Article ID: 254018 - Last Review: February 28, 2007 - Revision: 3.6

How to Configure Input Filters for Services That Run Behind Network Address Translation

This article was previously published under Q254018

SUMMARY
This article provides filter settings that can be used to remove unwanted traffic arriving on a network card that is exposed to the Internet on a Windows 2000-based computer.
MORE INFORMATION
Windows contains Network Address Translation (NAT), which can be used to enable individuals and businesses to connect their Local Area Networks (LANs) to the Internet through a single Internet connection and Internet Protocol (IP) address. With NAT you can use unregistered IP addresses for the internal LAN, but NAT alone does not prevent a determined hacker from disrupting the flow of traffic from the Windows-based computer.

Windows Routing and Remote Access Service (RRAS) provides filters that can be used to configure a server to control the data that is sent and received, but this product is not marketed as a firewall. Microsoft in no way implies or guarantees that the sole use of this product can prevent determined individuals from gaining access to a network and using it in an inappropriate manner.

IMPORTANT: For sites that need a high level of security, a true firewall product should be purchased and configured to protect the network.

The input filters are set up through the RRAS console:

1. In the RRAS console, click General under IP Routing.
2. In the right window, double-click the external card, and then click Input Filters.
3. In the Filter window, there are two options; select one of them.
Port Configurations for Input Filters

Point-to-Point Tunneling Protocol (PPTP) Settings

Use the following configuration if you have clients on the internal LAN that plan to connect to a PPTP server that resides on the Internet:

Source 0.0.0.0, Protocol TCP, Source Port 1723
Source 0.0.0.0, Protocol Other, Protocol Number 47

CAUTION: Never establish a PPTP connection to a corporate network from a router that runs NAT, or you may open potential security holes in the corporate network.

Domain Name System (DNS) Settings

Use the following configuration if the server and internal clients require DNS resolution to an external DNS server located on the Internet:

Source 0.0.0.0, Protocol TCP, Source Port 53
Source 0.0.0.0, Protocol UDP, Source Port 53

NOTE: If you run your own Internet DNS server, use the following configuration:

Source 0.0.0.0, Protocol TCP, Destination Port 53
Source 0.0.0.0, Protocol UDP, Destination Port 53

Client External Web Access

Use the following configuration if you want to enable internal clients to connect to Web sites on the Internet:

Source 0.0.0.0, Protocol TCP, Source Port 80

Web Access

Use the following configuration if you are running a Web server on the NAT computer and want it to be accessible to Internet users:

Source 0.0.0.0, Protocol TCP, Destination Port 80

Client External File Transfer Protocol (FTP) Access

Use the following configuration if you want to enable internal clients to connect to FTP servers on the Internet:

Source 0.0.0.0, Protocol TCP, Source Port 21
Source 0.0.0.0, Protocol TCP, Source Port 20

FTP Server Access

Use the following configuration if you run an FTP server on the NAT computer and want it to be accessible to Internet users:

Source 0.0.0.0, Protocol TCP, Destination Port 21
Source 0.0.0.0, Protocol TCP, Destination Port 20

POP3

Open the following port if you run an Internet mail server and you want to give mail clients POP3 access:

Source 0.0.0.0, Protocol TCP, Destination Port 110

Simple Mail Transfer Protocol (SMTP)

Open the following ports if you have an Internet mail server on the NAT computer which distributes SMTP mail:

Source 0.0.0.0, Protocol TCP, Destination Port 25
Source 0.0.0.0, Protocol TCP, Source Port 25

IMPORTANT: The information in this article is not meant to be designated as a standard to follow in all instances. It is a guide that lists the ports and configurations of some of the more commonly used programs.
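As an added example (not part of the Microsoft article), the following Python models how an RRAS input filter list is matched against incoming packets, populated with the filter entries listed above. It assumes the two filter options behave as an allow-list (everything not listed is dropped) and a deny-list, and that matching is stateless, on header fields only, which is why a client rule such as "Source Port 80" admits any inbound packet carrying that source port.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of RRAS input-filter matching (not Microsoft's code),
# populated with the filter entries from this article.
# IP protocol numbers: 6 = TCP, 17 = UDP, 47 = GRE ("Other, Protocol Number 47").
TCP, UDP, GRE = 6, 17, 47

@dataclass(frozen=True)
class Filter:
    proto: int                       # IP protocol number
    src_port: Optional[int] = None   # "Source Port" entries (client-side rules)
    dst_port: Optional[int] = None   # "Destination Port" entries (server rules)
    src_addr: str = "0.0.0.0"        # 0.0.0.0 with mask 0.0.0.0 = any address

@dataclass(frozen=True)
class Packet:
    proto: int
    src_addr: str
    src_port: Optional[int] = None   # None for protocols without ports (GRE)
    dst_port: Optional[int] = None

def matches(f: Filter, p: Packet) -> bool:
    # Header fields only: the filter knows nothing about connection state,
    # so any inbound packet with a listed source port matches a client rule.
    if f.proto != p.proto:
        return False
    if f.src_addr != "0.0.0.0" and f.src_addr != p.src_addr:
        return False
    if f.src_port is not None and f.src_port != p.src_port:
        return False
    if f.dst_port is not None and f.dst_port != p.dst_port:
        return False
    return True

def decide(filters: List[Filter], p: Packet, allow_list: bool = True) -> str:
    """'accept' or 'drop' for p; allow_list=True drops everything not listed."""
    hit = any(matches(f, p) for f in filters)
    if allow_list:
        return "accept" if hit else "drop"
    return "drop" if hit else "accept"      # deny-list mode: listed traffic is dropped

# The article's entries (all with source address 0.0.0.0).
PPTP_CLIENT = [Filter(TCP, src_port=1723), Filter(GRE)]
DNS_CLIENT = [Filter(TCP, src_port=53), Filter(UDP, src_port=53)]
DNS_SERVER = [Filter(TCP, dst_port=53), Filter(UDP, dst_port=53)]
WEB_CLIENT = [Filter(TCP, src_port=80)]
WEB_SERVER = [Filter(TCP, dst_port=80)]
FTP_CLIENT = [Filter(TCP, src_port=21), Filter(TCP, src_port=20)]
FTP_SERVER = [Filter(TCP, dst_port=21), Filter(TCP, dst_port=20)]
MAIL_SERVER = [Filter(TCP, dst_port=110), Filter(TCP, dst_port=25), Filter(TCP, src_port=25)]
```

The filter decision is only the first gate: NAT mappings and the services listening on the NAT computer still decide what happens to an accepted packet.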