Windows NT 4.0 Does Not Filter Ports Destined for Remote Segments

ID: Q166371

The information in this article applies to:

Microsoft Windows NT Workstation version 4.0
Microsoft Windows NT Server version 4.0

SUMMARY

Windows NT 4.0 Transmission Control Protocol/Internet Protocol (TCP/IP) advanced security does not allow for the creation of a firewall.

MORE INFORMATION

Although Windows NT 4.0 offers TCP/IP port filtering, port filtering only filters ports destined for the local computer that is entering the card that has restricted ports. If Internet Protocol (IP) Forwarding is enabled, the TCP/IP packets are forwarded as needed, and then filtered (if enabled) at the receiving end.

For example:

Assume you have 3 computers, A, B, and C, running FTP Server and computer B is multihomed, connecting the other 2 machines.

If computer B is configured to permit only ports TCP 139, and UDP 137 & 138 (NetBIOS), then it would seem that none of the clients could FTP to each other. However, in this example, A and C can FTP to each other, but neither computer can FTP to B. Windows NT by itself is not designed to be used as a firewall, however, additional software (from Microsoft and other vendors) can be used to add this functionality.

Additional query words: howto prodnt router route forward pass thru through proxy


Keywords          : ntsecurity winnt ntprotocol 
Version           : 1.00
Platform          : winnt 
Issue type        : kbinfo

Last Reviewed: August 12, 1999