Changing the default filter exceptions to work with dynamically-assigned IP addresses - February 2000

The default filter exceptions allow certain types of traffic inbound to a BorderManager server so that the VPN, reverse proxy and IP gateway services can function. These exceptions are easily identified in FILTCFG.NLM because they have "Added by BRDCFG to...." in the comment line. The problem with these exceptions is that they specifically call out the public IP address of the BorderManager server - normally a good thing. But when you have a dial-up modem as your public interface that gets a dynamically-assigned IP address from your ISP, the default filter exceptions will fail most of the time, since your public IP address will likely change with each dial connection. The same problem can occur with the new DHCP client NLM, which allows a NetWare server to be used on a cable modem.

The following example shows how to change one of the filter exceptions to apply to the entire public interface instead of the public IP address. I have tested this change on my home test server when I was using an external modem as a public interface connecting to an ISP with a dynamically-assigned IP address.

The concept is simple - remove the destination IP address restriction from the default filter exceptions, and limit both source and destination interfaces to the Public interface. This should allow inbound TCP and UDP response packets to the public interface regardless of the currently-assigned IP address, while still not allowing any packets to flow between the public and private interfaces that are not allowed by other filter exceptions.

WARNING! - an unfortunate consequence of this technique is that it will open up your public interface to ALL incoming IP packets!!!

The reason has to do with the default filter exception allowing all IP packets. If you change that filter exception to call out the source and destination interface as PUBLIC, and remove the source IP address, then all packets coming to that interface from the Internet will be assumed to be originating from and destined to that IP address. If someone knows your public IP address, then they can send any kind of packet to your server and it will not be blocked by filtering.

Such packets will NOT be able to route from the public interface to the private interface, nor will internal packets be allowed out. The default filter exceptions still block traffic between interfaces, except that allowed by filter exceptions.

The only way I can think of to provide a bit of security for a public dial-up interface is to remove that exception allowing all IP packets, and replace it with several exceptions allowing only selected types of traffic, such as HTTP, HTTPS, and DNS. Even if you make these exceptions (which should be source and destination interface=<the dial-up interface>) stateful, you will not prevent incoming traffic to the public interface on the designated ports.
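To make the matching behaviour concrete, here is a small model of how a BorderManager-style filter exception is compared against a packet. It is an added example, not code from the original article or from BorderManager itself; the interface names, addresses, port numbers and field names are all constructed for the illustration. It shows why an exception that names the public IP address stops matching after the ISP assigns a new one, why "Destination Interface = Public, Destination Address = Any Address" keeps matching without letting packets route on to the private interface, and why an interface-keyed "all IP packets" exception admits any inbound packet whereas per-service exceptions for HTTP, HTTPS and DNS do not.

```python
# Added example (not part of the original article, not BorderManager code):
# a tiny model of filter-exception matching on a server whose public address
# changes from dial to dial. Names, addresses and ports are constructed.
from dataclasses import dataclass
from typing import Optional

ANY = None  # stands for "Any Address", "All Interfaces", or any protocol/port


@dataclass(frozen=True)
class Packet:
    src_if: str              # interface the packet came in on
    dst_if: str              # interface that owns the destination address
    proto: str               # "tcp", "udp", ...
    dst_ip: str
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class FilterException:
    src_if: Optional[str] = ANY
    dst_if: Optional[str] = ANY
    proto: Optional[str] = ANY
    dst_ip: Optional[str] = ANY
    dst_port: Optional[int] = ANY

    def matches(self, p: Packet) -> bool:
        # Each field is either a wildcard or must equal the packet's value.
        return all(want is ANY or want == have for want, have in (
            (self.src_if, p.src_if), (self.dst_if, p.dst_if),
            (self.proto, p.proto), (self.dst_ip, p.dst_ip),
            (self.dst_port, p.dst_port)))


def allowed(exceptions, p: Packet) -> bool:
    """Default filters deny everything; a packet passes only if an exception matches."""
    return any(e.matches(p) for e in exceptions)


OLD_IP, NEW_IP = "192.0.2.10", "192.0.2.77"   # constructed: address before/after a redial
PRIVATE_HOST = "10.0.0.5"                      # constructed: a host behind the private interface


def http_to(ip: str, dst_if: str = "PUBLIC") -> Packet:
    return Packet("PUBLIC", dst_if, "tcp", ip, 80)


def address_keyed_exception():
    """BRDCFG-style default: destination address is the fixed public IP."""
    rules = [FilterException(proto="tcp", dst_ip=OLD_IP, dst_port=80)]
    return allowed(rules, http_to(OLD_IP)), allowed(rules, http_to(NEW_IP))


def interface_keyed_exception():
    """Destination Interface = Public, Destination Address = Any Address."""
    rules = [FilterException(src_if="PUBLIC", dst_if="PUBLIC", proto="tcp", dst_port=80)]
    return (allowed(rules, http_to(OLD_IP)),
            allowed(rules, http_to(NEW_IP)),
            allowed(rules, http_to(PRIVATE_HOST, dst_if="PRIVATE")))  # must not route inward


def all_ip_exception(pkt: Packet) -> bool:
    """The 'all IP packets' exception rewritten as Public->Public: matches anything inbound."""
    rules = [FilterException(src_if="PUBLIC", dst_if="PUBLIC")]
    return allowed(rules, pkt)


def per_service_exceptions(pkt: Packet) -> bool:
    """The narrower replacement: only HTTP, HTTPS and DNS, Public->Public."""
    rules = [FilterException("PUBLIC", "PUBLIC", "tcp", ANY, 80),
             FilterException("PUBLIC", "PUBLIC", "tcp", ANY, 443),
             FilterException("PUBLIC", "PUBLIC", "udp", ANY, 53)]
    return allowed(rules, pkt)


if __name__ == "__main__":
    print("address-keyed (old IP, new IP):", address_keyed_exception())
    print("interface-keyed (old IP, new IP, routed to private):", interface_keyed_exception())
    odd = Packet("PUBLIC", "PUBLIC", "udp", NEW_IP, 9999)   # constructed unsolicited packet
    print("all-IP exception admits udp/9999:", all_ip_exception(odd))
    print("per-service exceptions admit udp/9999:", per_service_exceptions(odd))
```

The point the model makes is that an interface-keyed exception is only as narrow as its protocol and port fields: with both left as "any" it admits everything arriving on the public interface, which is exactly the warning above.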

So - the technique I show here will work, but it does have its problems.

You have been warned - use at your own risk!

In this example, I show a FILTCFG screen shot for the changes made to the default exception for inbound www-http, which is an exception for allowing HTTP to a reverse proxy web server. Note that with a dynamically-assigned IP address, the only filter exceptions that are likely to be of much use to you are the ones for dynamic/tcp and dynamic/udp. It is hard to set up reverse proxy acceleration or VPN on an address which constantly changes!

Screen shot: customized default filter exception example

Default filter exception for www-http modified to apply to an interface instead of an IP address. Change Destination Interface from All Interfaces to the Public interface, and change the Destination IP Address from an IP address to Any Address.

Repeat for all default filter exceptions.
