Without going into too much detail on why I need to do this, I'm trying to put the Windows XP Firewall into an allow all ports configuration, and only deny certain ports I have in a list.
I've scripted this via batch commandline with netsh firewall add portopening commands. From what I've read, if activated the firewall denies all traffic and only allows ports with exceptions, so via batch scripting I've opened all 65,000+ ports on both TCP and UDP, essentially having the firewall turned on but in an "allow all" configuration. I then deny the 100 or so ports from my list that I want blocked after they are all open.
This strategy appears to work, but the problem I anticipated and am now seeing is that svchost.exe is taking 50% of my CPU time, having to continuously process these firewall rules.
From what I've seen on Windows XP, there's no way to have the firewall ON and in an "allow all" configuration, because the XP firewall cannot have port ranges defined; they must be defined one by one. Looks like Windows Vista or 7 would be much easier since the firewall got an advanced-capabilities revamp.
Does anyone have a suggestion on how to achieve this "allow all, deny certain" strategy? I realize this is a strange use of the Windows firewall, but assuming I had to do this, is it possible?
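What the question describes, written out as a batch script, as an added example that is not part of the original post. It uses the Windows XP SP2 `netsh firewall` context (the `add portopening`, `delete portopening`, `set opmode` and `show portopening` commands); the deny-list file name `deny-ports.txt` (one port per line, `#` for comments) is an assumption. It must be run from an administrator command prompt, and it deliberately reproduces the 131,070-exception configuration the question complains about, so expect it to take a long time and to leave svchost.exe busy afterwards.

```batch
@echo off
setlocal EnableDelayedExpansion
rem Added example, not from the original post: "open everything, then close a list"
rem with the Windows XP SP2 "netsh firewall" context.
rem Assumes deny-ports.txt (hypothetical file name) with one port number per line.

set DENYLIST=deny-ports.txt

rem Step 1: make sure the firewall is on for all profiles and exceptions are honoured.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

rem Step 2: add an exception for every port, TCP and UDP.
rem Each port needs its own exception because XP accepts no port ranges; this is
rem what creates the huge rule set that the question reports svchost.exe chewing on.
for /L %%P in (1,1,65535) do (
    netsh firewall add portopening protocol=TCP port=%%P name="AllowTCP%%P" mode=ENABLE scope=ALL profile=ALL >nul
    netsh firewall add portopening protocol=UDP port=%%P name="AllowUDP%%P" mode=ENABLE scope=ALL profile=ALL >nul
)

rem Step 3: remove the exception for each port on the deny list.
rem The XP firewall has no explicit "deny" rule: a port with no exception is blocked.
for /F "usebackq eol=# tokens=1" %%P in ("%DENYLIST%") do (
    netsh firewall delete portopening protocol=TCP port=%%P >nul
    netsh firewall delete portopening protocol=UDP port=%%P >nul
)

rem Step 4: print the remaining exceptions so the result can be checked.
netsh firewall show portopening
```

The `>nul` redirections only hide netsh's per-command "Ok." output; drop them while debugging the deny list. Because every port is a separate netsh invocation, the second step spawns 131,070 processes, which is itself a good hint that the built-in XP firewall is the wrong tool for an allow-all/deny-some policy.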
Answer
Totally agree with afrazier's comment...
As far as I know, there's no application or service requiring 65536 inbound ports to be open!
To be clear, an open port is a port on which a service is running and in listening state in order to answer an external connection solicitation, e.g. port 80 (HTTP) for a web server such as Apache.
The incoming connection solicitation is a TCP packet with the SYN flag and no data, sent to the required port: port 80 for an HTTP connection, 119 for NNTP, 21 for FTP and so on.
If the service is ready to allow a connection on this port, the server sends a TCP packet with the flags ACK, SYN to the client, and the client confirms the connection solicitation with a TCP packet with the flag ACK... and the connection enters the established state. This is the normal handshake.
If the service on the listening port isn't able to accept a connection, it sends a TCP packet with the flags ACK, RST: this is a closed port...
Hmmm... to make a long story short:
1- You need a third-party firewall. Maybe Look'n Stop, which is a rule-based firewall.
2- Configure the application that requires this large number of open ports and set the rule ONLY for this application.
3- Put this rule before the rule blocking all other TCP incoming connection solicitations (with the flag SYN) and so on...
Hope this helps. Let us know. :)