Jameser's Tech Tips

Wednesday, July 26, 2006

Tip #29: Stateful Packet Filter Firewall for Windows

Today's tip is on replacing the Windows firewall with a kernel mode, packet-filtering firewall... The firewall we'll be using is called WIPFW, and is a Win32 port of FreeBSD's formidable IPFW firewall...

WIPFW will allow us to create detailed firewall rules which determine whether packets are dropped or accepted, as well as optionally logged... These rules can be applied manually while the firewall is running, or configured in the application's configuration file... We'll take a look at both approaches in a moment...

While WIPFW has almost all of FreeBSD's IPFW functionality, it cannot perform traffic shaping or packet redirection yet... It does provide stateful inspection however, and will create dynamic rules on the fly to allow packets through where the original rule specified to "keep state" or "limit"...

WIPFW may not be for everyone due to its rather complicated configuration, but when properly setup can provide a very secure host... The default wipfw.conf provides a basic stateful-inspection firewall configuration, and will log dropped packets which helps troubleshooting which ports you need to open... The generated log files are stored in C:\Windows\security\logs...

To install WIPFW, first download the stable zip from here, and extract to a location where you'd like to permanently keep the configuration and utility files... We'll use C:\Wipfw for the sake of this demonstration...

If you are installing on a remote host, it is important to modify the wipfw.conf prior to installation to allow remote access, otherwise you'll end up needing console access to correct it... It is probably best to configure and explore on a local machine, to ensure the rules are correct before you implement it remotely...

After you've unzipped the files, and modified wipfw.conf if necessary, you can install the service by opening a command prompt, changing to your installation directory, and typing install.cmd... This will install and start the service using the configuration supplied in the C:\Wipfw\wipfw.conf file...

To add temporary rules on the fly, use the ipfw add command from the command line, passing the action, protocol, source address, optional port, direction, destination port, optional port, and any options... The keywords "any" and "me" can be used to simplify making rules... For example to block access to your machine from a malicious IP address, you could add the following rule:

ipfw add deny ip from 86.7.5.309 to me

Or to allow access to your HTTP port from a particular subnet, you could use:

ipfw add allow tcp from 192.168.0.0/24 to me 80

To make any of these rules permanent, simply add the rule to your wipfw.conf file with a rule number and they will take effect at the next reboot... You can also force the loading of the new configuration by launching config.cmd from the C:\Wipfw directory...

For additional information on configuration, you can refer to the documentation, or better yet consult the FreeBSD docs on IPFW configuration...

Please leave a comment if you have any questions... Check back tomorrow for new tips...

1 Comments:

  • At 12/11/2009 3:56 PM, Blogger shlomi said…

    do you know how to build the project without error, i try to build it but i get security error about the function

     

Post a Comment

<< Home