Firewall issues on dual NIC server


Scott S.

I've just set up a new Windows Web Server 2008 machine.
I installed the OS and joined it to my domain, set up some shared folders and
copied some files on to it. I had it running really well on the LAN.
Then I installed a 2nd NIC which I connected directly to our external router
and assigned it a static internet IP.
I could see the preliminary "under construction" website and things were
looking good. I then ran a port scan on the external IP and it had lots of
stuff open.
I went into "Windows Firewall with Advanced Security" and found LOTS of
rules to allow "Core Networking" and "File and Printer Sharing". The Core
networking stuff looked fine, but the "File and Printer Sharing" definitions
existed 3 times each, one for each profile "Private", "Domain", and "Public".
So I removed the Public versions of each of those.
Then the port scan only showed port 80 open ... again I thought all was well.
But now I can no longer find that machine or access its shares from the LAN
NIC!
But it can get to the other machines on the LAN.

Network and Sharing center shows the LAN NIC as a "Domain network" with
"Local only" access and the Internet NIC as "Public network" with "Local and
Internet" access. It also shows Network discovery as "Custom" and File
sharing as "On".

I tried turning the firewall off for the Private and Domain profiles, but it
makes no difference. No matter what I try, and I've tried a lot, I get one
of 3 things:
1) Nothing works
2) Everything works but leaves lots of open ports to the Internet
3) Internet access is perfect but inbound LAN access doesn't work, outbound
ok.

Does anybody know how to get the firewall to either guard just the Internet
NIC, or how to have different rules for each NIC?
 
First of all, are you sure you didn't delete any of the default FW rules? I
would restore to defaults by using the Windows FW with Advanced Security
context menu.

As for your question - each rule has an advanced tab. In it, you can click
on the Interfaces Customize button, and bingo.

--
Sincerely,

Daniel Petri
MVP, Senior IT consultant, trainer
www.petri.co.il

"Scott S." <ScottS@community.nospam> wrote in message
news:16856728-3592-437B-9EF9-FF38BD21030F@microsoft.com...
[ full quote removed ]
 
I'd already looked at that.
In my Windows Server 2008 machine, it lists:
* Local area network
* Remote access
* Wireless
So it doesn't seem to help me when I want to apply the rules to only one of
two NICs, because they are both considered a LAN.

"Daniel Petri <MVP>" wrote:

[ full quote removed ]
 
The firewall in Windows Vista and Server 2008 applies a single policy to the
entire machine. The firewall/IPsec engine thinks at the IP layer, not at the
NIC layer.

While I haven't tried this personally, here's a thought. Configure an
inbound rule that permits all traffic from your internal subnet and another
rule that permits only HTTP from all addresses.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



"Scott S." <ScottS@community.nospam> wrote in message
news:3B68E2FD-6A49-467A-8594-657D11E874A0@microsoft.com...
[ full quote removed ]
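Steve Riley's suggestion above, written out as netsh advfirewall commands (the command-line front end to "Windows Firewall with Advanced Security" on Server 2008). This is an added example, not code from any post in the thread. It goes one step beyond Steve's two rules: because the engine works at the IP layer, each rule is also scoped on localip to the address of the NIC it is meant for, which is the IP-layer equivalent of "a rule per NIC". The addresses and rule names are placeholders I made up; substitute the server's real LAN and Internet addresses. One caveat a practitioner would want: the LAN rule trusts the packet's source address, so the external router must not forward traffic from the outside that carries an internal source address. It also explains why turning the firewall off for the Domain and Private profiles made no difference for Scott: on Vista/2008 a single profile governs the whole machine, so it is the Public profile's settings that were in force.

```powershell
# Added example (not from the thread). Run from an elevated prompt on the server.
# Placeholder addresses, replace before use:
#   LAN NIC address      192.0.2.10     (internal subnet 192.0.2.0/24)
#   Internet NIC address 198.51.100.10
$LanSubnet = "192.0.2.0/24"
$LanIp     = "192.0.2.10"
$PublicIp  = "198.51.100.10"

# 1. Machine-wide default posture: block unsolicited inbound, allow outbound.
#    Both NICs fall under this because the policy applies to the whole host.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 2. Steve's first rule: allow everything that comes from the internal subnet.
#    localip ties it to the LAN NIC's own address, so the same packet arriving
#    at the Internet address does not match. profile=any so it stays in force
#    whichever profile the machine-wide policy has selected.
netsh advfirewall firewall add rule name="LAN - allow inbound from internal subnet" `
    dir=in action=allow profile=any remoteip=$LanSubnet localip=$LanIp

# 3. Steve's second rule: HTTP only, from anywhere, but only at the Internet
#    NIC's address. Nothing else is opened toward the Internet.
netsh advfirewall firewall add rule name="Internet - allow HTTP only" `
    dir=in action=allow profile=any protocol=TCP localport=80 localip=$PublicIp

# 4. Verify what is actually in force before re-running the external port scan.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name="LAN - allow inbound from internal subnet"
netsh advfirewall firewall show rule name="Internet - allow HTTP only"
```

The built-in "File and Printer Sharing" rules that Scott deleted are not needed with this layout: SMB from the LAN is covered by the subnet rule, and nothing in the Internet rule admits it.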
 
I finally discovered a way ...
* Set up all the "Windows Firewall with Advanced Security" inbound and
outbound rules to make the machine closed to all but the ports wanted open on
the public NIC.
* Go to Control Panel, Windows Firewall, Change Settings, which gives a much
more basic interface to the firewall. Then on its Advanced tab I found an
option not available in the Advanced Security interface. I could completely
turn off the firewall on the private NIC.

It makes the firewall settings area of Windows Security turn red and say that
"Windows Firewall is not using the recommended settings", but it then does
exactly what I needed.

"Scott S." wrote:

[ full quote removed ]
 
"Steve Riley [MSFT]" <steve.riley@microsoft.com> wrote:

> The firewall in Windows Vista and Server 2008 applies a single policy to the
> entire machine. The firewall/IPsec engine thinks at the IP layer, not at the
> NIC layer.


... and is therefore not the right tool for the anticipated job!

What happened to the good old bindings of network protocols/services to NICs?
A service not bound to a specific NIC or IP address (or simply not run at all)
doesn't need a "firewall" to block unwanted traffic to/from it!

> While I haven't tried this personally, here's a thought. Configure an
> inbound rule that permits all traffic from your internal subnet and another
> rule that permits only HTTP from all addresses.


Does 2008 still bind DirectSMB to all NICs, without any possibility for its
configuration, except to disable it for all NICs through a registry setting?

Stefan

[ full quote removed ]
 