Showing posts with label firewall. Show all posts

Thursday, August 13, 2015

Open inbound port on Windows 7, howto

Let's say you wish to open a local, inbound port so that some program running on your Windows 7 (Home Premium SP1) computer can accept connections on it. If installing the program didn't open that port automatically, here's how to do so.

For security reasons, you should scope the firewall rule to the single receiving program rather than to the port alone; otherwise any process that later binds the port inherits the exception. Plus, in many cases you should configure that program not to use its standard port number (if possible): pick a number between 1024 and 49151 (inclusive, and chosen at random) to be your inbound local port number. Bear in mind that a non-standard port only deters casual scanning; it is no substitute for the program's own authentication and for keeping it patched.

NETWORK LOCATION

First identify what Windows 7 calls the 'Network Location' of the network your router provides. (Later we'll need this.) Here's how to do it:
  1. In Control Panel, click 'Network and Sharing Center'.
  2. Under the words 'View your active networks', identify which of your active networks is the appropriate one. (Most people have only one, because they have only one active router.)
  3. Find and click the link immediately under that network's name; it shows the current location (e.g., 'Public network'). Then
  4. Observe which Network Location is selected (i.e., surrounded by a dotted box).
  5. You should decide (if you haven't already) whether this router is best considered as providing:
    • A Home Network (a private network);
    • A Work Network (in a corporate domain); or
    • A Public Network.
    As it happens, my wireless router is provided by my landlord, so I categorize it as an unsafe Public Network. And that's its Network Location.
NEW FIREWALL RULE

Then set up Windows Firewall to allow your desired inbound connection to the receiving program. (You'll need to be an Administrator for this.) Here's how:
  1. In Control Panel, click 'Windows Firewall'.
  2. Click 'Advanced Settings'—this takes you to 'Windows Firewall with Advanced Security'.
  3. Click 'Inbound Rules'.
  4. Click 'New Rule'.
  5. Select 'Port' and click 'Next'.
  6. Ensure 'TCP' is selected.
  7. Ensure 'Specific local ports' is selected.
  8. Enter your local inbound port number and click 'Next'.
  9. Ensure 'Allow the Connection' is selected, and click 'Next'.
  10. For 'When does this rule apply?', check only the profile that corresponds to your router's Network Location (see above), and click 'Next'. Note that the wizard offers three profiles (Domain, Private, Public), not the three locations: both the Home and the Work locations use the Private profile. Leaving a profile checked that you never use widens the exposure for no benefit.
  11. Under the word 'Name', enter a name built from five parts concatenated together: the receiving program's name, a word (or abbreviation) that tells you the port's purpose, the words 'In' and 'Port', and the port number. Click 'Finish'. (Later, this naming scheme will make the rule easy to find if necessary.)
  12. Click 'Refresh'.
  13. Right-click your new rule and select 'Properties'.
  14. Click the 'Advanced' tab.
  15. If you need this local inbound port to be reachable merely from other computers within your LAN, then:
    • Under 'Edge traversal', ensure 'Block edge traversal' is selected. Edge traversal governs only traffic that arrives through a NAT or edge device by way of a Teredo (IPv6-over-UDP) tunnel; blocking it stops computers outside your LAN from reaching this port that way (at least, through this Windows Firewall 'Action: Allow' rule). It does not block ordinary IPv4 connections that your router itself forwards to this computer, so check the router's port-forwarding table too if the port must stay LAN-only.
    Otherwise, to allow inbound access to this local port from computers outside your LAN:
    • Under 'Edge traversal', unselect 'Block edge traversal'.
  16. Click the 'Programs and Services' tab.
  17. Select 'This program'.
  18. Enter the path to your receiving program and click 'OK'. To confirm the scope is right, check that this program (and nothing else) is what listens on the port: in a command prompt, 'netstat -ano' shows each listening address with its process ID, and 'tasklist' maps that ID to an executable. If a different executable owns the port, the rule silently allows nothing.
Copyright (c) 2015 Mark D. Blackwell.

Wednesday, August 12, 2015

SSH to guest Debian stretch on a VirtualBox Windows 7 host from LAN, howto

Suppose you have a virtual machine (or VM) in which you have installed a guest operating system, e.g., Debian stretch, and it's running under a (physical) Windows 7 (Home Premium SP1) host operating system by means of Oracle's VirtualBox software (originally developed by Innotek GmbH).

You might wish to access that Debian guest from another box on your host's LAN. Here's how to do so with SSH. (If you're on Windows, you can do this IMO most enjoyably from Git Bash or Cygwin, although SSHing more directly from Windows is also possible.)

These instructions should work just as well with Debian's jessie or wheezy releases (in all likelihood). One caveat: Debian's default sshd configuration (from jessie on) refuses root logins by password; check 'PermitRootLogin' in /etc/ssh/sshd_config on the guest if in doubt, but the better habit is to log in as a regular user and use 'sudo' (or 'su') if you need to be root.

GUEST

In your guest Debian operating system, install the software to accept your inbound SSH connection:
sudo apt-get install openssh-server
The service starts on installation; before going further, confirm on the guest that it is listening on TCP port 22 (for example with 'ss -tln' or 'netstat -tln').
HOST

I. For the desired VM, adjust its VirtualBox settings:
  1. Choose network type NAT.
  2. Forward some inbound port on the host to inbound port 22 on the guest.
Here are the details on how to accomplish this:
  1. As an additional (modest) layer of security, pick a number between 1024 and 49151 (inclusive, and chosen at random) to be the inbound local port ('host port') on your physical VirtualBox host. This hides the service from casual scans but not from anyone who looks; the guest's SSH authentication and the firewall rule's scope do the real work.
  2. In VirtualBox Manager, select your desired VM (it can be running).
  3. In the VirtualBox Manager menu, click Machine–Settings–Network.
  4. Ensure the 'Adapter 1' tab is selected.
  5. Ensure 'Enable Network Adapter' is checked.
  6. You'll see the words 'Attached to'. There, select 'NAT'.
  7. Ensure that the blue, drop-down arrow by the word 'Advanced' has dropped down to show you the advanced settings.
  8. Click the 'Port Forwarding' button.
  9. Click the green icon, bearing a plus sign, whose tooltip is 'Adds new port forwarding rule'.
  10. Find and select the newly-created row.
  11. In the 'Name' column, type 'guestssh'.
  12. Ensure 'Protocol' is 'TCP'.
  13. In the 'Host Port' column, type your inbound local port.
  14. In the 'Guest Port' column, type '22'.
II. Set up Windows Firewall to allow the desired SSH connection, by following the steps in this post to create the new firewall rule. In particular:
  • Name it 'VirtualBoxSSHInPort' followed by the port number.
  • Under 'Edge traversal', ensure 'Block edge traversal' is selected.
  • For the path to the receiving program, use the path to the VirtualBox executable on your host system, i.e., the process that actually holds the forwarded port. In the VirtualBox releases current in 2015 that is VirtualBox.exe; later releases run each VM in a separate VirtualBoxVM.exe, so confirm with 'netstat -ano' which executable listens on your host port.
III. Determine the Internet Protocol (IP) address of your VirtualBox host as viewed by its active router. Here's how:
  1. In your VirtualBox host's system tray, click the icon of the active router.
  2. Make sure the drop-down arrow by the words 'Wireless Network Connection' is selected, so you see a list of routers.
  3. Find the name of your active router in the list.
  4. Right-click that name.
  5. Click on 'Status'.
  6. Click the 'Details' button.
  7. In the 'Property' column, find the words 'IPv4 Address'.
  8. Read across to the 'Value' column.
  9. Note its four, dot-separated numbers. That's the IP address of your VirtualBox host in the LAN provided by its active router, and it will be the target IP address of your SSH connection command. (Running 'ipconfig' in a command prompt and reading the 'IPv4 Address' of the active adapter gives the same answer.)
In order to allow SSH connections to your VirtualBox guest, the VirtualBox software does Network Address Translation (NAT). So, BTW, your VirtualBox guest will report that you are logged in not from your active router's LAN but from VirtualBox's own NAT network: the source address it sees is 10.0.2.2, the NAT gateway, and the source port is different as well. One consequence: anything on the guest that filters by client address (an sshd 'Match Address' block, fail2ban and the like) cannot tell one LAN client from another, so put such restrictions in the host firewall rule instead.

IV. Now you can test the availability of your inbound SSH connection.

By default, SSH uses your local username to log in.

Typical Windows usernames begin with a capital letter, yet typical GNU/Linux usernames begin with a lower-case letter, so SSH's default username will likely fail. Instead (from Windows), the SSH command to access your VirtualBox VM is:
$ ssh {lowercase username}@{target IP address} -p {host port}
Since my name (and Windows username) is Mark, I enter:
$ ssh mark@{target IP address} -p {host port}
On the first connection ssh prints the guest's host key fingerprint and asks whether to trust it. Compare it with the output of 'ssh-keygen -lf' run against one of the guest's /etc/ssh/ssh_host_*_key.pub files (from the VM's console) before answering yes; nothing else protects you from connecting to an impostor.
Alternatively, instead of logging in, you can run a single command and retrieve its output to your local computer, e.g.:
$ ssh mark@{target IP address} -p {host port} cat some-file > here
Or, you can use SCP.
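The two click paths above (the Windows Firewall rule from the earlier post and this post's VirtualBox port forward), as one script. This is an added example, not code from either post, written for Git Bash on the Windows 7 host (which the post already recommends for ssh). It assumes that VBoxManage and netsh are on PATH, that the VM is named 'debian', that the VM process is C:\Program Files\Oracle\VirtualBox\VirtualBox.exe, that the router's Network Location is Public, and that the guest user is 'mark'; change the variables at the top to match your setup.

```shell
#!/bin/bash
# Added example (not from the original posts): CLI equivalent of the GUI
# steps, for Git Bash on the Windows 7 host. Assumed names: VM "debian",
# VirtualBox 5.x VM process path, Network Location "Public".
VM=${VM:-debian}
VBOX_EXE=${VBOX_EXE:-'C:\Program Files\Oracle\VirtualBox\VirtualBox.exe'}
LOCATION=${LOCATION:-Public}   # Home, Work, Domain or Public

# Windows 7 folds the Home and Work locations into the Private profile.
profile_for_location() {
    case "$1" in
        Home|Work|Private) echo private ;;
        Domain)            echo domain ;;
        Public)            echo public ;;
        *) return 1 ;;
    esac
}

# Reject well-known ports and the ephemeral range, as the posts recommend.
valid_port() { [ "$1" -ge 1024 ] 2>/dev/null && [ "$1" -le 49151 ]; }
random_port() { echo $(( 1024 + RANDOM % 48128 )); }   # 49151 - 1024 + 1

rule_name() { echo "VirtualBoxSSHInPort$1"; }
# VirtualBox NAT rule: name,proto,hostip,hostport,guestip,guestport.
# An empty host IP binds every host interface (needed for LAN access);
# put 127.0.0.1 there if only the host itself should reach the guest.
natpf_rule() { echo "guestssh,tcp,,$1,,22"; }

# controlvm works on a running VM; modifyvm needs it powered off.
setup_forward() {
    if VBoxManage showvminfo "$VM" --machinereadable | grep -q '^VMState="running"'; then
        VBoxManage controlvm "$VM" natpf1 "$(natpf_rule "$1")"
    else
        VBoxManage modifyvm "$VM" --nic1 nat --natpf1 "$(natpf_rule "$1")"
    fi
}

# Inbound, TCP, one port, one profile, one program, no edge traversal.
add_firewall_rule() {
    netsh advfirewall firewall add rule name="$(rule_name "$1")" dir=in action=allow \
        protocol=TCP localport="$1" profile="$(profile_for_location "$LOCATION")" \
        program="$VBOX_EXE" edge=no
}

# The PID in the last column must belong to the executable the rule names;
# otherwise the program-scoped rule allows nothing.
show_listener() { netstat -ano | grep LISTENING | grep ":$1 "; }

main() {
    port=${1:-$(random_port)}
    valid_port "$port" || { echo "port $port is outside 1024-49151" >&2; exit 1; }
    setup_forward "$port"
    add_firewall_rule "$port"
    show_listener "$port"
    echo "from another LAN box: ssh -p $port mark@<host IPv4 address>"
}

# Usage: bash vbox-ssh.sh run [host-port]
case "${1:-}" in
    run) main "${2:-}" ;;
esac
```

The firewall rule is created with the profile that matches the Network Location, so a rule made for a Public location will not apply if the host later joins a Home network, which is the intended behaviour; re-run with LOCATION set accordingly rather than checking every profile.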

Copyright (c) 2015 Mark D. Blackwell.

Thursday, January 31, 2013

Fix spurious XP warning 'firewall not started', howto

Spuriously the last few days, booting my XP computer, I've been warned my firewall is down (in a yellow message bubble). Microsoft's Security Center software (running locally) says, "Microsoft Security Essentials is turned off." The message is not transient, either.

However, real-time protection is running just fine!

Running Microsoft's WMIDiag diagnostic tool didn't help, but web searching the message gave me this procedure (to rebuild a corrupted WMI repository—when prompted, answer yes):

> cd %windir%\system32\wbem
> rem Stop the WMI service (answer Y when asked to stop dependent services)
> net stop winmgmt
> rem List subdirectories; 'Repository' holds the WMI database
> dir /ad
> rem Set the old repository aside; winmgmt rebuilds an empty one on start
> ren Repository Repository.old
> net start winmgmt
> net start "security center"
> rem Open the Windows Firewall control panel
> firewall.cpl

Then in the General tab, select 'On' to restart Windows Firewall. Once the warning is gone and the rebuilt repository works, Repository.old can be deleted (keep it until you are sure).

WBEM (mentioned above) is Web-Based Enterprise Management; WMI, Windows Management Instrumentation, is Microsoft's implementation of it. Introductions, including some lighthearted ones, are easy to find by web search.

Copyright (c) 2013 Mark D. Blackwell.

Wednesday, November 9, 2011

IPv6 aware, Linux iptables cloud hand-firewall for Debian lenny, howto

Recently, I set up a Linux software firewall by hand for a virtual machine instance running Debian lenny.

Concern about IPv6 traffic is reasonable now or in the future. 'Is your firewall IPv6 aware?' (see References) spells out the danger: 'You might think that [using iptables to] disallow incoming connections to your server on port 22[,] except from a single trusted IP[,] is sufficient to stop connections hitting your machine, but if it is accessible over IPv6 you'll soon discover this isn't the case.'

Many VM providers have not so far (completely) enabled IPv6. However, for anyone who has written their own firewall script, it is a good idea to be prepared beforehand for the event.

The latest VM's, running on recent kernels, can use regular, IPv6-capable firewalls, though they are somewhat hard to find. For instance, the Debian package, 'shorewall6' implements an IPv6 firewall, which 'requires kernel 2.6.24 or later'. Per their FAQ, 'Linux kernels before 2.6.20 didn't support connection tracking for IPv6'.

My particular VM provider allows me only kernel 2.6.18. So, for my old kernel, I developed a fairly simple firewall script, with goals to:

* Restrict sole use of my VM to a list of authorized, remote IP's
* Block tunneling of IPv6 through IPv4, inbound and outbound
* Ease establishing the same rules for IPv6 as for IPv4
* Learn more about iptables firewalls, and
* Learn something about IPv6

This modular firewall script allows full and easy control over IP addresses, protocols and ports. It was derived, with additions, from James Turnbull's 'Bastion Host Iptables Script' (see References).

In order to simplify, it leaves out denial of service (DOS) protection (rate limiting and the like), because that seems unlikely to matter in casual VM use. And, it assumes your VM's own IP address is IPv4.

Locking yourself out with a mistaken rule is recoverable rather than fatal, because VM providers offer direct console access, independent of services running on the VM. Still, test a new rule set from a second session before closing the one you are working in.

The script is available free of charge from my GitHub account.
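An added example of the approach the goals above describe; it is not the author's GitHub script. One allowlist policy function is fed to both iptables and ip6tables (so the IPv6 rules cannot drift from the IPv4 ones), IPv6-in-IPv4 tunnels are dropped, and the STATEFUL6 switch covers the pre-2.6.20 kernel case mentioned above, where ip6tables has no connection tracking. The addresses are assumed examples from the documentation ranges, and DRYRUN=1 prints the rules instead of installing them.

```shell
#!/bin/sh
# Added example of the approach described above; it is NOT the author's
# GitHub script. One allowlist policy is applied through both iptables and
# ip6tables, and IPv6-in-IPv4 tunnels are dropped so that the IPv6 rules
# cannot be bypassed. Addresses are assumed examples (documentation ranges).
ALLOW4="203.0.113.10 198.51.100.0/24"
ALLOW6="2001:db8::10 2001:db8:1::/64"
SSH_PORT=22
# Kernels before 2.6.20 have no IPv6 connection tracking; set STATEFUL6=0
# there to fall back to a stateless rule for return traffic.
STATEFUL6=${STATEFUL6:-1}

# With DRYRUN=1 the rule commands are printed instead of executed, so the
# generated policy can be reviewed on a machine without root.
run() { if [ "${DRYRUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# apply_policy BIN "ADDR ..." STATEFUL: the same rule set for one family.
apply_policy() {
    bin=$1 allow=$2 stateful=$3
    run "$bin" -F
    run "$bin" -X
    run "$bin" -P INPUT DROP
    run "$bin" -P FORWARD DROP
    run "$bin" -P OUTPUT ACCEPT
    run "$bin" -A INPUT -i lo -j ACCEPT
    if [ "$stateful" = 1 ]; then
        run "$bin" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    else
        # Stateless fallback: admit TCP segments that do not open a new
        # connection, i.e. replies to sessions this host initiated.
        run "$bin" -A INPUT -p tcp '!' --syn -j ACCEPT
    fi
    if [ "$bin" = ip6tables ]; then
        # Neighbour discovery (RS, RA, NS, NA) must pass or IPv6 stops working.
        for t in 133 134 135 136; do
            run "$bin" -A INPUT -p icmpv6 --icmpv6-type "$t" -j ACCEPT
        done
    fi
    for a in $allow; do
        run "$bin" -A INPUT -s "$a" -p tcp --dport "$SSH_PORT" -j ACCEPT
    done
    # Log a rate-limited sample of what the DROP policy will discard.
    run "$bin" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

# 6in4, 6to4 and ISATAP carry IPv6 as IPv4 protocol 41; Teredo reaches its
# servers over UDP 3544. Dropping both directions of protocol 41 and the
# outbound Teredo server port keeps IPv6 from sneaking past the IPv4 rules.
block_v6_tunnels() {
    run iptables -I INPUT 1 -p 41 -j DROP
    run iptables -A OUTPUT -p 41 -j DROP
    run iptables -A OUTPUT -p udp --dport 3544 -j DROP
}

main() {
    apply_policy iptables  "$ALLOW4" 1
    apply_policy ip6tables "$ALLOW6" "$STATEFUL6"
    block_v6_tunnels
}

# sh fw.sh dryrun   prints the rules;   sh fw.sh apply   installs them (as root)
case "${1:-}" in
    apply)  main ;;
    dryrun) DRYRUN=1; main ;;
esac
```

Review the dry-run output before applying: every '-s' line should appear once per allowed address in each family, and the ip6tables rule set should differ from the iptables one only in the neighbour-discovery accepts and, on an old kernel, the stateless return-traffic rule.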

References:
Bastion Host Iptables Script: Appendix A (or chapter 2) of James Turnbull's book, _Hardening Linux_. For download, see http://www.apress.com.

/etc/default/iptables
/usr/src/linux/Documentation/filesystems/proc.txt
/usr/src/linux/Documentation/networking/ip-sysctl.txt

6in4 - Wikipedia
6to4 - Wikipedia
Adding proper IPv6 to my home network - Martin F. Krafft
After installation - Securing Debian manual - Debian
Anything in anything - Wikipedia
Basic iptables - howtos - 5dollarwhitebox
Basic iptables - Debian/RedHat (see comments) - HowToForge
Collection of basic Linux firewall iptables rules - LinuxConfig
Debian firewall - Debian
Druidic firewall - I)ruid
Easy firewall generator for iptables - Scott Morizot
Entries in /proc/sys/net/ipv6/ - Linux IPv6 howto - TLDP
Firewalling with netfilter/iptables - Shane Tzen
Firewalls - Debian
Firewalls resources - Center for Education and Research in Information Assurance and Security (CERIAS)
Firewalls tag - DebianAdministration
Getting IPv6 connectivity under Linux - Juliusz Chroboczek
Guidelines for firewall vendors regarding MIPv6 traffic - Internet Engineering Task Force
Internet firewalls: frequently asked questions - Paul D. Robertson, et al.
The Internet is a dirty, dirty mistress - Dustin D. Trammell
Invisible IPv6 traffic poses serious network threat - Carolyn Duffy Marsan - Network World
Ip6tables: IPv6 firewall for Linux - Vivek Gite
Iptables - Wikipedia
Iptables(8) - Linux man page - Linux die.net
Iptables firewall - Thomas Pircher - TTY1
Iptables firewall script & configuration files for Linux 2.4.x-2.6.x - Bob Sully
Iptables/firewall setup for clusters - Richard Benson - Dixcart
Iptables howto - Community documentation - Ubuntu
Iptables rules - TheGeekStuff
Iptables tag - DebianAdministration
Iptables tutorial - Oskar Andreasson - Frozentux
IPv6 - Wikipedia
IPv6 & Linux howto - Peter Bieringer
IPv6: Configuration for Debian - lenehan
IPv6 firewalling - Sixxs.net
IPv6 firewalls - GetIPv6
IPv6-ready kernel - Linux IPv6 howto - TLDP
IPv6 security considerations and recommendations - Microsoft
IPv6 with Debian - Martin F. Krafft
Is your firewall IPv6 aware? - Debian administration - Steve Kemp
ISATAP - Wikipedia
Learn how to use ip6tables - TLDP
Links2World howto - Links2World Firewall
Linux 2.4 packet filtering howto - Rusty Russell
Linux iptables avoid IP spoofing & bad addresses attacks - LinuxTitli
Linux iptables block common attacks howto - LinuxTitli
Linux iptables: how to specify a range of IP addresses or ports - Vivek Gite
Linux: IPv6 - Peter Bieringer
Linux IPv6 howto - TLDP
List of IP protocol numbers - Wikipedia
Local area network - Wikipedia
Miredo(8) - Linux man page - Linux die.net
Restoring iptables automatically on boot - Jawnsy - DebianAdministration
Running IPv6 in practice - Gribozavr - DebianAdministration
Securing network access - Securing Debian manual - Debian
Set up Ubuntu server in the cloud howto - dambrosio
The settings statement - Links2world Firewall
Shorewall firewall installation, configuration & understanding - Stephen P. Edwards
System run levels and init.d scripts - Debian
Teredo may render your firewall useless - René Pfeiffer
The Teredo protocol: tunneling past network security & other security implications (PDF) - James Hoagland - Symantec
Teredo tunneling - Wikipedia
Top 5 best Linux firewalls - Ramesh Natarajan - TheGeekStuff
Using iptables to secure your virtual machine - Cloud hosting applications - eApps
Why you want IPv6 - LinuxReviews

Copyright (c) 2011 Mark D. Blackwell.