Professional Documents
Culture Documents
One of the most simple and most powerful methods of controlling inbound access is to use the TCP/IP filtering feature. TCP/IP filtering is available on all Windows 2003-based computers. TCP/IP filtering helps with security because it works in kernel mode. In contrast, other methods of controlling inbound access to Windows 2003-based computers, such as by using the IPSec Policy filter and the Routing and Remote Access server, depend on user-mode processes or the Workstation and Server services. You can layer your TCP/IP inbound access control scheme by using TCP/IP filtering with IPSec filters and Routing and Remote Access packet filtering. This approach is especially useful if you want to control both inbound and outbound TCP/IP access, because TCP/IP security alone controls only inbound access. Note TCP/IP filtering can filter only inbound traffic and cannot block ICMP messages, regardless of the settings that are configured in the Permit Only IP Protocols column or whether you do not permit Internet Protocol 1. Use IPSec Policies or packet filtering if you need more control over outbound access. Note We recommend that you use the Configure E-mail and Internet Connection Wizard on SBS 2003-based computers with two network adaptors, and that you turn on the Firewall option and then open the required ports on the external network adaptor. For more information about the Configure E-mail and Internet Connection Wizard, click Start, and then click Help and Support. In the Search box, type Configure E-mail and Internet Connection Wizard, and then click Start Searching. You can find information about the Configure E-mail and Internet Connection Wizard in the Small Business Server Topics result set list.
Note When Permit All is activated, you permit all packets for TCP or UDP traffic. Permit Only lets you to permit only selected TCP or UDP traffic by adding the allowed ports. To specify the ports, you use the Add button. To block all UDP or TCP traffic, click Permit Only but do not add any port numbers in the UDP Ports column or TCP Ports column. You cannot block UDP or TCP traffic by selecting Permit Only for IP Protocols and excluding IP protocols 6 and 17.
Permit All. Select this option if you want to permit all packets for TCP or UDP traffic. o Permit Only. Select this option if you want to permit only selected TCP or UDP traffic, click Add, and then type the appropriate port or protocol number in the
Add Filter dialog box. You cannot block UDP or TCP traffic by selecting Permit Only in the IP Protocols column and by then adding IP protocols 6 and 17. Note You cannot block ICMP messages, even if you select Permit Only in the IP Protocols column and then you do not include IP protocol 1. TCP/IP Filtering can filter only inbound traffic. This feature does not affect outbound traffic or TCP response ports that are created to accept responses from outbound requests. Use IPSec Policies or Routing and Remote Access packet filtering if you require more control over outbound access. Note If you select Permit Only in UDP Ports, TCP Ports, or the IP Protocols column and the lists are left blank, the network adaptor will not be able to communicate with anything over a network, either locally or to the Internet.