Packet Filtering Windows 2000 Cheap and Easy

Dirk van Deun
dirk at dinf.vub.ac.be

Many so-called personal firewalls for Windows are free for personal use, but you have to pay to use them within an organisation. The one exception I know of is an older version of the software made by Agnitum. I've tried it, and it seems fine for deployment in secretaries' offices and the like, where you expect users to be more or less educated and cooperative, but it takes some configuration by the user.

To harden the computers in public computer rooms, however, such personal firewalls are too hands-on and clicky-clicky for my taste. I prefer something I can configure from a script file, like the Linux or BSD packet filters. That is why I use the too-little-known tool ipsecpol, which was originally intended only to configure the IPsec subsystem, to build and install an IPsec policy that blocks the vulnerable open ports of Windows 2000 clients (also known as "all of them").

You can download the tool for free, install it, and read its help by running ipsecpol -?. I will not repeat the contents of that help page here, but you could for instance run ipsecpol -file ipsecpol-script to install the following example policy, called PF, into the registry (-w REG) and activate it for all network connections (-x on the last line). Each line adds one rule (named with -r) to the policy (-p PF): -f describes the traffic as source:port=destination:port:protocol, where * is any address, 0 is this machine's own address, = matches one direction only and + creates a mirrored pair of filters for both directions; -n says what to do with matching traffic, BLOCK or PASS. The example configuration blocks incoming connections to the listed ports from all hosts except 134.184.49.3, which is our Samba server. The PASS rules for that one host win over the BLOCK rules for everyone else because Windows IPsec applies the most specific matching filter, not the first one listed. For a standalone home system you would need only the upper half of the configuration file (and add the -x to its last line).

-w REG -f *:*=0:135:TCP -n BLOCK -p PF -r rpc-block
-w REG -f *:*=0:139:TCP -n BLOCK -p PF -r netbios-ssn-block
-w REG -f *:*=0:137:UDP -n BLOCK -p PF -r netbios-ns-block
-w REG -f *:*=0:138:UDP -n BLOCK -p PF -r netbios-dgm-block
-w REG -f *:*=0:445:TCP -n BLOCK -p PF -r smb-tcp-block
-w REG -f *:*=0:445:UDP -n BLOCK -p PF -r smb-udp-block
-w REG -f *:*=0:500:UDP -n BLOCK -p PF -r key-exchange-block
-w REG -f *:*=0:4500:UDP -n BLOCK -p PF -r key-exchange-extra-block
-w REG -f 134.184.49.3+0:135:TCP -n PASS -p PF -r rpc-pass
-w REG -f 134.184.49.3+0:139:TCP -n PASS -p PF -r netbios-ssn-pass
-w REG -f 134.184.49.3+0:137:UDP -n PASS -p PF -r netbios-ns-pass
-w REG -f 134.184.49.3+0:138:UDP -n PASS -p PF -r netbios-dgm-pass
-w REG -f 134.184.49.3+0:445:TCP -n PASS -p PF -r smb-tcp-pass
-w REG -f 134.184.49.3+0:445:UDP -n PASS -p PF -r smb-udp-pass
-w REG -f 134.184.49.3+0:500:UDP -n PASS -p PF -r key-exchange-pass
-w REG -f 134.184.49.3+0:4500:UDP -n PASS -p PF -r key-exchange-extra-pass -x

You can download the example script here.

The effect is that in the TCP/IP settings of every network card you find the policy PF assigned under the IP security options. You can also run gpedit.msc and select Windows Settings, then Security Settings, then IP Security Policies to browse through the policy. (The -r arguments in the script only serve to make the policy more readable.) To undo it, ipsecpol -w REG -p PF -y deactivates the policy and ipsecpol -w REG -p PF -o deletes it.
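As an added example (not the author's script, and not part of ipsecpol itself), the following Python generates a script in exactly this line format from a list of ports and trusted hosts, and re-parses the result to catch the mistakes that are easy to make when editing such a script by hand: a port that is blocked but never re-opened for a trusted host, or an -x that is missing or not on the last line. The port list, rule names and Samba server address are the article's; the check understands only the "to my address (0)" filter form used here, and the suffixed rule names for more than one trusted host are this example's own convention.

```python
"""Generate and sanity-check an ipsecpol script of the kind shown above.

Added example, not the author's script. It emits lines in the same shape
("-w REG -f <filter> -n BLOCK|PASS -p <policy> -r <rule>"), puts -x on the
last line, and re-parses the result so a hand-edited script can be checked
for a blocked port that a trusted host has no PASS rule for.
"""
import re
from typing import Dict, List, Set, Tuple

# (port, protocol, rule-name stem): the ports the article blocks.
RPC_SMB_PORTS: List[Tuple[int, str, str]] = [
    (135, "TCP", "rpc"),
    (139, "TCP", "netbios-ssn"),
    (137, "UDP", "netbios-ns"),
    (138, "UDP", "netbios-dgm"),
    (445, "TCP", "smb-tcp"),
    (445, "UDP", "smb-udp"),
    (500, "UDP", "key-exchange"),
    (4500, "UDP", "key-exchange-extra"),
]


def block_line(port: int, proto: str, stem: str, policy: str = "PF") -> str:
    # "*:*=0:<port>:<proto>": any source address and port, "=" for one
    # direction only, to "0", which ipsecpol expands to this machine's own
    # address(es). Only packets arriving at the port are matched.
    return f"-w REG -f *:*=0:{port}:{proto} -n BLOCK -p {policy} -r {stem}-block"


def pass_line(host: str, port: int, proto: str, rule: str, policy: str = "PF") -> str:
    # "<host>+0:<port>:<proto>": "+" makes ipsecpol create a mirrored pair
    # of filters, so the trusted host's packets and our replies both pass.
    return f"-w REG -f {host}+0:{port}:{proto} -n PASS -p {policy} -r {rule}"


def generate(trusted_hosts: List[str], ports=RPC_SMB_PORTS, policy: str = "PF") -> List[str]:
    """Block every port from everywhere, then re-open it for each trusted
    host. An empty trusted_hosts gives the standalone-machine variant (BLOCK
    lines only). The activation switch -x goes on the final line."""
    lines = [block_line(p, proto, stem, policy) for p, proto, stem in ports]
    for i, host in enumerate(trusted_hosts):
        # Rule names should stay unique, so number them when there are
        # several trusted hosts (this example's convention); a single host
        # keeps the article's names.
        suffix = "-pass" if len(trusted_hosts) == 1 else f"-pass-{i + 1}"
        lines += [pass_line(host, p, proto, stem + suffix, policy) for p, proto, stem in ports]
    lines[-1] += " -x"
    return lines


# "<source>=<dest>" or "<source>+<dest>" followed by the action; one filter
# per line, as in the article (ipsecpol itself also accepts several).
FILTER_RE = re.compile(r"-f (\S+)[+=](\S+) -n (BLOCK|PASS)\b")


def check_policy(lines: List[str], trusted_hosts: List[str]) -> Dict[str, List[str]]:
    """Re-parse a script and report blocked port/protocol pairs that some
    trusted host has no PASS filter for, misplaced or missing -x, and lines
    that are not 'to my address (0)' filters of the form used above."""
    blocked: Set[Tuple[str, str]] = set()
    passed: Set[Tuple[str, str, str]] = set()
    problems: Dict[str, List[str]] = {"missing_pass": [], "activation": [], "unparsed": []}
    for n, line in enumerate(lines, 1):
        m = FILTER_RE.search(line)
        dst = m.group(2).split(":") if m else []  # "0:135:TCP" -> [my addr, port, proto]
        if len(dst) != 3 or dst[0] != "0":
            problems["unparsed"].append(f"line {n}: {line}")
            continue
        src, _, action = m.groups()
        if action == "BLOCK":
            blocked.add((dst[1], dst[2]))
        else:
            passed.add((src.split(":")[0], dst[1], dst[2]))  # host without its port
        if " -x" in line and n != len(lines):
            problems["activation"].append(f"line {n}: -x before the last line")
    if not lines or not lines[-1].rstrip().endswith(" -x"):
        problems["activation"].append("last line lacks -x: policy is written but not activated")
    for host in trusted_hosts:
        for port, proto in sorted(blocked):
            if (host, port, proto) not in passed:
                problems["missing_pass"].append(f"{host} -> {port}/{proto}")
    return problems


if __name__ == "__main__":
    # Reproduce the article's script for the Samba server, then check it.
    script = generate(["134.184.49.3"])
    print("\n".join(script))
    print(check_policy(script, ["134.184.49.3"]))
```

Running it prints the sixteen-line script, which can be fed to ipsecpol -file as described above. The check looks at the script text only; ipsecpol still has to accept the policy, and the IPsec driver's own behaviour is not modelled.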

I have tested it, and it seems to work. It isn't as good as, for instance, the OpenBSD packet filter, because the filters are stateless: there is no provision for tracking the state of an open connection, nor an FTP proxy. This makes it impossible to write a configuration that lets nothing in except replies to outgoing traffic; if that had been possible, the example configuration would have been shorter and probably safer. Another limitation to be aware of: the Windows 2000 IPsec driver exempts some traffic from its filters by default, namely IKE itself (UDP 500), Kerberos (port 88), RSVP, and broadcast and multicast traffic. The key-exchange rules above therefore have no effect, and traffic sent from source port 88 slips past every filter unless the Kerberos and RSVP exemptions are switched off with the NoDefaultExempt registry value under HKLM\SYSTEM\CurrentControlSet\Services\IPSEC (see Microsoft KB 810207).

Note that these settings do not shut out all Messenger service popup spam. They shut out the spam directed at port 135, but not the spam aimed directly at the dynamic UDP ports, such as 1026, 1027 and 1028, on which the Messenger service's RPC endpoint usually listens. You could block those ports with additional filters too, but it is better to just disable the blasted service altogether.