Guest Scott S. Posted June 19, 2008

I've just set up a new Windows Web Server 2008 machine.
I installed the OS and joined it to my domain, set up some shared folders and copied some files on to it. I had it running really well on the LAN.
Then I installed a 2nd NIC which I connected directly to our external router and assigned it a static internet IP.
I could see the preliminary "under construction" website and things were looking good. I then ran a port scan on the external IP and it had lots of stuff open.
I went into "Windows Firewall with Advanced Security" and found LOTS of rules to allow "Core Networking" and "File and Printer Sharing". The Core networking stuff looked fine, but the "File and Printer Sharing" definitions existed 3 times each, one for each profile "Private", "Domain", and "Public".
So I removed the Public versions of each of those.
Then the port scan only showed port 80 open ... again I thought all was well.
But now I can no longer find that machine or access its shares from the LAN NIC!
But it can get to the other machines on the LAN.

Network and Sharing Center shows the LAN NIC as a "Domain network" with "Local only" access and the Internet NIC as a "Public network" with "Local and Internet" access. It also shows Network discovery as "Custom" and File sharing as "On".

I tried turning the firewall off for the Private and Domain profiles, but it makes no difference. No matter what I try, and I've tried a lot, I get one of 3 things:
1) Nothing works
2) Everything works but leaves lots of open ports to the Internet
3) Internet access is perfect but inbound LAN access doesn't work, outbound ok.

Does anybody know how to get the firewall to either guard just the Internet NIC, or how to have different rules for each NIC?
Guest Daniel Petri Posted June 22, 2008

First of all, are you sure you didn't delete any of the default FW rules? I would restore to defaults by using the Windows FW with Advanced Security context menu.

As for your question - each rule has an Advanced tab. In it, you can click on the Interfaces Customize button, and bingo.

--
Sincerely,

Daniel Petri
MVP, Senior IT consultant, trainer
www.petri.co.il

"Scott S." <ScottS@community.nospam> wrote in message news:16856728-3592-437B-9EF9-FF38BD21030F@microsoft.com...
Guest Scott S. Posted June 23, 2008

I'd already looked at that.
In my Windows Server 2008 machine, it lists:
Local area network
Remote access
Wireless
So it doesn't seem to help me when I want to apply the rules to only one of two NICs, because they are both considered a LAN.
Guest Steve Riley [MSFT] Posted June 23, 2008

The firewall in Windows Vista and Server 2008 applies a single policy to the entire machine. The firewall/IPsec engine thinks at the IP layer, not at the NIC layer.

While I haven't tried this personally, here's a thought. Configure an inbound rule that permits all traffic from your internal subnet and another rule that permits only HTTP from all addresses.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com

"Scott S." <ScottS@community.nospam> wrote in message news:3B68E2FD-6A49-467A-8594-657D11E874A0@microsoft.com...
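Steve Riley's suggestion, written out as netsh advfirewall commands so it can be applied and checked. This is an added example, not something from the thread or from Microsoft; the internal subnet 192.168.1.0/24, the LAN NIC address 192.168.1.10 and the rule names are constructed assumptions. Because the engine matches on IP addresses rather than on adapters, a rule's localip= can also be pinned to the address of one NIC, which gives the per-NIC effect Scott was after without switching the firewall off anywhere. The same lines run unchanged at an elevated cmd.exe prompt.

```powershell
# Added example (not from the thread). Assumptions, all constructed:
#   internal subnet 192.168.1.0/24, LAN NIC address 192.168.1.10,
#   the server only needs to expose HTTP (TCP 80) on the Internet side.
# netsh advfirewall exists on Windows Server 2008; run from an elevated prompt.

# 1. Keep the firewall on for every profile with the default posture:
#    block inbound unless a rule allows it, allow outbound.
#    (The comma list is quoted so PowerShell passes it as one argument.)
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy "blockinbound,allowoutbound"

# 2. Rule A: anything from the internal subnet is allowed in, whichever NIC
#    it arrives on. profile=any sidesteps the "is the LAN NIC Domain or
#    Private today?" problem that made Scott's profile-based edits fail.
netsh advfirewall firewall add rule name="LAN - allow inbound from internal subnet" dir=in action=allow remoteip=192.168.1.0/24 profile=any

# 3. Rule B: HTTP from anywhere, the only service the public NIC should offer.
netsh advfirewall firewall add rule name="Web - allow HTTP from anywhere" dir=in action=allow protocol=TCP localport=80 profile=any

# 4. Tighter variant of rule A for file sharing: pin SMB to the LAN NIC's own
#    address. localip= is how a rule is scoped to one NIC when, as here, both
#    adapters count as interfacetype=lan and that filter cannot tell them apart.
netsh advfirewall firewall add rule name="SMB - LAN NIC address only" dir=in action=allow protocol=TCP localport=445 localip=192.168.1.10 remoteip=192.168.1.0/24 profile=any

# 5. Verify: list every enabled inbound rule with its address scope, then
#    repeat the external port scan from outside to confirm only TCP 80 answers.
netsh advfirewall firewall show rule name=all dir=in | findstr /C:"Rule Name" /C:"Enabled" /C:"LocalIP" /C:"RemoteIP" /C:"LocalPort"
```

Rule A on its own is enough to restore LAN access; rule 4 is the stricter form for anyone who would rather not allow "all traffic" from the subnet. If the built-in File and Printer Sharing rules were deleted earlier, "Restore Default Policy" in the Advanced Security console (Daniel's advice) brings them back before these are added.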
Guest Scott S. Posted June 24, 2008

I finally discovered a way ...
Set up all the "Windows Firewall with Advanced Security" inbound and outbound rules to make the machine closed to all but the ports wanted open on the public NIC.
Go to Control Panel, Windows Firewall, Change Settings, which gives a much more basic interface to the firewall. Then on its Advanced tab I found an option not available in the Advanced Security interface. I could completely turn off the firewall on the private NIC.
It makes the firewall settings area of Windows Security turn red and say that "Windows Firewall is not using the recommended settings", but it then does exactly what I needed.
Guest Stefan Kanthak Posted June 30, 2008

"Steve Riley [MSFT]" <steve.riley@microsoft.com> wrote:

> The firewall in Windows Vista and Server 2008 applies a single policy to the
> entire machine. The firewall/IPsec engine thinks at the IP layer, not at the
> NIC layer.

.... and is therefore not the right tool for the anticipated job!
What happened to the good old bindings of network protocols/services to NICs? A service not bound to a specific NIC or IP address (or simply not run at all) doesn't need a "firewall" to block unwanted traffic to/from it!

> While I haven't tried this personally, here's a thought. Configure an
> inbound rule that permits all traffic from your internal subnet and another
> rule that permits only HTTP from all addresses.

Does 2008 still bind DirectSMB to all NICs, without any possibility for its configuration, except to disable it for all NICs through a registry setting?

Stefan

[ full quote removed ]
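Stefan's point is that what matters first is which local address each service is listening on, and that the firewall is only a backstop for listeners bound to every address. The read-only audit below, an added example that is not part of the thread, shows that for a dual-homed box such as Scott's: it parses netstat, labels each TCP listener by the NIC it is reachable on, and reads the machine-wide registry value that controls the direct-hosted SMB (TCP 445) listener. The two addresses are constructed assumptions; the NetBT Parameters key and its SmbDeviceEnabled value are the standard Windows ones. It assumes PowerShell 2.0 or later and changes nothing.

```powershell
# Added example (not from the thread). Read-only audit of TCP listeners on a
# dual-homed server. Addresses are constructed assumptions for illustration.
$lanAddress    = '192.168.1.10'   # assumed LAN NIC address
$publicAddress = '203.0.113.10'   # assumed Internet NIC address (TEST-NET-3 range)

function Get-TcpListener {
    # netstat -ano columns: Proto  Local Address  Foreign Address  State  PID
    foreach ($line in (netstat -ano -p TCP)) {
        if ($line -notmatch 'LISTENING') { continue }
        $parts = [regex]::Split($line.Trim(), '\s+')
        $local = $parts[1]
        $i     = $local.LastIndexOf(':')          # last colon splits address from port
        $obj   = New-Object PSObject
        $obj | Add-Member NoteProperty LocalAddress ($local.Substring(0, $i))
        $obj | Add-Member NoteProperty Port         ([int]$local.Substring($i + 1))
        $obj | Add-Member NoteProperty ProcessId    ([int]$parts[4])
        $obj
    }
}

function Get-Exposure($listener) {
    # Translate the bound address into "which NIC can reach this service".
    $a = $listener.LocalAddress
    if ($a -eq '0.0.0.0' -or $a -eq '[::]') {
        'ALL NICs - only the firewall keeps it off the Internet'
    } elseif ($a -eq $publicAddress) {
        'public NIC - fine only for a deliberately published service'
    } elseif ($a -eq $lanAddress) {
        'LAN NIC only - unreachable from the Internet regardless of firewall'
    } elseif ($a -eq '127.0.0.1' -or $a -eq '[::1]') {
        'loopback only'
    } else {
        'other address'
    }
}

# One line per listener, sorted by port, so the 0.0.0.0 entries stand out.
Get-TcpListener | Sort-Object Port | ForEach-Object {
    '{0,-16} {1,5}  pid={2,-6} {3}' -f $_.LocalAddress, $_.Port, $_.ProcessId, (Get-Exposure $_)
}

# Direct-hosted SMB (TCP 445) has no per-NIC binding. The only switch is the
# machine-wide SmbDeviceEnabled value Stefan alludes to (0 turns the listener off).
$netbt = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
if ($netbt.SmbDeviceEnabled -eq 0) {
    'TCP 445 listener disabled machine-wide (SmbDeviceEnabled = 0)'
} else {
    'TCP 445 listener bound to all addresses (SmbDeviceEnabled absent or 1, the default)'
}
```

Run it before and after changing firewall rules: a listener reported as "ALL NICs" is exactly what showed up in Scott's external port scan, and the firewall is the only thing standing between it and the Internet NIC. Anything bound solely to the LAN address is safe on the outside even if a rule is later misconfigured, which is the defence-in-depth Stefan is arguing for.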