BUG: Win NT TCP/IP Security filters does not get enforced

[stnor () SWEDEN HP COM (Stefan Norberg)]

Regardless of settings in the TCP/IP Security filters any IP protocol is
accepted.

TCP/IP security configuration example:

Permit all TCP ports, Permit all UDP ports, Permit only IP protocols: 6

The easiest way to prove it's broken is to configure it to only allow
IP-protocol 6 (TCP) and then ping (ICMP) the host. ICMP being IP protocol 1
of course.

Another simple way to test this is to use Weld Pond's NT-port of Hobbit's
netcat  (http://www.l0pht.com/~weld/netcat/ ) to set up a udp-listener on a
host that is supposed to block udp. Then use netcat on another host to send
it a nice message.

CLIENT:
C:\>nc -u server 5000
tcp/ip security is broken :)

SERVER:
C:\>nc -u -l -p 5000
tcp/ip security is broken :)

windump: listening on \Device\Packet_El90x1
18:49:06.731069 CLIENT.3533 > SERVER.5000: udp 29

Seems pretty broken to us...

Tested on NT4.0 SP5 (both w. no hotfixes and all hotfixes)

Regards,

Stefan Norberg (stnor () sweden hp com , http://people.hp.se/stnor)
Daryl Banttari (daryl () windsorcs com)