
I need to block all communication (inbound/outbound) from server A to server B (all ports/all protocols). Server A should communicate with every machine except server B. I can't place firewall rules on server B, so I have placed all rules on server A.

I have done the following on server A:

  • First I disabled all default firewall rules (inbound/outbound) on server A. (This is required.)
  • Then I created an inbound rule that allows access from anywhere.
  • Then I created an inbound rule that denies access to server B (all protocols/ports).
  • Then I created an outbound rule that denies access to server B (all protocols/ports).

I have tested that the access is restricted via ping from both servers, and it seemed to work. But then I installed Nmap on server A and scanned server B. My assumption was that Nmap would not be able to scan server B, as the firewall would block it. But Nmap is able to scan open ports of server B. How is that possible?

Windows Server 2008 is installed on both machines.

    I am not fluent on Windows networking, but I suspect your `inbound rule that allow access from anywhere` is the problem. Try removing that rule and test again. – ThoriumBR Oct 16 '18 at 13:39
  • As an explanation of @ThoriumBR's comment: firewalls always work top to bottom. If the first rule allows something, the firewall does not look for other rules but applies the first rule found. [Reference](https://help.f-secure.com/product.html?business/client-security/12.00/en/concept_FE90FBCC9B884D709522C8482EEB8E9B-12.00-en) – Nordlys Jeger Oct 16 '18 at 22:36

1 Answer

As others mentioned, it could be related to the ordering of your firewall rules.

Modern host firewalls also allow for process/program exceptions, so it's possible that during the installation of nmap the installer added a process exception for itself to the Windows firewall, allowing itself to bypass other rules.
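The two checks the thread suggests (look at the rule set for installer-added program exceptions, and confirm the server B rules the question describes actually exist as block rules) can be done from the command line. The following is an added example, not code from the asker or the answerer. It wraps `netsh advfirewall`, which is what Windows Server 2008 ships (the `New-NetFirewallRule` cmdlets only arrived with Server 2012), and it assumes a placeholder address `192.0.2.20` for server B; run it from an elevated prompt on server A.

```powershell
# Added example, not from the original post. Wraps netsh advfirewall because
# Windows Server 2008 has no NetSecurity cmdlets. The address for server B is
# an assumed placeholder; replace it with the real one. Run elevated.
$ServerB = "192.0.2.20"   # assumption: server B's address

# Parse `netsh advfirewall firewall show rule ... verbose` into one object per
# rule. Verbose output includes the Program field, which the non-verbose
# listing omits; that field is where an installer-added exception shows up.
function Get-FirewallRules {
    $rules = @()
    $current = $null
    netsh advfirewall firewall show rule name=all verbose | ForEach-Object {
        if ($_ -match '^Rule Name:\s+(.*)$') {
            if ($current) { $rules += $current }
            $current = New-Object PSObject -Property @{ Name = $Matches[1].Trim() }
        } elseif ($current -and $_ -match '^([A-Za-z ]+):\s+(.*)$') {
            # "Edge traversal:" becomes Edgetraversal, "RemoteIP:" stays RemoteIP
            $key = $Matches[1].Trim() -replace ' ', ''
            $current | Add-Member -MemberType NoteProperty -Name $key -Value $Matches[2].Trim()
        }
    }
    if ($current) { $rules += $current }
    $rules
}

# Check 1: enabled allow rules scoped to a specific executable. A rule the
# nmap installer added for itself would appear here with Program set to a
# path instead of "Any".
"== Program-scoped allow rules =="
Get-FirewallRules |
    Where-Object { $_.Enabled -eq 'Yes' -and $_.Action -eq 'Allow' -and
                   $_.Program -and $_.Program -ne 'Any' } |
    Select-Object Name, Direction, Program |
    Format-Table -AutoSize

# Check 2: every rule whose remote address covers server B. If nothing is
# listed, or Action is not Block, the deny rules from the question are not
# in effect.
"== Rules scoped to $ServerB =="
Get-FirewallRules |
    Where-Object { $_.RemoteIP -like "*$ServerB*" } |
    Select-Object Name, Enabled, Direction, Action, Protocol |
    Format-Table -AutoSize

# Explicit block rules for server B: all protocols, all ports, both directions.
netsh advfirewall firewall add rule name="Block ServerB inbound"  dir=in  action=block remoteip=$ServerB protocol=any
netsh advfirewall firewall add rule name="Block ServerB outbound" dir=out action=block remoteip=$ServerB protocol=any

# Confirm the new rules are present and enabled.
netsh advfirewall firewall show rule name="Block ServerB inbound"
netsh advfirewall firewall show rule name="Block ServerB outbound"
```

If Check 1 lists an allow rule whose Program points at the nmap (or packet-capture driver) install directory, disabling that rule and re-running the scan is the quickest way to test the answer's hypothesis; if Check 2 comes back empty, the deny rules were never created on the host you think they were.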