Michael Kennedy [UB] #1
Builtin Firewall Blocks Localhost Access (Even Open Ports)
Hi,
I am configuring a Windows 2003 Standard Edition Server and for reasons not
worth going into we have to use some sort of software firewall. Currently
this is a combination of the built-in Windows firewall (from the advance
properties of the network connection) and IPSec to further filter the access
to the open ports in the firewall.
But there is a weird problem. I keep getting messages like this in my
firewall log:
2004-06-29 14:54:47 DROP TCP 127.0.0.1 192.168.0.64 3666 4026 40 R 3232056443 3232056443 0 - - -
2004-06-29 14:54:50 DROP TCP 127.0.0.1 192.168.0.64 3666 4026 40 R 3232056443 3232056443 0 - - -
2004-06-29 14:54:56 DROP TCP 127.0.0.1 192.168.0.64 3666 4026 40 R 3232056443 3232056443 0 - - -
2004-06-29 14:55:02 DROP TCP 127.0.0.1 192.168.0.64 3628 4026 40 R 3216250718 3216250718 0 - - -
where 192.168.0.64 has been substituted for the actual IP of the server.
First of all, why is the firewall blocking access to localhost? Secondly,
even after I have opened those ports in the firewall, they still show up as
blocked in the firewall log for localhost (127.0.0.1).
Please help if you have any ideas or comments.
Also, I am trying to get NetBIOS file sharing to work for this server
configuration. I have opened the ports that I can determine are necessary by
looking at the blocked traffic in the firewall log. And this works OK for a
short time, then the connection to the file shares seem to hang for a long
time (1-5 minutes?) for no apparent reason. Anyone else got this to work?
Thanks in advance,
Michael
Michael Kennedy [UB] Guest
S. Pidgorny #2
Re: Builtin Firewall Blocks Localhost Access (Even Open Ports)
Inline:
"Michael Kennedy [UB]" <mkennedy@REMOVETHIS.unitedbinary.com> wrote in
message news:ORkxzTiXEHA.3120@TK2MSFTNGP12.phx.gbl...
> I am configuring a Windows 2003 Standard Edition Server and for reasons not
> worth going into we have to use some sort of software firewall. Currently
> this is a combination of the built-in Windows firewall (from the advance
> properties of the network connection) and IPSec to further filter the access
> to the open ports in the firewall.

Using both? Unnecessary overkill.

> But there is a weird problem. I keep getting messages like this in my
> firewall log:
> 2004-06-29 14:54:56 DROP TCP 127.0.0.1 192.168.0.64 3666 4026 40 R
> 3232056443 3232056443 0 - - -
> 2004-06-29 14:55:02 DROP TCP 127.0.0.1 192.168.0.64 3628 4026 40 R
> 3216250718 3216250718 0 - - -

If I get the log format right, the 127.0.0.1 is the source, not destination.

> where 192.168.0.64 has been substituted for the actual IP of the server.
> First of all, why is the firewall blocking access to localhost?

Whatever the source is, the firewall blocks traffic to the external IP, as
it should do. The source IP might be spoofed, or you have a process on your
computer trying to access port 4026 on it - see if there is something
listening on that port.

> Secondly,
> even after I have opened those ports in the firewall, they still show up as
> blocked in the firewall log for localhost (127.0.0.1).

Meaning port 4026? Anyway, you should NOT open ports unless you know what
kind of traffic is expected to come.

> Please help if you have any ideas or comments.
>
> Also, I am trying to get NetBIOS file sharing to work for this server
> configuration. I have opened the ports that I can determine are necessary by
> looking at the blocked traffic in the firewall log. And this works OK for a
> short time, then the connection to the file shares seem to hang for a long
> time (1-5 minutes?) for no apparent reason. Anyone else got this to work?

Yes, I did. The delay is because of NetBIOS name resolution, more
precisely - lack thereof. Use fully-qualified domain name (like
mycomputer.mydomain.net) to map to the resources, make sure DNS is in place.
More importantly, use CIFS direct hosting (port 445) for file sharing - more
secure and faster: you don't have to use NetBIOS nowadays.
--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-
S. Pidgorny Guest
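
Added example, not part of either post: a small Python parser for the firewall log format quoted in the question, reading the columns in the order the Windows Firewall log declares in its `#Fields:` header (source address before destination) and grouping the dropped packets by flow. The function names are made up for this example, and the sample is the four entries from the question, each joined onto one line.

```python
import ipaddress
from collections import Counter

# Field order of the Windows Firewall text log, as written in its "#Fields:" header.
DEFAULT_FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port "
                  "size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info").split()
FLAG_NAMES = {"S": "SYN", "A": "ACK", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG"}

def parse_log(text):
    """Yield one dict per log entry; honours a '#Fields:' header if the text has one."""
    fields = DEFAULT_FIELDS
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) >= len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def summarize_drops(text):
    """Count DROP entries per flow and mark loopback-sourced packets to a real address."""
    flows = Counter()
    for e in parse_log(text):
        if e["action"] != "DROP":
            continue
        src = ipaddress.ip_address(e["src-ip"])
        dst = ipaddress.ip_address(e["dst-ip"])
        flags = "+".join(FLAG_NAMES.get(c, c) for c in e["tcpflags"] if c != "-")
        odd = src.is_loopback and not dst.is_loopback
        flows[(e["src-ip"], e["dst-ip"], e["dst-port"], flags, odd)] += 1
    return flows

# The four entries from the question (server IP already substituted by the poster).
SAMPLE = """\
2004-06-29 14:54:47 DROP TCP 127.0.0.1 192.168.0.64 3666 4026 40 R 3232056443 3232056443 0 - - -
2004-06-29 14:54:50 DROP TCP 127.0.0.1 192.168.0.64 3666 4026 40 R 3232056443 3232056443 0 - - -
2004-06-29 14:54:56 DROP TCP 127.0.0.1 192.168.0.64 3666 4026 40 R 3232056443 3232056443 0 - - -
2004-06-29 14:55:02 DROP TCP 127.0.0.1 192.168.0.64 3628 4026 40 R 3216250718 3216250718 0 - - -
"""

if __name__ == "__main__":
    for (src, dst, dport, flags, odd), n in summarize_drops(SAMPLE).items():
        note = "loopback source, non-loopback destination" if odd else ""
        print(f"{n} x {src} -> {dst}:{dport} [{flags}] {note}")
```

On the entries from the question this reports one flow: four dropped RST segments from 127.0.0.1 to 192.168.0.64 port 4026, which matches the reply's reading that 127.0.0.1 is the source column.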




