Friday, June 12, 2009

A hand-made freeware Windows firewall

I have two Windows servers that shouldn't talk to each other. How do I make sure they don't?
Right, why not use some firewall? Well, because I can't just install any software on these servers (company regulations), and Windows' built-in firewall sucks big time (inbound only, and you have to configure ALL the exceptions by hand).
On Linux this is a trivial iptables command. Run the following on server#1:
iptables -I INPUT -s server#2 -j DROP
iptables -I OUTPUT -d server#2 -j DROP

Unfortunately there's nothing like iptables built into Windows.
Drawing inspiration from the iptables idea of routing packets to the trashcan ("-j DROP"), I realized that much the same could be done on Windows by tweaking the OS routing table so that it delivers packets for server#2 to nowhere.
Here's my hand-tailored, freeware, no-software-required Windows firewall that sends packets on a vacation to /dev/null:
route ADD 1.1.1.2 MASK 255.255.255.255 1.1.1.0

Where:
Server#1 IP is 1.1.1.1
Server#2 IP is 1.1.1.2
1.1.1.0 isn't assigned to anyone - our /dev/null for the occasion.

Additional blabber:
If you add the route only on server#1 but not on server#2, then server#2 can still send IP packets to server#1. That breaks TCP completely (server#1 can never get its replies back), but server#2 could still send UDP datagrams to server#1.
Make sure the servers are configured with static IPs, otherwise your solution will break over time. To make the route persistent across server reboots, add the -p flag.
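As an added example, not a script from the original post: a PowerShell wrapper around the same route.exe trick that refuses to run on a DHCP-assigned interface, adds the persistent /32 route, and then verifies that the route is in the table and the peer is actually unreachable. It assumes the post's placeholder addresses (this server 1.1.1.1, peer 1.1.1.2, unused 1.1.1.0 on the same /24) and must be run as Administrator.

```powershell
# Added example (not from the original post): apply the route-based block
# described above from PowerShell, persist it, and verify it took effect.
# Placeholders, adjust to your network: this server is 1.1.1.1, the peer to
# cut off is 1.1.1.2, and 1.1.1.0 is an unused address on the same /24 that
# nothing will ever answer ARP for.
$Local     = '1.1.1.1'
$Peer      = '1.1.1.2'
$BlackHole = '1.1.1.0'

# 1. Refuse to run on a DHCP-assigned interface: if this box's address moves
#    to another subnet, the on-link "gateway" 1.1.1.0 is no longer reachable
#    and the route stops doing what you expect (see the note above).
$cfg = Get-WmiObject Win32_NetworkAdapterConfiguration |
       Where-Object { $_.IPEnabled -and $_.IPAddress -contains $Local }
if ($null -eq $cfg)   { throw "Static address $Local not found on any adapter" }
if ($cfg.DHCPEnabled) { throw 'Interface is DHCP-assigned; set a static IP first' }

# 2. Make sure nobody currently answers for the black-hole address. The route
#    only sends traffic to whatever answers ARP for 1.1.1.0; if a host ever
#    claims that address, packets are forwarded to it instead of dropped, so
#    use an address you control or that is reserved on this LAN.
if (Test-Connection -ComputerName $BlackHole -Count 1 -Quiet) {
    throw "$BlackHole answers ping; choose a different unused address"
}

# 3. Add the /32 host route, persistent across reboots (-p), exactly as the
#    post does, but fail loudly if route.exe reports an error.
& route.exe -p ADD $Peer MASK 255.255.255.255 $BlackHole
if ($LASTEXITCODE -ne 0) { throw "route ADD failed with exit code $LASTEXITCODE" }

# 4. Verify: the route must show up in the table, and the peer must now be
#    unreachable from here (columns: destination, netmask, gateway).
$pattern = '^\s*' + [regex]::Escape($Peer) + '\s+255\.255\.255\.255\s+' +
           [regex]::Escape($BlackHole)
$table = & route.exe PRINT $Peer
if (-not ($table -match $pattern)) { throw 'Route not present after ADD' }
if (Test-Connection -ComputerName $Peer -Count 1 -Quiet) {
    throw "$Peer is still reachable; the block is not effective"
}
Write-Host "Traffic from this host to $Peer is now black-holed via $BlackHole"
```

Run it on both servers (swapping the addresses) so that neither side can reach the other; as the post notes, a route on one side only still lets the other side send UDP.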
[Image: wrong way! Packet! turn back now!]

My first question at Stackoverflow.com

Could stackoverflow.com, or any other programming Q&A service, be the alternative to a serious thinking process, where you just put in your question and are immediately granted the perfect answer? Hopefully it is.


To test that, I've submitted the following "how to regulate the amount of logging printouts" question. Let's wait, pray, and see if I get any smart/unpredicted answer from any of the 6 billion inhabitants of planet Earth.
[Image: question-mark]