Block Inbound Connections to Port 500 UDP

Question

I am trying to block inbound UDP connections to port 500. I have the following firewall rule enabled for all network interfaces, but port 500 is still open. The IKE and AuthIP IPsec Keying Modules is running (Automatic (delayed) start up).

Rule Name: @BlockAllInbound - UDP Port 500

---

Enabled: Yes

Direction: In

Profiles: Domain,Private,Public

Grouping:

LocalIP: Any

RemoteIP: Any

Protocol: UDP

LocalPort: 500

RemotePort: Any

Edge traversal: No

Action: Block

sudo nmap [redacted] -p 500 -sU

Starting Nmap 6.40 ( http://nmap.org ) at 2023-01-24 11:03 CST

Nmap scan report for [redacted]

Host is up (0.037s latency).

PORT STATE SERVICE

500/udp open isakmp

System OS Information
OS Name: Microsoft Windows Server 2016 Datacenter

OS Version: 10.0.14393 N/A Build 14393

Answer 1

Hello Rob,

To better evaluate your options, you should perhaps first understand the role of sub-layers in WFP filter arbitration (https://learn.microsoft.com/en-us/windows/win32/fwp/filter-arbitration).

Filters that you create via "firewall rules" use the sub-layer FWPM_SUBLAYER_MPSSVC_WF and these filters will always be "trumped" by the FWPM_SUBLAYER_UNIVERSAL sub-layer rules created as part of the "WFP Built-in IKE Exemption Filter" mechanism.

The "WFP Built-in IKE Exemption Filter" filters are not always present - their presence depends on various factors ((e.g. IPsec) connection security rules, VPN incoming connections, VPN outgoing connection establishment, etc.).

Unless you have a full understanding of the implications and strong need, I would recommend dropping this idea.

Gary

Answer 2

Hi. Thank you for your question and reaching out. I’d be more than happy to help you with your query.

Broadcasting the port using a business rule and effectively using a null IP address could do the trick.

If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.