Поделиться через


RRAS static packet filters - do's and don'ts

Microsoft RRAS includes a stateless 5 tuple packet filter - also called as Inbound & Outbound packet filters (or static filters). These filters can be applied on any interface - public, private OR per PPP connection too or in other words - it can do filtering for packets destined to/originated from RRAS server as well as packets being forwarded. It allows packet to be filtered based upon source IP address/mask, destination IP address/mask, IP protocol type, Source port number (for TCP/UDP), destination port number (for TCP/UDP).

Dos:

1) Use RRAS static filters to do a minimal packet filtering on all the IP packets received from the Internet side or sent to the Internet side.

Common configuration can be - when RRAS is configured as VPN server - allow only VPN traffic and drop rest. In this case, the filters will be configured on the LAN interface connected to Internet - via RRAS erver MMC snap-in. Note: RRAS Basic firewall can be used in this case as an alternative.

2) RRAS static filters can also be applied for per PPP connection (i.e. VPN or dialup connection). In this case, the filters will be configured via remote access policy and applied on the forwarding path. All the traffic coming in/out of PPP connection from a given user/group that matches a given remote access policy will be applied against that set of filters. This is also useful for quarantine (RQS/RQC or VPN NAP) cases - to restrict the unhealthy host to a quarantined network. Note: RRAS basic firewall can't be used on RRAS server in this case - as it is a host firewall and not a network firewall.

3) If RRS server is deployed as a LAN router, the same static filters can be used to do filtering in the forwarding path. Note: RRAS basic firewall can't be used on RRAS server in this case - as it is a host firewall and not a network firewall.

4) If RRAS server is configured with static filters and the same machine is running some other application server (like a HTTP server) that can be accessed from the Internet side , ensure the relevant port numbers of these other application servers are also enabled. Otherwise those application servers may not be accessible from Internet side - because by default when RRAS is configured with default options, RRAS code adds filters to allow only VPN traffic and drops rest all.

To display and modify these filters, go to Routing and Remote Access>IP Routing>General, and then select the relevant interface, click Properties and you can add/delte or edit the packet filters for Inbound or outbound direction.

Don'ts:

1) They are stateless means every packet is matched against each filter and filter driver code doesn't maintain any state across the packets. This means if any application which opens new port numbers later on (like FTP) cannot be used via RRAS static filters. Or in other words if you are enabling RRAS packet filtering to block all packets except the packets received by these kind of applications (like FTP), then these application will not work correctly.

2) If RRAS server is running as a NAT router, don't enable static filters. Also lot of folks think NAT as a minimal firewall as it hides the private network from public network - but that is not "entirely" true. First even if NAT is enabled on RRAS box with no filters/basic firewall/Windows firewall, all services running on your RRAS box is open from Internet side. Secondly somebody can still generate brute-force attack to send in some packets on the LAN side. It is better to enable Windows firewall or Basic firewall on RRAS box + enable some form of host firewall on each machine on the LAN side.

3) Think these as pure simple stateless filters and don't think it as a stateful firewall (like Windows firewall or ISA enterprise firewall) or intrusion detection system. Use it for simple packet filtering configuration - like allow only VPN traffic or xyz traffic from Internet and drop rest all.

References:

[1] RRAS Server in Windows server 2008: Which one to use - Windows firewall or RRAS filters

[2] Which ports to unblock for VPN traffic to pass-through

Samir Jain
Lead Program Manager
RRAS, Windows Enterprise Networking

[This posting is provided "AS IS" with no warranties, and confers no rights.]

Comments