Configuring router ACLs and firewall policy
Unlike most Web servers, I need mine open to a select set of single and range IP addresses, on port 80 only. When these addresses are entered into the firewall and into the IIS 5.0 IP address and domain name restrictions (where all IPs are DENIED ACCESS except those listed), my users are not able to get to the Web site. However, if the Web site is open to all traffic on all ports at the firewall, and restricted at the IIS server in the same manner as above, then they are able to get to the Web site. Any thoughts as to why this could be happening?
The only conclusion that I can come to is that some sort of verification is taking place between my server and the requesting IP that is occurring on something other than port 80. Does this make sense?
First, if your Web servers are accessed by a "set of single and range IP addresses" only, then consider changing the default port of 80 to a unique port (see http://www.iana.org/assignments/port-numbers) at a minimum. Second, properly configure your router ACLs and firewall policy to only allow the (above) IPs through. Your Web servers should not be running an FTP server, Telnet server, SMTP server, etc. Third, make sure that TCP/IP filtering is properly set on your Web servers. The culprit exists in an improper 1) firewall rule, 2) Web server IP filtering, or 3) static translation statement.
This was first published in May 2003