A hand made freeware windows firewall
I have two windows servers that shouldn’t talk to each other. How do I make sure they don’t?
Right, why not use some firewall? Well, because I can’t just install any software on these servers (company regulations), and Windows’ built-in firewall sucks big time (inbound only, and you have to configure ALL the exceptions).
On Linux this is trivial with a couple of iptables commands. Run the following on server#1:
iptables -I INPUT -s server#2 -j DROP
iptables -I OUTPUT -d server#2 -j DROP
Unfortunately there’s nothing like iptables built into Windows.
Inspired by the iptables idea of routing packets to the trashcan (“-j DROP”), I realized that much the same could be done on Windows by tweaking the OS routing table so that it delivers packets for server#2 to nowhere.
Here’s my hand-tailored, freeware, no-software-required Windows firewall that sends packets on a vacation to /dev/null:
route ADD 184.108.40.206 MASK 255.255.255.255 220.127.116.11
Server#1 IP is 18.104.22.168
Server#2 IP is 22.214.171.124
126.96.36.199 isn’t assigned to anyone – our /dev/null for the occasion.
If you add the route only on server#1 and not on server#2, then server#2 can still send IP packets to server#1: this breaks TCP completely (server#1’s replies never get back), but server#2 could still deliver UDP datagrams to server#1. So add the route on both servers.
Make sure the servers are configured with static IPs, otherwise this would break over time. To make the route persistent across reboots, add the -p flag.
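As an added check (not part of the original post), here is a small Python script that parses the text of `route print` from a Windows server and verifies that the black-hole route is really in place: a /32 host route to the peer server, pointing at the unassigned gateway, and present in the Persistent Routes section (i.e. added with -p). The route table text, the addresses (10.0.0.2 as the peer, 10.0.0.254 as the black hole) and the function names are constructed for this example and are not from the post.

```python
"""Check that a black-hole host route for a peer server is active and persistent.

Feed it the output of `route print` (e.g. `route print > routes.txt` on the
server, then check_blackhole_route(open("routes.txt").read(), peer, gw)).
"""
import re

# Constructed sample of `route print` output for illustration only.
# 10.0.0.1 is this server, 10.0.0.2 the peer we want to cut off,
# 10.0.0.254 an unassigned address used as the black-hole gateway.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
Interface List
 10 ...00 0c 29 12 34 56 ...... Intel(R) PRO/1000 MT Network Connection
  1 ........................... Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1        10.0.0.1     10
         10.0.0.0    255.255.255.0         On-link         10.0.0.1    266
         10.0.0.1  255.255.255.255         On-link         10.0.0.1    266
         10.0.0.2  255.255.255.255       10.0.0.254        10.0.0.1     11
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    306
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
         10.0.0.2  255.255.255.255       10.0.0.254       1
===========================================================================
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Active Routes rows: destination, netmask, gateway (or On-link), interface, metric
ACTIVE_RE = re.compile(rf"^\s*({IPV4})\s+({IPV4})\s+(On-link|{IPV4})\s+({IPV4})\s+(\d+)\s*$")
# Persistent Routes rows: destination, netmask, gateway, metric
PERSIST_RE = re.compile(rf"^\s*({IPV4})\s+({IPV4})\s+({IPV4})\s+(\d+)\s*$")


def parse_route_print(text):
    """Return (active, persistent): lists of (destination, netmask, gateway) tuples."""
    active, persistent = [], []
    section = None
    for line in text.splitlines():
        if line.startswith("Active Routes:"):
            section = "active"
            continue
        if line.startswith("Persistent Routes:"):
            section = "persistent"
            continue
        if section == "active":
            m = ACTIVE_RE.match(line)
            if m:
                active.append((m.group(1), m.group(2), m.group(3)))
        elif section == "persistent":
            m = PERSIST_RE.match(line)
            if m:
                persistent.append((m.group(1), m.group(2), m.group(3)))
    return active, persistent


def check_blackhole_route(route_print_text, peer_ip, blackhole_gw):
    """Report whether peer_ip is black-holed via blackhole_gw on this server.

    Returns a dict:
      active     - a /32 route to peer_ip via blackhole_gw is in the live table
      persistent - the same route is listed under Persistent Routes (added with -p)
      conflicts  - other live /32 routes to peer_ip via a different gateway
    """
    active, persistent = parse_route_print(route_print_text)
    host_mask = "255.255.255.255"
    wanted = (peer_ip, host_mask, blackhole_gw)
    conflicts = [r for r in active
                 if r[0] == peer_ip and r[1] == host_mask and r[2] != blackhole_gw]
    return {
        "active": wanted in active,
        "persistent": wanted in persistent,
        "conflicts": conflicts,
    }


if __name__ == "__main__":
    print(check_blackhole_route(SAMPLE_ROUTE_PRINT, "10.0.0.2", "10.0.0.254"))
```

Run it against the output from each of the two servers; "active" without "persistent" means the route will vanish on the next reboot, and a non-empty "conflicts" list means another host route is competing with the black hole.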
This entry was posted by Gili Nachum on June 12, 2009 at 17:42, and is filed under Operating Systems. Follow any responses to this post through RSS 2.0. You can leave a response or trackback from your own site.