Configuring RRAS IP Routing for firewall functionality
Here is the scenario:
VPS with Windows 2003 Server x64 SP2
I would like to configure the RRAS as a firewall. I think it works except for two things:
1. I can't get packet logging working. I have turned on:
a. rras->server->properties->logging:
log all entries
log additional routing and remote access information
b. rras->server->ip routing->general->properties->logging
log the maximum amount of information
c. rras->server->remote access logging
all check boxes
d. netsh ras set tracing * enabled
I get a lot of logs in windir/tracing but nothing that resembles packets. It only logs what the server does.
2. I can't access the web from within the server. Here is my setup:
set loglevel info
add preferenceforprotocol proto=LOCAL preflevel=1
add preferenceforprotocol proto=STATIC preflevel=3
add preferenceforprotocol proto=NONDOD preflevel=5
add preferenceforprotocol proto=AUTOSTATIC preflevel=7
add preferenceforprotocol proto=NetMgmt preflevel=10
add preferenceforprotocol proto=OSPF preflevel=110
add preferenceforprotocol proto=RIP preflevel=-1
add interface name="venet0" state=enable
set filter name="venet0" filtertype=INPUT action=DROP
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=TCP srcport=0 dstport=3389
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=TCP srcport=0 dstport=21
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=TCP srcport=0 dstport=25
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=TCP srcport=0 dstport=45
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=TCP srcport=0 dstport=53
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=UDP srcport=0 dstport=53
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=TCP srcport=0 dstport=80
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=TCP srcport=0 dstport=110
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=TCP srcport=0 dstport=443
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=TCP srcport=0 dstport=995
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=TCP srcport=0 dstport=465
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=TCP srcport=0 dstport=8443
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=TCP srcport=0 dstport=8425
add filter name="venet0" filtertype=INPUT srcaddr=218.5.80.210 srcmask=255.255.255.255 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=ANY
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=TCP srcport=0 dstport=5000
add filter name="venet0" filtertype=INPUT srcaddr=69.13.54.128 srcmask=255.255.255.240 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=ANY
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=ICMP type=0 code=0
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=ICMP type=3 code=0
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=ICMP type=4 code=0
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=ICMP type=5 code=0
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=ICMP type=6 code=0
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=ICMP type=8 code=0
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=ICMP type=9 code=0
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=ICMP type=10 code=0
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=ICMP type=11 code=0
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=TCP srcport=0 dstport=12443
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=66.79.172.113 dstmask=255.255.255.255 proto=ANY
add filter name="venet0" filtertype=INPUT srcaddr=xxx.xxx.xxx.xxx srcmask=255.255.255.240 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=TCP srcport=80 dstport=0
add filter name="venet0" filtertype=INPUT srcaddr=xxx.xxx.xxx.xxx srcmask=255.255.255.240 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=TCP srcport=443 dstport=0
add filter name="venet0" filtertype=INPUT srcaddr=xxx.xxx.xxx.xxx srcmask=255.255.255.240 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=TCP srcport=53 dstport=0
add filter name="venet0" filtertype=INPUT srcaddr=xxx.xxx.xxx.xxx srcmask=255.255.255.240 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=UDP srcport=53 dstport=0
add filter name="venet0" filtertype=INPUT srcaddr=xxx.xxx.xxx.xxx srcmask=255.255.255.240 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=TCP srcport=25 dstport=0
set filter name="venet0" fragcheck=enable
add interface name="Internal" state=disable
set filter name="Internal" fragcheck=disable
add interface name="Loopback" state=enable
set filter name="Loopback" fragcheck=disable
xxx.xxx.xxx.xxx is my subnet. NAT is not configured (or desired).
As I see it, I have no outgoing filters, so everything should pass through. Also I have set inbound filters to let packets with source from my subnet through.
What am I doing wrong?
June 30th, 2012 4:04pm
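To show why the posted filter set keeps the server from reaching the web, here is an added Python model (not from the thread and not RRAS code) of the stateless input-filter match the post relies on: with `filtertype=INPUT action=DROP`, a packet is accepted only if some filter matches its literal source, destination, protocol and ports. The subnet 203.0.113.16/28 and the remote address 198.51.100.7 are placeholders standing in for the masked values in the post.

```python
import ipaddress
import re

# Constructed excerpt of the post's "add filter ... filtertype=INPUT" lines; the masked
# subnet xxx.xxx.xxx.xxx/28 is replaced by the placeholder 203.0.113.16/28.
POSTED_RULES = """
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=203.0.113.16 dstmask=255.255.255.240 proto=TCP srcport=0 dstport=80
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=203.0.113.16 dstmask=255.255.255.240 proto=UDP srcport=0 dstport=53
add filter name="venet0" filtertype=INPUT srcaddr=203.0.113.16 srcmask=255.255.255.240 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=TCP srcport=80 dstport=0
"""

# Replacement for the last line above: the reply to the server's own web request arrives
# FROM the remote web server (source port 80) TO the local subnet, so that is what an
# inbound filter has to match.
RETURN_RULE = """
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=203.0.113.16 dstmask=255.255.255.240 proto=TCP srcport=80 dstport=0
"""

def parse_rules(text):
    """Turn each netsh 'add filter' line into a dict of its key=value fields."""
    return [dict(re.findall(r'(\w+)=("[^"]*"|\S+)', ln))
            for ln in text.strip().splitlines()]

def _in_net(addr, net, mask):
    # 0.0.0.0 with mask 0.0.0.0 is "any"; otherwise compare the masked addresses.
    to_int = lambda s: int(ipaddress.IPv4Address(s))
    return (to_int(addr) & to_int(mask)) == (to_int(net) & to_int(mask))

def matches(rule, pkt):
    """Stateless match of one packet against one filter (port 0 means any port)."""
    if rule["proto"] not in ("ANY", pkt["proto"]):
        return False
    if not _in_net(pkt["src"], rule["srcaddr"], rule["srcmask"]):
        return False
    if not _in_net(pkt["dst"], rule["dstaddr"], rule["dstmask"]):
        return False
    return all(int(rule.get(k, 0)) in (0, pkt.get(k, 0)) for k in ("srcport", "dstport"))

def is_permitted(rules, pkt):
    """'set filter ... filtertype=INPUT action=DROP': drop unless some filter matches."""
    return any(matches(r, pkt) for r in rules)

def tcp(src, sport, dst, dport):
    return {"proto": "TCP", "src": src, "srcport": sport, "dst": dst, "dstport": dport}

# A client connecting to the server's web port is accepted, but the reply to the
# server's own outbound HTTP request (src port 80, dst port ephemeral) is dropped
# until the return rule is written from the remote peer's point of view.
INBOUND_REQUEST = tcp("198.51.100.7", 51000, "203.0.113.20", 80)
HTTP_REPLY = tcp("198.51.100.7", 80, "203.0.113.20", 49152)
```

The rules with the local subnet as `srcaddr` only ever match packets that really originate inside that subnet, so a reply from a remote web server never hits them; the same applies to the posted 443, 53 and 25 return rules.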
Hi,
Please check the article below to see if it can be helpful to you:
Remote Access Design Guidelines Part 4: IP Routing and DNS
http://blogs.technet.com/b/rrasblog/archive/2009/03/17/remote-access-design-guidelines-part-4-ip-routing-and-dns.aspx
In the meantime, I suggest we ask in our Networking forum to get more effective suggestions from other experts who are familiar with this topic.
Network Infrastructure Servers
http://social.technet.microsoft.com/Forums/en/winserverNIS/threads
Your understanding is appreciated.
Regards
Kevin
July 2nd, 2012 3:30am
Thanks Kevin, I posted there pointing here:
http://social.technet.microsoft.com/Forums/en/winserverNIS/thread/119a8ac5-1049-414d-979e-8a7c4ec88581
July 2nd, 2012 4:45am
I have had no help from the replies on either thread, I am afraid. My understanding at the moment is that RRAS is not fit to use for IP filtering alone, even though one might think that.
July 17th, 2012 8:43pm