> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
> [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Zacky
> Sent: Wednesday, October 12, 2005 1:04 PM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Advice on setting up a firewall for a Windows Domain
> Controller
>
> Hello everyone,
>
> I was asked to set up a firewall for a Win2K domain
> controller, which also acts as a print server, web server and
> SQL server... Last year, I was assigned a similar project but
> never got around to working on it.
> However, I did some research on the topic and I was directed
> to this KB article that lists the ports I have to open for
> the DC to work behind the firewall:
>
> http://support.microsoft.com/kb/179442/
>
> While I have set up firewalls in the past, I'm not very
> familiar with Windows networks and I would like to hear your
> opinions on how to go about setting up the firewall.
>
> Here's some info about the network. The DC and all the 25
> Windows XP desktops that connect to the DC have public IP
> addresses, but only the DC has a FQDN. The requirement is to
> keep the desktops' public IP addresses and just move the DC
> behind the firewall.
>
> Again, any tips will be greatly appreciated.
> Thanks,
> -G

I'm with rob0 on this one - this really sounds like a school assignment. However, having been the lab assistant for a network security class my last two years of college, I am more sympathetic if that is the case. =)

Let's pretend that your requirements are in stone and you will fail if you don't meet them. First I must add to the existing comments that this is the second dumbest network setup ever. (The dumbest setup ever, period, would be removing the firewall and letting the DC have direct access to the internet.) Your machines will get owned in minutes if they aren't fully patched (8 new MS patches came out two days ago). OK, rant over.
You have a two-legged firewall setup which I will not even attempt to do in pretty ASCII since I'm forced to use Outlook 2003 where I work. Ugly ASCII will have to do:

    Internet
       |
    Gateway
       |
    Switch -- FW -- DC
       |
    Future Zombie Machines

You've got a few options:

(1) Turn the firewall into a bridge
(2) Put the DC on its own subnet and use routing
(3) Put the DC on its own subnet and use NAT
(4) Something complicated

My vote is for #2, and make the firewall the DHCP server since DHCP and routing gets annoying fast. You'll need to open all the appropriate ports in FORWARD inbound to your DC, as well as outbound to the Internet from your DC. Your firewall's Internet-facing NIC should be in the same subnet as the gateway, and the DC-facing NIC should be in the DC's subnet, etc...

That's my two cents. Good luck with it.

Derick Anderson
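The FORWARD rule set for option #2 (DC on its own routed subnet), as an added worked example; this is not code from either poster. It assumes interface names, a placeholder DC address and a placeholder public subnet for the XP desktops (all constructed), and takes the static Active Directory ports from the KB 179442 table the original poster cites. The Win2K dynamic RPC port range that the same article discusses is left out here and has to be handled separately (by restricting it in the registry and then opening that range). The script prints the iptables commands rather than running them, so the result can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example: FORWARD rules for a DC behind a two-legged netfilter box.
# Interface names, addresses and the desktop subnet below are assumptions,
# not values from the original thread.
WAN_IF="${WAN_IF:-eth0}"                          # NIC in the gateway's subnet
DC_IF="${DC_IF:-eth1}"                            # NIC in the DC's subnet
DC_IP="${DC_IP:-192.0.2.10}"                      # constructed placeholder
CLIENT_NET="${CLIENT_NET:-198.51.100.0/24}"       # constructed placeholder for the
                                                  # desktops' public addresses

# Static AD ports from KB 179442: DNS, Kerberos, RPC endpoint mapper, NetBIOS,
# LDAP, SMB, kpasswd, LDAPS, global catalog, NTP. Only the desktop subnet
# should be able to reach these, never the whole Internet.
DC_TCP_PORTS="53 88 135 139 389 445 464 636 3268 3269"
DC_UDP_PORTS="53 88 123 137 138 389 464"

# Roles the DC also carries per the original mail; the web server is public,
# SQL is assumed to be for the desktops only (assumption, port 1433 is the
# SQL Server default).
PUBLIC_TCP_PORTS="80"
CLIENT_ONLY_TCP_PORTS="1433"

gen_forward_rules() {
    echo "iptables -P FORWARD DROP"
    # Replies and related traffic for anything already allowed
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # Inbound to the DC, restricted to the desktop subnet
    for p in $DC_TCP_PORTS $CLIENT_ONLY_TCP_PORTS; do
        echo "iptables -A FORWARD -i $WAN_IF -o $DC_IF -s $CLIENT_NET -d $DC_IP -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $DC_UDP_PORTS; do
        echo "iptables -A FORWARD -i $WAN_IF -o $DC_IF -s $CLIENT_NET -d $DC_IP -p udp --dport $p -j ACCEPT"
    done

    # Inbound to the DC from anywhere: only the public web server role
    for p in $PUBLIC_TCP_PORTS; do
        echo "iptables -A FORWARD -i $WAN_IF -o $DC_IF -d $DC_IP -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done

    # Outbound from the DC: DNS forwarding, HTTP/HTTPS for updates, NTP
    for p in 53 80 443; do
        echo "iptables -A FORWARD -i $DC_IF -o $WAN_IF -s $DC_IP -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in 53 123; do
        echo "iptables -A FORWARD -i $DC_IF -o $WAN_IF -s $DC_IP -p udp --dport $p -j ACCEPT"
    done

    # Log what falls through to the DROP policy so misses show up in syslog
    echo "iptables -A FORWARD -j LOG --log-prefix 'FWD-DROP: '"
}

# Number of -A FORWARD rules the generator emits (handy for a quick sanity check)
count_forward_rules() {
    gen_forward_rules | grep -c '^iptables -A FORWARD'
}

# Returns 0 only if every SMB (445) rule is limited to the desktop subnet
smb_restricted_to_clients() {
    ! gen_forward_rules | grep -- '--dport 445' | grep -v -q -- "-s $CLIENT_NET"
}
```

Run it as `sh fw-rules.sh` to review the output, then `sh fw-rules.sh | sh` on the firewall to apply it; `iptables -L FORWARD -n -v` afterwards shows hit counters per rule, and the `FWD-DROP:` log prefix makes the dropped packets easy to pick out when a client cannot log on.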