One of the things that I really miss about Linux-based boxen when I’m working with Windows from time to time is the fact that the built-in Windows firewall capabilities are just downright anemic when compared to the power and flexibility of iptables.
Sure, there’s Windows Firewall, RRAS, Advanced TCP/IP Filtering (which is anything but advanced), and IPSec Policies that come with Windows and allow you to firewall things off. Unfortunately, while Windows Firewall and RRAS (with respect to “Basic Firewall” in Windows Server 2003) do a passable job of an inbound host firewall, there is really just nothing that comes with Windows that is reasonably good at managing a complicated network (e.g. multi-machine) firewall.
RRAS has built-in static packet filtering, but it’s downright ridiculously limited given the fact that it’s something that it is ostensibly oriented towards network administrators (who should, theoretically, know what they’re doing). You essentially have the option of creating either an allow list with a default deny, or a deny list with a default allow, and that’s it. (There’s also not really any support for stateful packet filtering in this mode of RRAS, as is available from Basic Firewall, although you can at least differentiate between established and non-established TCP packets. Barely.)
IPSec Policies are slightly less limited than RRAS static packet filtering, but they’re still nowhere near expressive enough for any sort of non-trivial network firewall configuration. You can at least mix and match allow and deny rules, but the ordering is only based on netmask and, as far as I know, is otherwise not user controllable.
Iptables and ip_conntrack, on the other hand, are highly expressive and allow one to comparatively easily create rules that are either downright impossible or extremely difficult to do (e.g. requiring convoluted use of both RRAS static packet filtering and IPSec Policies) in any managable fashion with the built-in Windows firewall tools. As and added bonus, they also have highly flexible NAT capabilities built-in that easily integrate and cooperate with firewall rules.
Now, it’s not really a matter of there being anything that is technically wrong or deficient with the Windows networking stack that would prevent there being a reasonably high quality firewall, but more that just nobody has gone out and done it and shipped it with the platform. (No, I don’t count the “personal firewall” type things that ship with XYZ AV/”Home Security” product as anywhere in this category. I don’t trust those far enough to not create security holes, much less act competently as a firewall.)
There are a number of various third party firewall packages out there, but I tend to be fairly suspicious of installing third party code on my boxes in general, much less third party kernel level code that is facing the network outside of any firewall or packet filtering. Most of them don’t seem to have anywhere near the sort of capabilities that iptables provides, anyway.
Add iproute2 to the wishlist!
One of the things that is most missing is the ability to choose packet routing on more than just destination IP address. With iproute2 you can route based on source address, and/or any port combination!
You just can’t multihome correctly without decent routing, and connection tracking :-)
I agree. While most 3rd-party packages are suspect, CORE Security has produced an open source port of OpenBSD’s pf to Windows. The CORE guys are generally good programmers and pf is the leading BSD firewall package so I trust this more than most Windows software. As a bonus, it has per-process policy enforcement to prevent a bug in IE from compromising your whole system.
http://force.coresecurity.com/
Perhaps the Sieve project can tide you over until Redmond catches up?
http://www.vmware.com/appliances/directory/245
I’ve meant to play with it for quite some time now.
There is a command-line tool with IPFilter-like syntax for Windows available here : http://sourceforge.net/projects/pktfilter
It relies on Windows packet filter (being only a userspace configuration component), and has been written by J.-B. Marchand (who is well-known for his RPC stuff).
Not a silver bullet, but worth a try …