MORE INFORMATION
Windows contains Network Address Translation (NAT) which can be used to enable individuals and businesses to connect their Local Area Networks (LANs) to the Internet through a single Internet connection and Internet Protocol (IP) address. With NAT you can use unregistered IP addresses for the internal LAN, but if you use NAT alone, it does not prevent a determined hacker from disrupting the flow of traffic from the Windows-based computer.
Windows Routing and Remote Access Service (RRAS) provides filters which can be used to configure a server to control data that is sent and received, but this product is not marketed as a firewall. Microsoft in no way implies or guarantees that the sole use of this product can prevent determined individuals from gaining access to a network and using it in an inappropriate manner.
IMPORTANT: For sites that need a high level of security, a true firewall product should be purchased and configured to protect the network.
The input filters are set up through the RRAS console. In the RRAS console, click General under IP Routing. In the right window, double-click the external card and click Input Filters. In the Filter window, there are two options. You should select one:
- Receive all packets except those that meet the criteria below
- Drop all packets except those that meet the criteria below
NOTE: The subnet mask for all of these filters is set to 0.0.0.0.
Port Configurations for Input Filters
Point-to-Point Tunneling Protocol (PPTP) Settings
Use the following configuration if you have clients on the internal LAN that plan to connect to a PPTP server that resides on the Internet:
Source 0.0.0.0, Protocol TCP, Source Port 1723
Source 0.0.0.0, Protocol Other, Protocol Number 47
CAUTION: Never establish a PPTP connection to a corporate network from a router that runs NAT or you may open potential security holes in the corporate network.
Domain Name System (DNS) Settings
Use the following configuration if the server and internal clients require DNS resolution to an external DNS server located on the Internet:
Source 0.0.0.0, Protocol TCP, Source Port 53
Source 0.0.0.0, Protocol UDP, Source Port 53
NOTE: If you run your own Internet DNS server, use the following configuration:
Source 0.0.0.0, Protocol TCP, Destination Port 53
Source 0.0.0.0, Protocol UDP, Destination Port 53
Client External Web Access
Use the following configuration if you want to enable internal clients to connect to Web sites on the Internet:
Source 0.0.0.0, Protocol TCP, Source Port 80
Web Access
Use the following configuration if you are running a Web server on the NAT computer and want it to be accessible to Internet users:
Source 0.0.0.0, Protocol TCP, Destination Port 80
Client External File Transfer Protocol (FTP) Access
Use the following configuration if you want to enable internal clients to connect to FTP servers on the Internet:
Source 0.0.0.0, Protocol TCP, Source Port 21
Source 0.0.0.0, Protocol TCP, Source Port 20
FTP Server Access
Use the following configuration if you run an FTP server on the NAT computer and want it to be accessible to Internet users:
Source 0.0.0.0, Protocol TCP, Destination Port 21
Source 0.0.0.0, Protocol TCP, Destination Port 20
Post Office Protocol version 3 (POP3)
Open the following port if you run an Internet Mail server and you want to give mail clients POP3 access:
Source 0.0.0.0, Protocol TCP, Destination Port 110
Simple Mail Transfer Protocol (SMTP)
Open the following port if you have an Internet Mail server on the NAT computer which distributes SMTP mail:
Source 0.0.0.0, Protocol TCP, Destination Port 25
Source 0.0.0.0, Protocol TCP, Source Port 25
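The following added example (not part of this article, and not Microsoft code) models the RRAS input-filter semantics described above: each filter matches on protocol and on source or destination port, the 0.0.0.0 network and mask match any address, and the two dialog options decide whether a match means accept or drop. It loads the PPTP, external DNS, client web and web server filters from this article and evaluates constructed packets, which also shows that these filters are stateless: a reply and a new connection with the same ports are indistinguishable to them, which is why the article says they are not a firewall.

```python
from dataclasses import dataclass
from typing import List, Optional

# IP protocol numbers as entered in the RRAS filter dialog
TCP, UDP, GRE = 6, 17, 47


@dataclass(frozen=True)
class Filter:
    """One RRAS input filter. Source/destination network 0.0.0.0 with mask
    0.0.0.0 matches every address, so addresses are omitted (simplification)."""
    proto: int
    src_port: Optional[int] = None   # None means any port
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    """Constructed inbound packet; ports are 0 for protocols without ports (GRE)."""
    proto: int
    src_port: int = 0
    dst_port: int = 0


def matches(f: Filter, p: Packet) -> bool:
    return (f.proto == p.proto
            and (f.src_port is None or f.src_port == p.src_port)
            and (f.dst_port is None or f.dst_port == p.dst_port))


def accepted(filters: List[Filter], p: Packet, drop_all_except: bool) -> bool:
    """drop_all_except=True  -> 'Drop all packets except those that meet the criteria'
       drop_all_except=False -> 'Receive all packets except those that meet the criteria'"""
    hit = any(matches(f, p) for f in filters)
    return hit if drop_all_except else not hit


# Filters taken from the article: PPTP client, external DNS, client web access, web server
ARTICLE_FILTERS = [
    Filter(TCP, src_port=1723),                            # PPTP control channel replies
    Filter(GRE),                                           # Protocol Number 47 (PPTP data)
    Filter(TCP, src_port=53), Filter(UDP, src_port=53),    # replies from an external DNS server
    Filter(TCP, src_port=80),                              # replies from Internet web sites
    Filter(TCP, dst_port=80),                              # requests to the local web server
]

if __name__ == "__main__":
    for pkt in (Packet(TCP, 80, 40512), Packet(GRE), Packet(TCP, 40000, 23), Packet(TCP, 80, 23)):
        print(pkt, "accepted" if accepted(ARTICLE_FILTERS, pkt, True) else "dropped")
```

The last packet in the demonstration is accepted purely because its source port is 80, regardless of its destination port; the filter has no notion of an established connection.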
IMPORTANT: The information in this article is not meant to be designated as a standard to follow in all instances. It is a guide which lists the ports and configurations of some of the more commonly used programs.