TCP/IP filtering in Windows (1)

Source: Internet
Author: User

On a full network, packet filtering rules are usually set on routers or firewalls to protect the intranet. For a server exposed directly to the Internet or for a home PC, packet filtering is instead configured at the operating-system level to protect the host itself. The Windows "TCP/IP filtering" function is widely used because it is simple to configure and manage.
In a Web project implemented for a company that had no network security equipment, we enabled "TCP/IP filtering" on the Web server to protect it. To prevent users from bringing viruses onto the server when uploading web pages, we also installed the KILL anti-virus product (the KILL security solution) on the Web server. Figure 1 shows the configuration interface for TCP/IP filtering.


Figure 1 TCP/IP Filtering

"TCP/IP filtering" affects inbound traffic only; outbound traffic is unrestricted. Under TCP ports we opened two ports: port 80, so that external users can reach the websites on the Web server, and port 21, so that external users can upload web pages to it. The UDP port column is set to "Permit Only" with no port added, which means UDP is effectively disabled.
KILL downloads its virus signatures over FTP from ftp://ftp.kill.com.cn. In actual use, KILL reported an error and could not download the signatures to update its virus database.
The cause is that the KILL signatures are downloaded over FTP using a domain name, and domain name resolution uses UDP, which the configuration above disables. A DNS server answers queries on UDP port 53, so the obvious fix is to add 53 to the "UDP port" column. However, when the server queries an external DNS server, it sends the query to UDP port 53 on that server and receives the reply on a local UDP port above 1025. Unlike TCP, UDP has no ACK flag, so Windows cannot tell whether an inbound UDP packet is a new request or the reply to one of its own queries. If a permitted port range could be specified, it would be enough to allow the ports above 1025; unfortunately, "TCP/IP filtering" only accepts individual ports, not a range. To make DNS resolution work on Windows you therefore have to set the "UDP port" column to "Permit All", or avoid DNS resolution altogether and download the signatures directly by IP address.
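The following Python model is an added illustration, not code from the original article or from Windows: it reproduces the inbound-only, stateless, per-port decision described above, so that a DNS reply arriving on an ephemeral port is dropped unless UDP is set to allow all; the StatefulUdpFilter class is an assumed contrast showing what a connection-tracking filter would do, not a Windows feature.

```python
# Added example: model of the inbound-only, stateless "TCP/IP filtering" rule
# set the article describes; packets are constructed tuples, not Windows code.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src_port: int
    dst_port: int
    ack: bool = False   # TCP only: set on every segment after the initial SYN

@dataclass
class TcpIpFilter:
    """Per-protocol permit list, an 'allow all' switch, no memory of packets."""
    tcp_ports: set = field(default_factory=set)
    udp_ports: set = field(default_factory=set)
    allow_all_tcp: bool = False
    allow_all_udp: bool = False

    def inbound_allowed(self, p: Packet) -> bool:
        if p.proto == "tcp":
            # ACK set means an already-open connection; only new requests hit the list.
            return p.ack or self.allow_all_tcp or p.dst_port in self.tcp_ports
        # UDP carries no flags: a DNS reply looks like any unsolicited datagram.
        return self.allow_all_udp or p.dst_port in self.udp_ports

class StatefulUdpFilter(TcpIpFilter):
    """Contrast (assumed design, not a Windows feature): remembers outbound
    UDP flows so the matching reply is accepted on the ephemeral port."""
    def __init__(self, **kw):
        super().__init__(**kw)
        self.pending = set()

    def outbound(self, p: Packet) -> None:
        if p.proto == "udp":
            self.pending.add((p.dst_port, p.src_port))

    def inbound_allowed(self, p: Packet) -> bool:
        if p.proto == "udp" and (p.src_port, p.dst_port) in self.pending:
            return True
        return super().inbound_allowed(p)

# Constructed traffic: the server's DNS query and the resolver's reply.
DNS_QUERY = Packet("udp", src_port=1033, dst_port=53)
DNS_REPLY = Packet("udp", src_port=53, dst_port=1033)
HTTP_SYN = Packet("tcp", src_port=40000, dst_port=80)

def article_config() -> TcpIpFilter:
    """Ports 80 and 21 open; UDP on 'permit only' with an empty list."""
    return TcpIpFilter(tcp_ports={80, 21})
```

Running `article_config().inbound_allowed(DNS_REPLY)` returns False even when 53 is added to `udp_ports`, which is the symptom the article describes; only `allow_all_udp=True` or the stateful contrast lets the reply through.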

