Re: IPSec Filters and Orders
From: dseaman (dseaman_at_nospam.nospam)
Date: 12/04/04
- Next message: David Thielen: "Re: What happens to file ACLs when a user (the owner) is deleted"
- Previous message: Sektor: "Re: IPSec Filters and Orders"
- In reply to: Sektor: "Re: IPSec Filters and Orders"
- Next in thread: Sektor: "Re: IPSec Filters and Orders"
- Reply: Sektor: "Re: IPSec Filters and Orders"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 4 Dec 2004 11:49:03 -0800
Thanks, that did kind of help. I opened the snap-in and found that the DNS
and RDP rules had less weight than the block rules. How can I give the DNS
and RDP rules more weight? Here's what I think is going on, from your
description:
1. My 'block rules' are pretty specific, listing about 20 subnets that I
want to deny access to (deny any-to-any).
2. My DNS and RDP rules are somewhat more general: any-to-any subnet
allowed, but only certain ports.
To change the weight, I'm thinking I'll need a general 'deny all' rule, and
instead of specifying subnets that I want to block access to, I'll have
allow rules for the subnets I DO want the machine talking to. I think that
would make the DNS and RDP rules more specific, and allow communications.
Sound good?
"Sektor" wrote:
> I'm using IPsec for XP and 2003 server too.
> I understood the IPsec Windows system uses the filter, and so it applies the
> filter action associated, which defines the most restrictive parameters.
> So if you have a filter which defines "any to any-deny" and another filter
> which defines, instead, "10.0.0.5 to any-permit" the second filter is
> applied because a more specific address is defined.
>
> You can see the weight for each filter using the IP Security Monitor
> snap-in, so you can understand which filter is applied when there is a
> conflict between two or more filters.
>
> Hope that helps.
> Bye.
> Sektor
>
> "dseaman" <dseaman@nospam.nospam> wrote in message
> news:06165819-897E-44A4-B911-82C77C485388@microsoft.com...
> > I am trying to configure a set of IPsec filters for XP and 2003 servers
> > that blocks *all* inbound and outbound traffic to a specific set of subnets,
> > except for a few services (DNS and RDP).
> >
> > What I did is alter the 'client response' IPsec rule in group policy as
> > follows:
> >
> > Created a rule called 'block all', which has listed in it sub rules for
> > all of the subnets I want to block access to, with a filter action of block.
> > This works great, and no traffic seems to be passing.
> >
> > I then added two more rules called 'allow DNS' and 'allow RDP'. In there I
> > set the source and destinations to 'any' and 'any' and put ports 53 and
> > 3389 (in and outbound). DNS I have protocols UDP and TCP, and for RDP I only
> > allow TCP. The filter action for these rules is 'permit'.
> >
> > My problem is that the exceptions don't seem to be working. All traffic is
> > blocked, but I can't access RDP or DNS on the other subnets. From what I
> > read, it seemed like Windows would realize I want those exceptions in
> > the rule set, and allow them. But it seems the block all is overriding the
> > allow rules.
> >
> > What am I doing wrong? We have some developer assets that we need to
> > restrict access from certain subnets.
>
>
>
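As an added illustration (not part of the thread), here is how the restructure proposed above could be expressed as a local policy with `netsh ipsec static` on XP SP2 / Server 2003: one any-to-any block filter that is the least specific, port-specific permit filters for DNS and RDP, and address-specific permit filters for the trusted subnets, so every permit outweighs the block under the "most specific filter wins" behaviour described in the reply. The policy name and the 192.0.2.0/24 and 198.51.100.0/24 subnets are constructed placeholders, and a local policy is only a test bed, since an assigned Group Policy IPsec policy overrides it.

```batch
@echo off
rem Added example, not from the thread: deny-all plus more specific permits.
rem Subnets and the policy name below are constructed placeholders.
set P=DevAssetLockdown

netsh ipsec static add policy name="%P%" description="Deny all; permit DNS, RDP and trusted subnets"

rem Filter actions: plain permit/block, no IPsec negotiation
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Block" action=block

rem 1. Least specific filter: this host <-> any address, any protocol -> Block
netsh ipsec static add filterlist name="DenyAll"
netsh ipsec static add filter filterlist="DenyAll" srcaddr=me dstaddr=any protocol=ANY mirrored=yes

rem 2. More specific by protocol/port: outbound DNS (UDP and TCP 53) -> Permit
netsh ipsec static add filterlist name="AllowDNS"
netsh ipsec static add filter filterlist="AllowDNS" srcaddr=me dstaddr=any protocol=UDP srcport=0 dstport=53 mirrored=yes
netsh ipsec static add filter filterlist="AllowDNS" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=53 mirrored=yes

rem    ... and inbound RDP (TCP 3389) to this host -> Permit
netsh ipsec static add filterlist name="AllowRDP"
netsh ipsec static add filter filterlist="AllowRDP" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes

rem 3. More specific by address: trusted subnets (placeholders), any protocol -> Permit
netsh ipsec static add filterlist name="AllowTrustedSubnets"
netsh ipsec static add filter filterlist="AllowTrustedSubnets" srcaddr=me dstaddr=192.0.2.0 dstmask=255.255.255.0 protocol=ANY mirrored=yes
netsh ipsec static add filter filterlist="AllowTrustedSubnets" srcaddr=me dstaddr=198.51.100.0 dstmask=255.255.255.0 protocol=ANY mirrored=yes

rem Rules bind each filter list to its action inside the policy
netsh ipsec static add rule name="Deny all" policy="%P%" filterlist="DenyAll" filteraction="Block"
netsh ipsec static add rule name="Allow DNS" policy="%P%" filterlist="AllowDNS" filteraction="Permit"
netsh ipsec static add rule name="Allow RDP" policy="%P%" filterlist="AllowRDP" filteraction="Permit"
netsh ipsec static add rule name="Allow trusted subnets" policy="%P%" filterlist="AllowTrustedSubnets" filteraction="Permit"

rem Assign the policy, then confirm in IP Security Monitor that the DenyAll
rem filter carries the lowest weight of the four before trusting it.
netsh ipsec static set policy name="%P%" assign=y
```

Check the resulting weights in the IP Security Monitor snap-in before relying on the policy, and keep an out-of-band path to the host in case the deny-all filter is assigned before the RDP permit takes effect.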