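Rem DIALUP2K.CMD
Rem Create a "Simple Packet Filter" to protect Windows 2000 against
Rem attacks over dial-up connections.
Rem Copyright (C) 2000-2011, Stefan Kanthak
Rem
Rem Requires the Windows 2000 Resource Kit (environment variable NTResKit
Rem points to its installation directory) and its IPSecPol.Exe.  The policy
Rem is written to the persistent registry store (-w REG), so it survives
Rem reboots; run the script again to rebuild it after editing the rules.
Rem
Rem SECURITY NOTES (read before relying on this filter):
Rem  * This is an IPsec *packet* filter: stateless, no connection tracking.
Rem    Every -f below uses ipsecpol's mirrored operator "+", so each rule
Rem    matches both directions with source and destination swapped.  The
Rem    "Allow outbound X" PASS rules therefore also admit inbound packets
Rem    whose *source* port is X (20, 21, 22, 25, 53, 80, 443, ...) to any
Rem    local port, and an attacker can choose that source port.  Whether
Rem    such a packet also overrides a port-specific BLOCK below depends on
Rem    IPsec's filter weighting - verify on the target system rather than
Rem    assuming it is blocked.
Rem  * Traffic that matches no filter is passed by IPsec, and the catch-all
Rem    "Block inbound" (-f *+0) is only present, commented out, in the LAN
Rem    section.  The dial-up rules are thus a blocklist of well-known ports;
Rem    any other listening service (e.g. RPC dynamic ports above 1025) stays
Rem    reachable from the dial-up side.  A default-deny "Block inbound" for
Rem    -dialup plus the explicit PASS rules would be the safer shape - test
Rem    it against the mirrored-filter caveat above before enabling it.
Rem  * Windows 2000 IPsec exempts some traffic from filtering by default
Rem    (Kerberos, RSVP, IKE/UDP 500, broadcast and multicast), so the
Rem    "Block inbound Kerberos" rule may have no effect unless the
Rem    NoDefaultExempt registry value of the IPSEC service is set - confirm
Rem    for the service-pack level in use.
Rem  * The policy is deactivated (-y) and deleted (-o) before it is rebuilt;
Rem    IPSecPol.Exe exit codes are not checked, so a failing invocation in
Rem    the middle leaves a partial policy active.  Review the tool's output.
Rem  * "Block inbound [S]NTP" is deliberately commented out while "Allow
Rem    outbound NTP" is present; presumably because a mirrored block on
Rem    port 123 would also match the symmetric 123<->123 exchange that the
Rem    time service uses - TODO confirm, then decide whether inbound 123
Rem    should be filtered.

If "%NTResKit%" == "" GoTo :EOF
If Not Exist "%NTResKit%\Tools\IPSecPol.Exe" GoTo :EOF

Rem Deactivate the "Simple Packet Filter"
"%NTResKit%\Tools\IPSecPol.Exe" -w REG -p "Simple Packet Filter" -y

Rem Delete the "Simple Packet Filter" (clear all of its filter rules)
"%NTResKit%\Tools\IPSecPol.Exe" -w REG -p "Simple Packet Filter" -o

Rem Define filter rules for the LAN interface(s)
Rem (disabled: a default-deny on the LAN side, with RFC 1918, loopback and
Rem link-local ranges allowed back in; see the SECURITY NOTES above)
Rem "%NTResKit%\Tools\IPSecPol.Exe" -lan -w REG -p "Simple Packet Filter" -r "Block inbound" -n BLOCK -f *+0
Rem "%NTResKit%\Tools\IPSecPol.Exe" -lan -w REG -p "Simple Packet Filter" -r "Allow private subnets" -n PASS -f 10.0.0.0/255.0.0.0+0 -f 127.0.0.0/255.0.0.0+0 -f 172.16.0.0/255.240.0.0+0 -f 169.254.0.0/255.255.0.0+0 -f 192.168.0.0/255.255.0.0+0

Rem Define filter rules for the dial-up interface(s)
Rem (disabled: a blanket outbound PASS and a block of private/loopback/
Rem link-local source ranges, which should never arrive over dial-up)
Rem "%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Allow outbound" -n PASS -f 0+*
Rem "%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block private subnets" -n BLOCK -f 10.0.0.0/255.0.0.0+0 -f 127.0.0.0/255.0.0.0+0 -f 172.16.0.0/255.240.0.0+0 -f 169.254.0.0/255.255.0.0+0 -f 192.168.0.0/255.255.0.0+0

Rem Inbound blocks: "*+0:PORT:PROTO" = any address to my address on PORT
Rem (mirrored, so also my PORT to any address).
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound Echo" -n BLOCK -f *+0:7:TCP -f *+0:7:UDP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound Discard" -n BLOCK -f *+0:9:TCP -f *+0:9:UDP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound DayTime" -n BLOCK -f *+0:13:TCP -f *+0:13:UDP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound QuoteOfTheDay" -n BLOCK -f *+0:17:TCP -f *+0:17:UDP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound CharGen" -n BLOCK -f *+0:19:TCP -f *+0:19:UDP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound FTP" -n BLOCK -f *+0:20:TCP -f *+0:21:TCP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound SSH" -n BLOCK -f *+0:22:TCP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound Telnet" -n BLOCK -f *+0:23:TCP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound SMTP and SMTP/SSL" -n BLOCK -f *+0:25:TCP -f *+0:465:TCP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound WINS" -n BLOCK -f *+0:42:TCP -f *+0:42:UDP -f *+0:1512:TCP -f *+0:1512:UDP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound DHCP" -n BLOCK -f *+0:67:UDP -f *+0:68:UDP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound TFTP" -n BLOCK -f *+0:69:UDP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound Finger" -n BLOCK -f *+0:79:TCP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound HTTP and HTTP/SSL" -n BLOCK -f *+0:80:TCP -f *+0:443:TCP
Rem See SECURITY NOTES: Kerberos may be exempt from IPsec filtering by default.
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound Kerberos" -n BLOCK -f *+0:88:TCP -f *+0:88:UDP -f *+0:464:TCP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound POP3 and POP3/SSL" -n BLOCK -f *+0:110:TCP -f *+0:995:TCP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound Ident" -n BLOCK -f *+0:113:TCP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound NNTP and NNTP/SSL" -n BLOCK -f *+0:119:TCP -f *+0:563:TCP
Rem "%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound [S]NTP" -n BLOCK -f *+0:123:TCP -f *+0:123:UDP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound RPC EPMap" -n BLOCK -f *+0:135:TCP -f *+0:135:UDP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound NetBIOS" -n BLOCK -f *+0:137:TCP -f *+0:137:UDP -f *+0:138:UDP -f *+0:139:TCP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound IMAP4 and IMAP4/SSL" -n BLOCK -f *+0:143:TCP -f *+0:993:TCP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound SNMP and SNMP Trap" -n BLOCK -f *+0:161:UDP -f *+0:162:UDP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound IPX over IP" -n BLOCK -f *+0:213:TCP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound LDAP and LDAP/SSL" -n BLOCK -f *+0:389:TCP -f *+0:389:UDP -f *+0:636:TCP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound SMB" -n BLOCK -f *+0:445:TCP -f *+0:445:UDP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound Syslog" -n BLOCK -f *+0:514:UDP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound LPD/LPR" -n BLOCK -f *+0:515:TCP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound DCOM over HTTP" -n BLOCK -f *+0:593:TCP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound MSP" -n BLOCK -f *+0:587:TCP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound IPP" -n BLOCK -f *+0:631:TCP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound MS-Schedule" -n BLOCK -f *+0:1025:TCP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound SOCKS" -n BLOCK -f *+0:1080:TCP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound MS-SQL" -n BLOCK -f *+0:1433:TCP -f *+0:1433:UDP -f *+0:1434:TCP -f *+0:1434:UDP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound T.120" -n BLOCK -f *+0:1503:TCP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound H.323/Q.931" -n BLOCK -f *+0:1720:TCP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound GC and GC with LDAP/SSL" -n BLOCK -f *+0:3268:TCP -f *+0:3268:UDP -f *+0:3269:TCP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Block inbound Terminal Server" -n BLOCK -f *+0:3389:TCP

Rem Outbound allows: "0+*:PORT:PROTO" = my address to any address on PORT
Rem (mirrored, so replies from any address's PORT to my address are admitted
Rem too - and, since nothing is stateful, so is any packet with that source
Rem port; see SECURITY NOTES).
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Allow outbound FTP" -n PASS -f 0+*:20:TCP -f 0+*:21:TCP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Allow outbound SSH" -n PASS -f 0+*:22:TCP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Allow outbound SMTP and SMTP/SSL" -n PASS -f 0+*:25:TCP -f 0+*:465:TCP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Allow outbound DNS" -n PASS -f 0+*:53:TCP -f 0+*:53:UDP
Rem "%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Allow outbound DHCP" -n PASS -f 0+*:67:UDP -f 0+*:68:UDP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Allow outbound HTTP and HTTP/SSL" -n PASS -f 0+*:80:TCP -f 0+*:443:TCP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Allow outbound POP3 and POP3/SSL" -n PASS -f 0+*:110:TCP -f 0+*:995:TCP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Allow outbound NNTP and NNTP/SSL" -n PASS -f 0+*:119:TCP -f 0+*:563:TCP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Allow outbound NTP" -n PASS -f 0+*:123:TCP -f 0+*:123:UDP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Allow outbound IMAP4 and IMAP4/SSL" -n PASS -f 0+*:143:TCP -f 0+*:993:TCP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Allow outbound LDAP and LDAP/SSL" -n PASS -f 0+*:389:TCP -f 0+*:389:UDP -f 0+*:636:TCP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Allow outbound MSP" -n PASS -f 0+*:587:TCP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Allow outbound IPP" -n PASS -f 0+*:631:TCP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Allow outbound SOCKS" -n PASS -f 0+*:1080:TCP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Allow outbound GC and GC with LDAP/SSL" -n PASS -f 0+*:3268:TCP -f 0+*:3268:UDP -f 0+*:3269:TCP
"%NTResKit%\Tools\IPSecPol.Exe" -dialup -w REG -p "Simple Packet Filter" -r "Allow outbound Terminal Server" -n PASS -f 0+*:3389:TCP

Rem Activate the "Simple Packet Filter"
"%NTResKit%\Tools\IPSecPol.Exe" -w REG -p "Simple Packet Filter" -x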