol TCP, Source Port 21

Source 0.0.0.0, Protocol TCP, Source Port 20

Source Port 21 admits the replies on the control connection; Source Port 20 admits the data connection that an active-mode FTP server opens back to the client from its port 20. Passive-mode transfers, in which the client connects to a server-chosen port above 1023, are not covered by these filters.

FTP Server Access
Use the following configuration if you run an FTP server on the NAT computer and want it to be accessible to Internet users:

Source 0.0.0.0, Protocol TCP, Destination Port 21

Source 0.0.0.0, Protocol TCP, Destination Port 20

Destination Port 21 admits incoming control connections; Destination Port 20 admits the client's replies on the active-mode data connections that the server opens from port 20.

Post Office Protocol version 3 (POP3)
Open the following port if you run an Internet mail server on the NAT computer and want to give mail clients POP3 access:

Source 0.0.0.0, Protocol TCP, Destination Port 110

Simple Mail Transfer Protocol (SMTP)
Open the following ports if you have an Internet mail server on the NAT computer that sends and receives SMTP mail:

Source 0.0.0.0, Protocol TCP, Destination Port 25

Source 0.0.0.0, Protocol TCP, Source Port 25

Destination Port 25 admits mail that other servers deliver to yours; Source Port 25 admits the replies when your server delivers outbound mail to remote servers.

IMPORTANT: The information in this article is not meant to be a standard to follow in all instances. It is a guide that lists the ports and configurations of some of the more commonly used programs.
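As an added example that is not part of the KB article and is not Windows code, the following Python models the stateless matching that the "Drop all packets except those that meet the criteria below" option performs. It encodes every filter row listed above and runs a handful of constructed inbound packets through the list. The Packet and Filter types, the sample names and the addresses (taken from the documentation ranges) are assumptions made for the model.

```python
"""Stateless model of the RRAS input-filter list in this article.

Added example, not code from the KB article or from Windows. Each inbound
packet is matched on its own header fields, with no memory of earlier
packets, which is how the RRAS input filters behave.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional

TCP, UDP, GRE = 6, 17, 47  # IP protocol numbers; GRE is the "Other, 47" row


@dataclass(frozen=True)
class Packet:
    """Header fields of one inbound packet on the external card (assumed type)."""
    src: str
    proto: int
    src_port: Optional[int] = None  # None for protocols without ports (GRE)
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Filter:
    """One row of the input-filter list (assumed type). A 0.0.0.0/0.0.0.0
    source matches any address; a port of None means the port box was left
    empty, which matches any port."""
    proto: int
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    src_net: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"

    def matches(self, pkt: Packet) -> bool:
        net = IPv4Network(f"{self.src_net}/{self.src_mask}", strict=False)
        return (
            IPv4Address(pkt.src) in net
            and pkt.proto == self.proto
            and (self.src_port is None or pkt.src_port == self.src_port)
            and (self.dst_port is None or pkt.dst_port == self.dst_port)
        )


def accept(pkt: Packet, filters: List[Filter], drop_all_except: bool = True) -> bool:
    """Return True if the packet is let in.

    drop_all_except=True  models "Drop all packets except those that meet the criteria".
    drop_all_except=False models "Receive all packets except those that meet the criteria".
    """
    hit = any(f.matches(pkt) for f in filters)
    return hit if drop_all_except else not hit


# Every row from the article, as the allow list for the "Drop all except" option.
ARTICLE_FILTERS: List[Filter] = [
    Filter(TCP, src_port=1723),                          # PPTP client: control replies
    Filter(GRE),                                         # PPTP client: protocol 47
    Filter(TCP, src_port=53), Filter(UDP, src_port=53),  # DNS replies from Internet servers
    Filter(TCP, dst_port=53), Filter(UDP, dst_port=53),  # own DNS server
    Filter(TCP, src_port=80),                            # Web replies to internal clients
    Filter(TCP, dst_port=80),                            # Web server on the NAT computer
    Filter(TCP, src_port=21), Filter(TCP, src_port=20),  # FTP client, active mode
    Filter(TCP, dst_port=21), Filter(TCP, dst_port=20),  # FTP server
    Filter(TCP, dst_port=110),                           # POP3 server
    Filter(TCP, dst_port=25), Filter(TCP, src_port=25),  # SMTP in, and replies to SMTP out
]

# Constructed sample packets; the addresses are documentation ranges, not real hosts.
SAMPLES: Dict[str, Packet] = {
    "dns reply":            Packet("198.51.100.53", UDP, src_port=53,    dst_port=1025),
    "web reply":            Packet("203.0.113.10",  TCP, src_port=80,    dst_port=1026),
    "gre from pptp server": Packet("203.0.113.99",  GRE),
    "passive ftp data":     Packet("203.0.113.21",  TCP, src_port=50123, dst_port=1027),
    "smb probe":            Packet("192.0.2.77",    TCP, src_port=3333,  dst_port=139),
    "smb probe, sport 80":  Packet("192.0.2.77",    TCP, src_port=80,    dst_port=139),
}


def evaluate_samples(filters: List[Filter] = ARTICLE_FILTERS) -> Dict[str, bool]:
    """Map each sample packet name to whether the allow list admits it."""
    return {name: accept(pkt, filters) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, ok in evaluate_samples().items():
        print(f"{name:22s} {'ACCEPT' if ok else 'DROP'}")
```

Two of the results are worth noting. The passive-mode FTP data connection is dropped because no row covers a server-chosen data port. The probe to port 139 is dropped when it carries an ordinary source port but accepted when the remote host sets its source port to 80, because the "Client External Web Access" row matches on source port alone and the filters keep no record of which connections the internal clients actually opened. That is the practical meaning of the statement that RRAS is not a firewall.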

Keywords: kbenv kbhowto KB254018

-

© Microsoft Corporation. All rights reserved.