Archive for June, 2009
I have two Windows servers that shouldn’t talk to each other. How do I make sure they don’t?
Right, why not use a firewall? Well, because I can’t just install any software on these servers (company regulations), and the Windows built-in firewall sucks big time: it only filters inbound traffic, and you have to configure ALL the exceptions. (That is true of the XP/Server 2003 firewall; Windows Firewall with Advanced Security on Vista/Server 2008 and later does filter outbound traffic, and a rule such as netsh advfirewall firewall add rule name="block server2" dir=out action=block remoteip=<server#2 IP> is the cleaner fix where it is available.)
On Linux this is a trivial pair of iptables commands. Run the following on server#1 (server#2 stands for server#2’s IP address):
iptables -I INPUT -s server#2 -j DROP
iptables -I OUTPUT -d server#2 -j DROP
Unfortunately there’s nothing like iptables built into Windows.
Inspired by the iptables concept of routing packets to the trashcan (“-j DROP”), I realized that much the same could be done on Windows by tweaking the OS routing table so that it delivers packets for server#2 to nowhere.
Here’s my hand-tailored, freeware, no-software-required Windows “firewall” that sends packets on a vacation to /dev/null:
route ADD 126.96.36.199 MASK 255.255.255.255 188.8.131.52
Server#1 IP is 184.108.40.206
Server#2 IP is 220.127.116.11
18.104.22.168 isn’t assigned to anyone – our /dev/null for the occasion.
If you add the route on server#1 only, server#2 can still deliver IP packets to server#1; server#1 just cannot answer. That breaks TCP in both directions (no handshake completes without a reply), but a one-way protocol such as UDP still gets through from server#2 to server#1, so add the matching route on server#2 as well.
Make sure the servers are configured with static IPs, otherwise the solution breaks as soon as an address changes. To keep the route across reboots, add the -p flag (route -p ADD …). Two caveats: route.exe only accepts a gateway on a directly connected network, so the unassigned address must be on server#1’s own subnet (the host ARPs for it, gets no reply and discards the packets), and it must stay unassigned, so reserve it in DHCP. And this is not a firewall: it only stops what server#1 itself sends, and any administrator on the box can undo it with a single route DELETE.
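The whole procedure, with the checks a practitioner would add before trusting it, as an added PowerShell example (this is not the original post’s code). All addresses are assumptions: our NIC is on 10.0.0.0/24, the peer (server#2) is 10.0.0.20 and 10.0.0.250 is the address nobody owns. It uses only route.exe, WMI and Test-Connection, so nothing has to be installed; run it from an elevated PowerShell on each server, swapping the peer address.

```powershell
# Added example, not from the original post. Black-holes a peer on Windows by
# adding a persistent host route whose next hop is an unassigned address on the
# local subnet. Assumed values: our NIC is 10.0.0.10/24, the peer (server#2)
# is 10.0.0.20 and 10.0.0.250 is owned by nobody. Run from an elevated prompt.

$PeerIp      = '10.0.0.20'     # server#2: the host we must not talk to
$BlackHoleIp = '10.0.0.250'    # unassigned address on OUR subnet (checked below)
$HostMask    = '255.255.255.255'

function Test-SameSubnet([string]$A, [string]$B, [string]$Mask) {
    # True when A and B share the network part under Mask (IPv4 only).
    $a = ([Net.IPAddress]$A).GetAddressBytes()
    $b = ([Net.IPAddress]$B).GetAddressBytes()
    $m = ([Net.IPAddress]$Mask).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        if (($a[$i] -band $m[$i]) -ne ($b[$i] -band $m[$i])) { return $false }
    }
    return $true
}

function Get-LocalIPv4 {
    # Every enabled IPv4 address/mask pair on this box (works back to PowerShell 2.0).
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            for ($i = 0; $i -lt $_.IPAddress.Count; $i++) {
                if ($_.IPAddress[$i] -match '^\d+\.\d+\.\d+\.\d+$') {
                    New-Object PSObject -Property @{ Ip = $_.IPAddress[$i]; Mask = $_.IPSubnet[$i] }
                }
            }
        }
}

# 1. route.exe only accepts a next hop on a directly connected network.
$onLink = Get-LocalIPv4 | Where-Object { Test-SameSubnet $_.Ip $BlackHoleIp $_.Mask }
if (-not $onLink) { throw "$BlackHoleIp is not on any local subnet; route ADD would be refused" }

# 2. The "gateway" must really be dead: if some host answers for it, traffic for
#    the peer is handed to that host instead of being dropped.
if (Test-Connection -ComputerName $BlackHoleIp -Count 2 -Quiet) {
    throw "$BlackHoleIp answers ping; pick an address that is not in use"
}

# 3. Add the persistent host route (-p goes before the ADD verb).
route.exe -p ADD $PeerIp MASK $HostMask $BlackHoleIp | Out-Null
if ($LASTEXITCODE -ne 0) { throw "route ADD failed with exit code $LASTEXITCODE" }

# 4. Verify: the route is listed and the peer no longer answers from here.
route.exe PRINT $PeerIp
if (Test-Connection -ComputerName $PeerIp -Count 1 -Quiet) {
    Write-Warning "$PeerIp still answers; look for a more specific route or a second NIC"
} else {
    Write-Host "Outbound traffic to $PeerIp is now black-holed via $BlackHoleIp"
}

# Repeat on the peer with the addresses swapped: a route on one side only stops
# our replies, not the peer's own UDP datagrams to us.
```

The ping check in step 2 is the one people skip: a black-hole route whose next hop happens to be a live machine is a redirect, not a drop, and that machine then sees every packet meant for the peer.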
Could stackoverflow.com, or any other programming Q&A service, be the alternative to a serious thinking process, in which you just put in your question and are immediately granted the perfect answer? Hopefully it is.
To test that I’ve submitted the following “how to regulate the amount of logging printouts” question. Let’s wait, pray, and see if I get any smart/unexpected answer from any of the 6 billion inhabitants of planet Earth.