
Thread: Would this be a firewall?

  1. #1
    Senior Member tampabay420
    Join Date
    Aug 2002
    Posts
    953

    Would this be a firewall?

    Are there any products for M$ Windows Platforms that can drop/refuse packets that meet certain requirements?

    AnalogX offers a nice Packet Monitor, but can not drop/refuse the packets- only log them... If this doesn’t make any sense I will try to rephrase my question later…

    I'd like to run the packets through some rules based on Packet Header Contents and Body Contents?

    Oh yeah- I’m on Win2k...
    yeah, I'm gonna need that by friday...

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Tampa: Oh do I hate using that name this week.....Gooooo RAIDERS......

    You could use the win32 port of snort and then use its ability to close the connection. It sends a reset to the sending IP I believe. Then you can write any rule you like to block the packets.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    There are several types of firewalls. One type is a packet filtering firewall. Cisco makes one called "PIX". Now, just because a device does packet filtering does not necessarily mean it's a firewall. Routers, for example, are capable of doing packet filtering.

    Simply monitoring packets would be considered sniffing, not packet filtering.


    PS.

    GO RAIDERS
    (been a fan since 1981)
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    "You could use the win32 port of snort and then use its ability to close the connection. It sends a reset to the sending IP I believe."
    Yes, but that would not be very secure:

    1. This only works for TCP. Connectionless protocols are entirely unaffected by "sending a reset". Reset is a TCP flag which does not apply to other IP protocols.
    2. You are relying on the reset to get to the attacker before they can do any damage, which might not happen in the case of a really quick attack, for instance a DoS.
    3. A cunning hacker (who knew what you're doing) could set up their own firewall to filter out your reset packets. Sure, it would prevent genuine resets reaching them, but they would be able to establish a connection anyway.
    4. It would be fairly easy to spot, because your RSTs would appear in addition to the real responses. If you connected to a closed port, you'd get TWO resets, which would never normally happen. This would give the game away.

    So I don't think it's a very good approach.

    There is a vague possibility that some win32 systems (Windows XP) have a packet filtering API which allows you to write your own filters. I don't know anything about them, however, and there is a good possibility you have to write your filter as a native kernel-mode application.

    There may be some 3rd party firewalls (esp. expensive ones like FW1) which provide a user-level packet filtering API. This is likely to decrease the performance of your router.
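
Point 1 of the post above, as an added example that is not part of the original thread and is not Snort's or any firewall product's code: a rule evaluator that matches on header fields and body contents, and reports for each match whether a reset-style response could apply at all. The rule names, the `BLOCKME` marker and the sample packets are constructed for illustration.

```python
import struct

TCP, UDP = 6, 17

def parse_ipv4(pkt: bytes) -> dict:
    """Split a raw IPv4 packet into the header fields and body a rule can match on."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    proto, l4 = pkt[9], pkt[ihl:]
    info = {"proto": proto, "dport": None, "body": l4}
    if proto == TCP and len(l4) >= 20:
        info["dport"] = struct.unpack("!H", l4[2:4])[0]
        info["body"] = l4[(l4[12] >> 4) * 4:]   # skip TCP header including options
    elif proto == UDP and len(l4) >= 8:
        info["dport"] = struct.unpack("!H", l4[2:4])[0]
        info["body"] = l4[8:]
    return info

def verdict(pkt: bytes, rules: list) -> dict:
    """First matching rule wins. 'inline_drop' is what a filter sitting in the
    packet path can do; 'reset_applies' is whether a TCP RST is even possible."""
    p = parse_ipv4(pkt)
    for r in rules:
        if (r["proto"] == p["proto"] and r["dport"] == p["dport"]
                and r["needle"] in p["body"]):
            return {"match": r["name"], "inline_drop": True,
                    "reset_applies": p["proto"] == TCP}
    return {"match": None, "inline_drop": False, "reset_applies": False}

def build(proto: int, dport: int, body: bytes) -> bytes:
    """Constructed sample packet (checksums zero, documentation-range addresses)."""
    if proto == TCP:
        l4 = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + body
    else:
        l4 = struct.pack("!HHHH", 40000, dport, 8 + len(body), 0) + body
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return ip + l4

RULES = [  # hypothetical rules: protocol, destination port, body substring
    {"name": "tcp-80-marker", "proto": TCP, "dport": 80, "needle": b"BLOCKME"},
    {"name": "udp-53-marker", "proto": UDP, "dport": 53, "needle": b"BLOCKME"},
]

if __name__ == "__main__":
    for sample in (build(TCP, 80, b"GET /BLOCKME"), build(UDP, 53, b"xxBLOCKME")):
        print(verdict(sample, RULES))
```

The UDP match comes back with `reset_applies` false: only a filter in the packet path can stop it, which is the gap the post describes.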

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Slarty: All your points are well taken but I'm not sure security is what Tampa, (spit, spit..... Go Raiders.... ) had in mind necessarily 'cos I'm quite sure he is conversant with firewalls. Therefore I suggested the Snort option since it would function if all he wanted was packets, (and I'm assuming he was really referring to connections), dropped.

    I did make a few assumptions - but he was a little vague....<s>
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #6
    Senior Member
    Join Date
    Apr 2002
    Posts
    634
    Microsoft included in Win 2000 a basic filtering system. You should be able to configure it via the routing and distant access service.
    Or you can try a software called Pktfilter designed to configure it:
    The homepage is here (it's in French, sorry. But you can easily find the link to the download section on the bottom of the text if you don't understand any French word).

    KC
    Life is boring. Play NetHack... --more--
