Saturday, January 20, 2007

Firewalling Windows Servers with IPFW

For some time I had been thinking about an iptables-like firewall for host protection on Windows servers, and I did not know whether one existed until I went looking and, to my surprise, found WIPFW. I find it very cool to have a Unix-style firewall on my Windows boxes!
WIPFW is a Windows port of the FreeBSD IPFW firewall, and it can be used on any version of Windows starting with Windows 2000.
It gives a lot of flexibility in how rules are applied to different kinds of traffic, and it is stateful: it can track connection state rather than judging every packet in isolation. It comes with many more features, which are described in its online documentation. Any iptables administrator can figure it out quickly.

Features missing from the current release (0.2.8):
  • Cannot modify packet contents
  • No traffic shaping
  • No SNAT or DNAT
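As an added illustration (not part of the original post or of the WIPFW project), here is a minimal stateful host ruleset for a Windows server, written in FreeBSD ipfw rule syntax, which WIPFW follows. The rule numbers, the management subnet 10.10.0.0/24 and the service ports are placeholders; check each keyword (in particular `me`, `log` and `-a list`) against the WIPFW documentation linked below before relying on it.

```batch
@echo off
REM wipfw-host.bat - stateful host firewall for a Windows server using WIPFW.
REM Added example in FreeBSD ipfw rule syntax; rule numbers, the management
REM subnet 10.10.0.0/24 and the service ports are illustrative placeholders.

REM Replace the whole ruleset atomically (-f answers the flush prompt).
ipfw -f flush

REM 1. Packets belonging to an already-established session are accepted
REM    first, so every later rule only has to decide about NEW sessions.
ipfw add 100 check-state

REM 2. Loopback traffic is always allowed.
ipfw add 200 allow ip from 127.0.0.0/8 to 127.0.0.0/8

REM 3. Inbound services. "setup" matches only the SYN that opens a TCP
REM    connection; "keep-state" creates the dynamic rule that check-state
REM    matches for the rest of that session. RDP only from management.
ipfw add 300 allow tcp from 10.10.0.0/24 to me 3389 setup keep-state
ipfw add 310 allow tcp from any to me 80 setup keep-state
ipfw add 320 allow tcp from any to me 443 setup keep-state

REM 4. Outbound: the server may open TCP sessions and send DNS and NTP
REM    queries; the replies come back only through the dynamic rules.
ipfw add 400 allow tcp from me to any setup keep-state
ipfw add 410 allow udp from me to any 53 keep-state
ipfw add 420 allow udp from me to any 123 keep-state

REM 5. Just enough ICMP for path-MTU discovery and diagnostics:
REM    echo reply (0), destination unreachable (3, which carries
REM    "fragmentation needed"), echo request (8), time exceeded (11).
ipfw add 500 allow icmp from any to any icmptypes 0,3,8,11

REM 6. Everything not explicitly allowed is dropped and logged.
ipfw add 65000 deny log ip from any to any

REM Verify: list the installed rules together with their packet counters.
ipfw -a list
```

Two practical points: run the script from a console session (or out-of-band access) rather than over RDP, because the `flush` momentarily drops the session that is running it; and because this release has no NAT or shaping, do not expect `divert` or `pipe` rules to work.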
Check here for documentation and product download:
WIPFW: Windows Operable Version of BSD IPFW

Check also here for more info on WIPFW:
Jameser's Tech Tips: Stateful Packet Filter for Windows

Learn more about the original IPFW:
ONLamp - BSD Firewalls: IPFW
IPFW How-To


Friday, January 05, 2007

GRE Tunnel Problem

I have two GRE tunnels from the NOC to two remote sites, and since I set these tunnels up I have had a problem with one of our management applications. It stops responding and generates "Time Out" messages when it has been left idle for about 10 minutes, and after 2 or 3 unsuccessful tries it comes back to life. All other connections (RDP, FTP, SSH) through these tunnels work smoothly at any time, but our NGN department engineers get annoyed whenever a customer calls, since they have to send their commands a couple of times before their software responds!
One GRE tunnel is set up between two Huawei Eudemon firewalls and the other between a Huawei access router and an Eudemon firewall.
My studies show that this behaviour is due to oversized packets resulting from the added tunnelling headers.
I will post more on this issue once any progress is made.
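As an added example (not part of the original post), the following batch script checks the oversized-packet theory from a Windows host by probing the largest ICMP payload that crosses the tunnel with the Don't Fragment bit set. The remote IP is a placeholder argument, and the 1200-byte lower bound and 8-byte step are assumptions chosen for a quick first pass.

```batch
@echo off
REM pmtu-probe.bat - find the largest DF-flagged ICMP payload that reaches a
REM host across a GRE tunnel, i.e. the path MTU as seen from this machine.
REM Added example, not from the original post; the remote IP is an argument.

set TARGET=%1
if "%TARGET%"=="" (
    echo usage: %~nx0 ^<remote-ip^>
    exit /b 1
)

REM A plain 1500-byte Ethernet path carries 1500 - 20 (IP) - 8 (ICMP) = 1472
REM bytes of ping payload. GRE adds 24 bytes (20 outer IP + 4 GRE header), so
REM through the tunnel the probes are expected to stop answering above
REM 1472 - 24 = 1448. Start at 1472 and walk down in steps of 8.
set SIZE=1472
set LAST_OK=0

:probe
REM -f sets DF, -l is the payload size, -n 1 sends a single probe.
REM "TTL=" appears only in a genuine reply line, never in
REM "Packet needs to be fragmented but DF set." or "Request timed out."
ping -n 1 -f -l %SIZE% %TARGET% | find "TTL=" >nul
if errorlevel 1 (
    if %SIZE% LEQ 1200 goto done
    set /a SIZE-=8
    goto probe
)
set LAST_OK=%SIZE%

:done
if %LAST_OK%==0 (
    echo No DF probe between 1200 and 1472 bytes was answered; check plain reachability first.
    exit /b 2
)
REM Path MTU = payload + 20 (IP) + 8 (ICMP); TCP MSS = MTU - 20 (IP) - 20 (TCP).
set /a PMTU=LAST_OK+28
set /a MSS=PMTU-40
echo Largest unfragmented ICMP payload: %LAST_OK% bytes
echo Path MTU through the tunnel:       %PMTU% bytes
echo Suggested TCP MSS clamp on tunnel: %MSS% bytes
```

Read the output two ways. If the largest working payload lands around 1448, the tunnel simply costs 24 bytes and clamping MSS (or lowering the MTU) on the tunnel interfaces should fix it. If probes near 1472 neither get a reply nor a "needs to be fragmented" message but smaller ones work, the ICMP "fragmentation needed" messages are being dropped somewhere and path-MTU discovery is broken, which produces exactly the intermittent hangs of applications that send larger packets while small-packet sessions such as SSH keep working.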
