IP Security Policy was: Re: Simple software firewalls for Windows 2000 Server
From: Michael A. Covington (look_at_www.covingtoninnovations.com.for.address)
Date: Mon, 21 Jun 2004 19:12:14 -0400
> > Use the built-in IPSec filter functionality. See
> > and
> I know about IPSec and am using it. It's monstrously complicated and does
> not keep a log.
Speaking of IP Security Policy,
I've had no trouble doing relatively simple things, but when attempting more
elaborate setups, I fear I get mixed up trying to determine which rule
pre-empts which. The more specific rule is supposed to win -- right? What
are the exact criteria of specificity?
(There's a theorem in formal logic that if you have an axiom that "the more
specific rule wins," there will be situations in which your axiom cannot
tell you which of two conflicting rules will win. I'm not kidding. It's
called a "Tweety triangle.")
Also, exactly what does the "Mirrored" checkbox do? Any truth to the rumor
that it does not work as advertised?
What I *like* about IP Security Policy is that very specific rules can be
set. For instance, I have a machine that accepts TCP 3389 (Remote Desktop)
only from the static IP address of my home DSL line.