How to create a firewall rule in Server 2008

    Question

  • Hello

    I have a small T300 server with the following installed:

    • windows 2008 std server x64
    • 2 nic's
    • DHCP
    • DNS
    • AD
    • 16 port switch on LAN side
    • access to internet on WAN side
    • Several XP Pro clients on LAN

    The Problem: I am trying to prevent one of the clients from gaining access to the www, but it needs to have full access to the LAN resources ie. server for file storage, printing etc.

    Within DHCP I have assigned an address to the client in question (192.168.2.100).

    Any guidance in setting up a firewall rule to accomplish goal would be appreciated.

    With thanks

    Peter
    Thursday, April 30, 2009 1:23 PM

Answers

  • Microsoft's proxy server is Internet Security & Acceleration Server (ISA) and it is not included with Windows Server. It is a pay product. More importantly, ISA is an enterprise-class firewall. There are some free proxy server products available.

    You don't necessarily need a proxy server, but you absolutely should have a firewall between the internet and your LAN. The reason I mentioned proxy server is that many people use that for their internet traffic. You mention that you have a 16 port switch that your computers and internet connection are connected to. Is the switch actually a firewall/router? If so, that would be your internet router and you can use that IP address for the outbound rules (rules on the client) mentioned above. If you don't have a firewall, your internet modem (device that is plugged into the WAN side) would be your internet router. You would use that IP address in the outbound rules. If you run ipconfig.exe from one of your client computers, the IP address of the "Default Gateway" is your router that gets you to the internet.

    Yes, it does make sense to have the rules on a server but that may be a little more involved than what you think. You are talking about configuring a full-blown internet firewall/router. Windows Server 2008 by itself isn't really ideal for that, but I suppose it can be done using Routing and Remote Access along with the Windows Firewall. There is much involved with setting that up and it isn't really for a novice admin. I'm sure Microsoft provides good documentation for configuring Routing and Remote Access. If that is the route you wish to go, I would suggest reading up.

    Thursday, April 30, 2009 7:48 PM

All replies

  • This rule will block WWW (TCP 80) access for the IP address 192.168.2.100.

    Run this from cmd.exe (you can modify the name "Deny WWW for ClientName" to your preference):

    netsh advfirewall firewall add rule name="Deny WWW for ClientName" protocol=TCP dir=in localport=80 action=block enable=yes profile=any remoteip=192.168.2.100
    Thursday, April 30, 2009 4:47 PM
  • Thank you, Brandon.

    As a matter of interest, if I run this command from netsh, will I see a resulting rule appear in the outbound rule window in the GUI?

    P
    Thursday, April 30, 2009 4:54 PM
  • Sorry, I may have misinterpreted your question. Are you asking to block web access to your Windows 2008 Server for a specific client? Or do you want to block all web access from a specific client? The rule above is an inbound blocking rule that you would place on your web server.

    And yes, rules created with netsh will show up in the firewall GUI.
    Thursday, April 30, 2009 5:29 PM
  • The misunderstanding is probably on my part, hence the logon name; what I am looking for is below:

    192.168.2.100-------Server--------x-------Internet
    192.168.2.101-------server-----------------internet
    .
    .
    .

    P
    Thursday, April 30, 2009 5:35 PM
  • So you want to block all internet from 192.168.2.100, correct? That is a little bit trickier. You have several options, depending on what suits your needs:

    Block all outbound traffic, including internet, to a specific internet router/proxy server (where 10.1.1.1 is the IP of the router/proxy):
    netsh advfirewall firewall add rule name="Block Internet" protocol=TCP dir=out localport=any action=block enable=yes profile=any remoteip=10.1.1.1

    Block only TCP 80 and 443 (common www ports) to a specific internet router/proxy server (where 10.1.1.1 is the IP of the router/proxy):
    netsh advfirewall firewall add rule name="Block Internet" protocol=TCP dir=out localport=any action=block enable=yes profile=any remoteip=10.1.1.1 remoteport=80,443

    Block only TCP 80 and 443 (common www ports) to any server (internet or intranet):
    netsh advfirewall firewall add rule name="Block all WWW" protocol=TCP dir=out localport=any action=block enable=yes profile=any remoteip=any remoteport=80,443

    Block Internet Explorer from everything:
    netsh advfirewall firewall add rule name="Block Internet Explorer" dir=out protocol=any program="C:\Program Files\Internet Explorer\iexplore.exe" action=block enable=yes profile=any remoteip=any

    NOTE: The program exception route would require a rule for every program on the computer that can be used to access the internet.
    Thursday, April 30, 2009 5:55 PM
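    The following script is an added example and is not code from this thread or from Microsoft. It implements the original goal (a client that keeps full LAN access but cannot reach the internet) on the client itself, and it differs from the rules above in one respect a practitioner should know about: an outbound block rule whose remoteip is the router's address only stops packets addressed to the router itself, because routed traffic carries the destination host's IP and not the gateway's. The example therefore sets the firewall's outbound policy to block and adds allow rules for the LAN subnet and for DHCP. It assumes a Windows Vista / Server 2008 or later client run from an elevated PowerShell (netsh advfirewall does not exist on Windows XP), that the LAN is 192.168.2.0/24 (inferred from the DHCP address in the question), and the rule names are placeholders.

```powershell
# Added example, not from the thread. Keeps LAN access, blocks the internet,
# on the client itself. Requires an elevated prompt on Vista/2008 or later.
$LanSubnet = '192.168.2.0/24'        # assumption: LAN of the question's 192.168.2.100 client
$AllowLan  = 'AllowLAN-Example'      # placeholder rule names (no spaces, so no quoting issues)
$AllowDhcp = 'AllowDHCPOut-Example'

function Assert-Ok([string]$What) {
    # netsh returns a non-zero exit code when a command is rejected.
    if ($LASTEXITCODE -ne 0) { throw "$What failed (netsh exit code $LASTEXITCODE)" }
}

# 1. Remove leftovers so the script can be re-run safely (ignore "no rules match").
foreach ($n in $AllowLan, $AllowDhcp) {
    netsh advfirewall firewall delete rule name=$n | Out-Null
}

# 2. Create the allow rules BEFORE tightening the policy, so file, print,
#    DNS and DHCP access to the server is never interrupted.
netsh advfirewall firewall add rule name=$AllowLan dir=out action=allow protocol=any remoteip=$LanSubnet profile=any enable=yes
Assert-Ok 'add LAN allow rule'
# DHCP discover/request goes to the broadcast address, which is outside the subnet rule.
netsh advfirewall firewall add rule name=$AllowDhcp dir=out action=allow protocol=UDP remoteport=67 remoteip=any profile=any enable=yes
Assert-Ok 'add DHCP allow rule'

# 3. Default-deny all outbound traffic on every profile. Anything not matched
#    by an allow rule (i.e. every internet destination) is now dropped.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
Assert-Ok 'set outbound policy'

# 4. Verify the policy and the LAN rule. Expected: "Firewall Policy  BlockInbound,BlockOutbound"
#    and an Enabled: Yes rule with RemoteIP 192.168.2.0/24.
netsh advfirewall show allprofiles | Select-String 'Firewall Policy'
netsh advfirewall firewall show rule name=$AllowLan | Select-String 'Enabled|RemoteIP'

# To revert: netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
# and delete the two rules by name.
```

    Because explicit block rules always win over allow rules in Windows Firewall, the policy-level outbound block plus targeted allow rules is the only combination that expresses "everything on the LAN, nothing else" without enumerating internet ranges. Note that the built-in Core Networking outbound allow rules remain in effect, so basic services such as DNS to any address are still permitted; that does not reopen web access.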
  • Sorry to be so slow. Do you not have to specify the IP of the client that you want to block?
    Thursday, April 30, 2009 6:09 PM
  • Those are outbound rules that you would place on the client itself. You don't need to specify the client's address in the rule, although you can if you want to. When you don't specify the address, the rule applies to any address on the client. The rules stop the client from connecting outbound to the parameters in the rule.

    I didn't really understand your diagram. Is the server in "192.168.2.100-------Server--------x-------Internet" a proxy server? If so, use the second rule down in my previous post and replace the IP and ports with the address and port(s) of your proxy server. Where are you trying to block the client at? On the client itself or on a proxy server?

    If the server is a proxy server and you want to place the rule there, rather than on the client, use this rule where 8080 is the port of your proxy server (inbound rule):
    netsh advfirewall firewall add rule name="Block Internet for client 192.168.2.100" protocol=TCP dir=in localport=8080 action=block enable=yes profile=any remoteip=192.168.2.100 remoteport=any

    Hope this helps.
    Thursday, April 30, 2009 6:27 PM
  • I believe that I follow your logic: I need to have a proxy set up. Is this part of 2008 Server, and if so, what is it called?

    I think that it makes most sense to have the rules on the server from an admin point of view.

    thanks for your patience


    Thursday, April 30, 2009 6:48 PM