Block Inbound Connections to Port 500 UDP

Rob Shelton 0 Reputation points
2023-01-24T17:05:45.6733333+00:00

I am trying to block inbound UDP connections to port 500. I have the following firewall rule enabled for all network interfaces, but port 500 is still open. The IKE and AuthIP IPsec Keying Modules service is running (Automatic (Delayed Start)).

Rule Name: @BlockAllInbound - UDP Port 500
Enabled: Yes
Direction: In
Profiles: Domain,Private,Public
Grouping:
LocalIP: Any
RemoteIP: Any
Protocol: UDP
LocalPort: 500
RemotePort: Any
Edge traversal: No
Action: Block

sudo nmap [redacted] -p 500 -sU

Starting Nmap 6.40 ( http://nmap.org ) at 2023-01-24 11:03 CST
Nmap scan report for [redacted]
Host is up (0.037s latency).
PORT     STATE SERVICE
500/udp  open  isakmp

System OS Information
OS Name: Microsoft Windows Server 2016 Datacenter
OS Version: 10.0.14393 N/A Build 14393


2 answers

  1. Gary Nebbett 5,631 Reputation points
    2023-01-24T18:45:59.33+00:00

    Hello Rob,

    To better evaluate your options, you should perhaps first understand the role of sub-layers in WFP filter arbitration (https://learn.microsoft.com/en-us/windows/win32/fwp/filter-arbitration).

    Filters that you create via "firewall rules" use the sub-layer FWPM_SUBLAYER_MPSSVC_WF and these filters will always be "trumped" by the FWPM_SUBLAYER_UNIVERSAL sub-layer rules created as part of the "WFP Built-in IKE Exemption Filter" mechanism.

    The "WFP Built-in IKE Exemption Filter" filters are not always present - their presence depends on various factors (e.g. IPsec connection security rules, VPN incoming connections, VPN outgoing connection establishment, etc.).

    Unless you have a full understanding of the implications and strong need, I would recommend dropping this idea.

    Gary

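A way to check the sub-layer point above on the affected server, as an added example that is not part of Gary's answer or the original question: dump the live WFP filter set with `netsh wfp show filters` and list every filter that conditions on local port 500, with the sub-layer it sits in. The XML element names (filters/item, filterCondition, subLayerKey, effectiveWeight) are assumed from the format netsh emits; compare against your own dump if a column comes back empty. Run from an elevated PowerShell prompt.

```powershell
# Added example (not from the question or answers): enumerate WFP filters that
# match local port 500 and show which sub-layer each belongs to, so a permit
# filter in FWPM_SUBLAYER_UNIVERSAL (the IKE exemption filters) can be seen
# overriding a block rule in FWPM_SUBLAYER_MPSSVC_WF (Windows Firewall rules).
# Element names below are assumed from netsh's XML output format.
$dump = Join-Path $env:TEMP 'wfp-filters.xml'
netsh wfp show filters file=$dump | Out-Null
[xml]$xml = Get-Content -Path $dump -Raw

$hits = foreach ($f in $xml.filters.item) {
    $conds = @($f.filterCondition.item)
    $port  = $conds | Where-Object { $_.fieldKey -eq 'FWPM_CONDITION_IP_LOCAL_PORT' }
    $proto = $conds | Where-Object { $_.fieldKey -eq 'FWPM_CONDITION_IP_PROTOCOL' }
    # UDP is IP protocol 17; a filter with no protocol condition matches any protocol.
    $udpOrAny = (-not $proto) -or ($proto.conditionValue.uint8 -contains '17')
    if ($port -and ($port.conditionValue.uint16 -contains '500') -and $udpOrAny) {
        [pscustomobject]@{
            Name     = $f.displayData.name
            Layer    = $f.layerKey
            SubLayer = $f.subLayerKey
            Action   = $f.action.type
            Weight   = $f.effectiveWeight.uint64
        }
    }
}

# Sub-layers are arbitrated in order of sub-layer weight, so a permit in
# FWPM_SUBLAYER_UNIVERSAL decides the packet before the MPSSVC_WF block is consulted.
$hits | Sort-Object SubLayer, Layer | Format-Table -AutoSize
```

If the listing shows FWP_ACTION_PERMIT entries for port 500 under FWPM_SUBLAYER_UNIVERSAL, that is the exemption mechanism Gary describes, and the firewall rule cannot win against it regardless of its own weight.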

  2. Limitless Technology 43,986 Reputation points
    2023-01-25T19:07:02.0366667+00:00

    Hi. Thank you for your question and reaching out. I’d be more than happy to help you with your query.

    Broadcasting the port using a business rule and effectively using a null IP address could do the trick.

    If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.
