Tuesday, February 20, 2007

experiencing the vista firewall

So I got a chance to play with Vista and its firewall today at work and I have to admit, it had me a little befuddled. As a brief background, I'll say most of my firewalling experience has been with OpenBSD pf, ipchains/iptables, or ipfw. So I was happy to see that Vista brought with it a stateful packet-inspecting firewall to replace the joke that was in XP.

Unfortunately, Microsoft assumes a lot of things and abstracts a lot from the user. The best example of this is the network profiles. The network profile is straightforward: it lets you define a set of networking configuration for a specific network or scenario. By default, they provide "public" (most restrictive), "private" (less restrictive), and "domain" (applied when the machine is joined to a domain) profiles. You can create your own profiles as well. This is a nice addition, but it makes the firewall configuration more difficult if you don't agree with the rulesets Microsoft ships with its profiles. The simple control panel interface doesn't help with this at all either.

For example, let's say your computer is on a large private network (using some IANA reserved space, like 10.x.x.x) and your computer is not part of a domain. Now, let's say you want to allow remote administration via RPC, either for vulnerability scanning or for your own remote control from other points on the network. You'll find that even when you enable "Remote Administration" in the Vista control panel, you won't be able to reach those ports unless you are on the local network segment.

What makes it that much more irritating is that the dummy firewall control panel doesn't really provide you with any useful information about how it is restricting (or not restricting) access to specific services. To find out what's really happening, you have to either find the Advanced Firewall administrator tool, or use the netsh command line tool to inspect the firewall rules directly.

After doing this, I realized that by default, the "applications" listed in the dummy control panel interface are nothing more than rule "Groupings", and within each grouping are one or more rules which may be configured differently for each default network profile. So, going back to our Remote Administration via RPC example, I noticed that the "Remote Administration" grouping contained two rules: the first applied to the public and private network profiles and only allowed inbound connections from LocalSubnet. The second applied to the domain network profile and allowed inbound connections from Any. Even though both rules were enabled, only the former was being honored, since the computer was using the private network profile.

This is fine once you realize it, but it's not very obvious from the perspective of a novice or power user of Vista. There's no link in the Firewall control panel to the Advanced Firewall interface, and the command line interface is one of those things that most Windows users (even the power users) likely won't use. Hell, even for a nix junkie like me, I found netsh to be a horrible pain to use.

So for what it's worth, if you're using one of Microsoft's default profiles and/or you've enabled an application to accept inbound connections via the firewall control panel, but you can't connect to it from computers outside your local subnet, you probably need to pull up either netsh or the Advanced Firewall Configuration interface to tweak the existing rules or add new ones that do what you want.
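To show the check described above in code, here is an added example (my own, not part of the original post or anything Microsoft ships): it parses rule listings in the layout of `netsh advfirewall firewall show rule name=all` and reports which RemoteIP scope actually applies to a grouping under the profile the machine is currently using. The sample output is constructed to mirror the two Remote Administration rules discussed; the rule names and field subset are assumptions, not copied from a real Vista box.

```python
import re

# Constructed sample in the layout of `netsh advfirewall firewall show rule name=all`.
# Rule names and values are made up to mirror the post; real output has more fields.
SAMPLE = """\
Rule Name:                            Remote Administration (RPC)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Private,Public
Grouping:                             Remote Administration
RemoteIP:                             LocalSubnet
Action:                               Allow

Rule Name:                            Remote Administration (RPC)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain
Grouping:                             Remote Administration
RemoteIP:                             Any
Action:                               Allow
"""

def parse_rules(text):
    """Split netsh output into one dict per rule; each 'Rule Name:' line starts a record."""
    rules, current = [], None
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+):\s+(.*)$", line)
        if not m:                      # skips the dashed separator and blank lines
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Rule Name":
            current = {}
            rules.append(current)
        if current is not None:
            current[key] = value
    return rules

def effective_inbound_scope(rules, grouping, active_profile):
    """RemoteIP scopes that really apply: enabled inbound Allow rules in the grouping
    whose Profiles list includes the profile the machine is currently using."""
    scopes = set()
    for r in rules:
        if r.get("Grouping") != grouping or r.get("Enabled") != "Yes":
            continue
        if r.get("Direction") != "In" or r.get("Action") != "Allow":
            continue
        profiles = {p.strip() for p in r.get("Profiles", "").split(",")}
        if active_profile in profiles:
            scopes.add(r.get("RemoteIP"))
    return scopes
```

On a real machine, pipe the output of `netsh advfirewall firewall show rule name=all` into `parse_rules` and take the active profile from `netsh advfirewall show currentprofile`; a result of `{'LocalSubnet'}` for the Private profile is exactly the situation the post describes.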

Monday, February 19, 2007

This and that

David reminded me today that I hadn't updated this trash heap that is my blog, so I figured I'd take a go at it since I have the day off. So for starters, I'd like to say hello to everyone out in the Midwest, and I'd like you to know that it's supposed to be sunny and 62F here today.

Anyways, I've got my birthday off from work for the first time since I was in grade school. It seems that the last time I got Presidents' Day off was also that same day; fourth grade, I imagine. So, today I'm spending it relaxing, chatting, and maybe doing a little coding. I'm brushing up on Python threads for a new multi-threaded web spider I'm writing. I'll try to put up a quick tutorial on Python threads soon.

Also, Talitha and I have decided that we will be moving into the City (San Francisco) after our lease is up. We're interested in giving city life a go, and with my job going well, we won't likely be leaving the Bay Area after one year.

So, stay tuned as we go on our apartment/cardboard box hunt.