02-10-2010, 12:54 PM | #1
Broken Arrow
Location: US
Travel much? Want more than Windows firewall?
Actually, it's still Windows, but it's the advanced portion of Windows firewalling. This portion of Windows firewalling is secure enough that it forces Chinese hackers to find other ways to attack servers. I know because I see it firsthand on a daily basis at work.

With 2 simple rules, you can force your laptop network card to behave just like a consumer router/hardware firewall. This is under Vista, but it should be the same or very similar in XP and Win7.

Go to Control Panel > Administrative Tools. Look for Local Security Policy or Security Configuration Management. Once in this applet, go to IP Security Policies. There should be no assigned items. Right click, choose Create IP Security Policy. Name this whatever you want. This will be your global ruleset. I named mine "General Security", so I will reference that name later. Once created, go to this item and Add under the Rules tab.

First, the Global Block rule. This rule drops all incoming packets you do not first request.

1. In the Wizard, click Next.
2. Choose "This rule does not specify a tunnel".
3. Choose "All network connections".
4. Now you are at the IP filter list. Click Add. Name this item GLOBAL BLOCK. Click Add.
5. In the IP filter wizard, click Next. In the description field, type DENY INCOMING. Click Next.
6. The Source address is "Any IP address". The Destination address is "My IP address".
7. Select Any for protocol type. Click Next, Finish. Click OK; now you are back at the IP filter list. Click Next.
8. Now you are at Filter Action. Click Add, Next, and name your filter action DENY. Click Next, choose Block, Next, Finish.
9. Now back at the filter action list, choose DENY, Next, Finish.

Next, the Global Allow rule. This allows you to send out on any port, and only allows incoming packets from those outgoing requests. This is a mirror of consumer routers with firewalling.

1. Under the Rules tab again, click Add. In the Wizard, click Next.
2. Choose "This rule does not specify a tunnel".
3. Choose "All network connections".
4. Now you are at the IP filter list. Click Add. Name this item GLOBAL PERMIT. Click Add.
5. In the IP filter wizard, click Next. In the description field, type ALLOW OUTGOING. Click Next.
6. The Source address is "My IP address". The Destination address is "Any IP address".
7. Select Any for protocol type. Click Next, Finish. Click OK; now you are back at the IP filter list. Click Next.
8. Now you are at Filter Action. Click Add, Next, and name your filter action ALLOW. Click Next, choose Permit, Next, Finish.
9. Now back at the filter action list, choose ALLOW, Next, Finish.

Once this is done, you now have rules in place for allowing all outgoing (and the accompanying replies) and denying any incoming that was not solicited.

Now you have to enable it. Click Apply/OK and go back to the Local Security applet. Right click on the rule and choose "Assign". Now go to Properties for "General Security", check the checkbox for DENY INCOMING, and click Apply. Try to browse the web. You should be blocked. Now check ALLOW OUTGOING as well (both checked) and click Apply. Now you should be able to browse.

Go to GRC.com and click Shields Up. Scroll down to the Shields Up link and have it scan all service ports. You should be green across all ports and pass the test. You are now virtually invisible to all of the world, regardless of how you connect.

As an example, I have temporarily tapped a business wireless connection somewhere close to me and I have a public IP, unfirewalled and directly on the web. I scanned my connection and I am completely invisible to the world. Happy surfing!
__________________
We contend that for a nation to try to tax itself into prosperity is like a man standing in a bucket and trying to lift himself up by the handle. -Winston Churchill
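The same policy, built from the command line with the netsh ipsec static context instead of the wizard. This is an added example, not from the original post; it assumes the policy, filter list, rule and filter action names used above, and mirrored filters (the wizard's default), and must be run from an elevated command prompt on XP, Vista or Win7.

```batch
@echo off
rem Build the "General Security" IPsec policy described in the post.
rem Run as Administrator. Names match the GUI walkthrough above.

rem 1. The policy that will hold both rules.
netsh ipsec static add policy name="General Security" description="Laptop block-unsolicited-inbound policy"

rem 2. Global Block: any source -> my address, all protocols, action Block.
netsh ipsec static add filterlist name="GLOBAL BLOCK"
netsh ipsec static add filter filterlist="GLOBAL BLOCK" srcaddr=any dstaddr=me protocol=any mirrored=yes description="DENY INCOMING"
netsh ipsec static add filteraction name=DENY action=block
netsh ipsec static add rule name="Global Block" policy="General Security" filterlist="GLOBAL BLOCK" filteraction=DENY conntype=all

rem 3. Global Allow: my address -> any destination, all protocols, action Permit.
netsh ipsec static add filterlist name="GLOBAL PERMIT"
netsh ipsec static add filter filterlist="GLOBAL PERMIT" srcaddr=me dstaddr=any protocol=any mirrored=yes description="ALLOW OUTGOING"
netsh ipsec static add filteraction name=ALLOW action=permit
netsh ipsec static add rule name="Global Allow" policy="General Security" filterlist="GLOBAL PERMIT" filteraction=ALLOW conntype=all

rem 4. Assign the policy (equivalent to right-click > Assign in the applet).
netsh ipsec static set policy name="General Security" assign=y

rem 5. Show what is now active so the rules can be checked against the GUI.
netsh ipsec static show policy name="General Security" level=verbose format=list
```

If you lock yourself out while testing, `netsh ipsec static set policy name="General Security" assign=n` unassigns the policy again without deleting it.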
Tags: firewall, travel, windows