Re: ipsec to block ip range

From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 11/22/05


Date: Tue, 22 Nov 2005 11:32:31 -0700

Don't worry, but do it right.
First, you can define an IPsec policy and not assign it.
That means it is not actively in use. You can then assign it and
it immediately becomes effective, and similarly you can unassign
it and its effects halt immediately.
So, if you were to define a policy, make sure it is not assigned,
and then define the desired rules, and finally assign it and test if
you have all desired allowed activity, and if not, unassign it with
only brief trauma.
For your case it sounds like you would want rules that
1. block everything (all protocols from any)
2. allow tcp 80 and 443 from any
3. allow tcp 3389 with your management machines used to TS
4. allow the various required (dns, ntp, smtp, sql) and DCs if
    in a domain threading this for only the intended IPs
5. block all for the rogue IPs, such as the Korean IP range.
as a base starting point.
What I do is define filters in the IPsec policy on webservers
named such as "Apr05 rogues", "May05 rogues" and as I have
bad-guy IPs show up I banish them in one of these, and then
after so long just delete the older filters to let that month's IP
off the hook (I mean "unbanish" them).

"Joe Gass" <joegass@online.nospam> wrote in message
news:egM%23lf47FHA.3232@TK2MSFTNGP12.phx.gbl...
> Hi,
> I have a web server - windows 2003 web edition, running dns, ftp, smtp,
> pop, etc
> Some nice people (from Korea) are bombarding my smtp server, always from
> the same subnet
> I'd like to block them but I don't have any experience with ipsec, I'm
> worrying that if I assign a rule blocking all traffic from this IP range
> everything else will stop working. Especially I don't want to get locked
> out from terminal services.
>
> I'm probably worrying unnecessarily, if someone could guide me through
> setting this up I'd greatly appreciate it.
>
> Many thanks
> Joe
>
>
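The five-rule policy Roger outlines above, written out as an added example (not from the thread) using the `netsh ipsec static` commands that Windows Server 2003 ships with. The policy name, filter-list names and all addresses are assumptions: 198.51.100.10 stands in for the management workstation, 198.51.100.53 for the resolver the server queries, and 203.0.113.0/24 for the rogue subnet; replace them with your own before running anything.

```batch
@echo off
rem Added example, not from the thread. Placeholder addresses (assumptions):
rem   198.51.100.10  = management workstation used for Terminal Services
rem   198.51.100.53  = the DNS server this web server itself queries
rem   203.0.113.0/24 = the rogue subnet to banish (stands in for the Korean range)

rem 1. Create the policy UNASSIGNED, so nothing takes effect while it is built.
netsh ipsec static add policy name="WebServer Lockdown" assign=no

rem Filter actions: one that blocks, one that permits in the clear (no IPsec negotiation).
netsh ipsec static add filteraction name="Block" action=block
netsh ipsec static add filteraction name="Permit" action=permit

rem 2. Catch-all: any protocol, any source, to this host. mirrored=yes also matches replies.
netsh ipsec static add filterlist name="All Traffic"
netsh ipsec static add filter filterlist="All Traffic" srcaddr=any dstaddr=me protocol=any mirrored=yes
netsh ipsec static add rule name="Block All" policy="WebServer Lockdown" filterlist="All Traffic" filteraction="Block"

rem 3. Public web: TCP 80 and 443 from anywhere (srcport=0 means any source port).
netsh ipsec static add filterlist name="Web In"
netsh ipsec static add filter filterlist="Web In" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=80 mirrored=yes
netsh ipsec static add filter filterlist="Web In" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=443 mirrored=yes
netsh ipsec static add rule name="Allow Web" policy="WebServer Lockdown" filterlist="Web In" filteraction="Permit"

rem 4. Terminal Services only from the management machine. Check this address twice
rem    BEFORE assigning: it is the one rule standing between you and a locked-out box.
netsh ipsec static add filterlist name="RDP from Mgmt"
netsh ipsec static add filter filterlist="RDP from Mgmt" srcaddr=198.51.100.10 dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes
netsh ipsec static add rule name="Allow RDP Mgmt" policy="WebServer Lockdown" filterlist="RDP from Mgmt" filteraction="Permit"

rem 5. Services the server needs: SMTP in from anywhere, DNS out to the named resolver only.
rem    Add NTP, SQL, FTP, POP and DC traffic here the same way, each pinned to its intended IPs.
netsh ipsec static add filterlist name="Required Services"
netsh ipsec static add filter filterlist="Required Services" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=25 mirrored=yes
netsh ipsec static add filter filterlist="Required Services" srcaddr=me dstaddr=198.51.100.53 protocol=UDP srcport=0 dstport=53 mirrored=yes
netsh ipsec static add rule name="Allow Required" policy="WebServer Lockdown" filterlist="Required Services" filteraction="Permit"

rem 6. Rogue subnet in a per-month list, as Roger describes, so it can be retired later.
netsh ipsec static add filterlist name="Nov05 rogues"
netsh ipsec static add filter filterlist="Nov05 rogues" srcaddr=203.0.113.0 srcmask=255.255.255.0 dstaddr=me protocol=any mirrored=yes
netsh ipsec static add rule name="Block Nov05 Rogues" policy="WebServer Lockdown" filterlist="Nov05 rogues" filteraction="Block"

rem Review the whole policy while it is still inactive.
netsh ipsec static show policy name="WebServer Lockdown" level=verbose

rem Assign only once the rules above are verified, then test from the management host.
netsh ipsec static set policy name="WebServer Lockdown" assign=yes

rem If anything breaks, unassign and the effects stop immediately:
rem   netsh ipsec static set policy name="WebServer Lockdown" assign=no
rem To let that month's addresses off the hook later, drop the rule, then its list:
rem   netsh ipsec static delete rule name="Block Nov05 Rogues" policy="WebServer Lockdown"
rem   netsh ipsec static delete filterlist name="Nov05 rogues"
```

The order the rules are added in does not decide which one wins: Windows IPsec weights filters by specificity (source and destination address first, then protocol, then ports) and applies the most specific match. That is why the permit rules override the catch-all block, and why the rogue-subnet block, being address-specific, still beats the any-source SMTP permit on port 25. Run the script from a console session on the server itself rather than over Terminal Services, so a mistake in the management address cannot cut off the session that would fix it.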