
ipsec to block ip range

Newsgroup: microsoft.public.windows.server.security
Subject: ipsec to block ip range | Author: Joe Gass | Date: 11-22-2005
Posted by Joe Gass on November 22, 2005, 12:12 pm
Hi,
I have a web server - windows 2003 web edition, running dns, ftp, smtp, pop,
etc
Some nice people (from Korea) are bombarding my smtp server, always from the
same subnet
I'd like to block them, but I don't have any experience with ipsec. I'm
worried that if I assign a rule blocking all traffic from this IP range
everything else will stop working. Especially I don't want to get locked
out from terminal services.

I'm probably worrying unnecessarily; if someone could guide me through
setting this up I'd greatly appreciate it.

Many thanks
Joe



Posted by Roger Abell [MVP] on November 22, 2005, 1:32 pm
Don't worry, but do it right.
First, you can define an IPsec policy and not assign it.
That means it is not actively in use. You can then assign it and
it immediately becomes effective, and similarly you can unassign
it and its effects halt immediately.
So, if you were to define a policy, make sure it is not assigned,
and then define the desired rules, and finally assign it and test if
you have all desired allowed activity, and if not, unassign it with
only brief trauma.
For your case it sounds like you would want rules that
1. block everything (all protocols from any)
2. allow tcp 80 and 443 from any
3. allow tcp 3389 with your management machines used to TS
4. allow the various required (dns, ntp, smtp, sql) and DCs if
in a domain threading this for only the intended IPs
5. block all for the rogue IPs, such as the Korean IP range.
as a base starting point.
What I do is define filters in the IPsec policy on webservers
named such as "Apr05 rogues", "May05 rogues" and as I have
bad-guy IPs show up I banish them in one of these, and then
after so long just delete the older filters to let that month's IP
off the hook (I mean "unbanish" them).

> Hi,
> I have a web server - windows 2003 web edition, running dns, ftp, smtp,
> pop, etc
> Some nice people (from Korea) are bombarding my smtp server, always from
> the same subnet
> I'd like to block them but I don't have any experience with ipsec, I'm
> worrying that if I assign a rule blocking all traffic from this IP range
> everything else will stop working. Especially I don't want to get locked
> out from terminal services.
>
> I'm probably worrying unnecessarily, if someone could guide me through
> setting this up I'd greatly appreciate it.
>
> Many thanks
> Joe
>
>



Posted by google on November 22, 2005, 1:43 pm
Thanks for the advice.
If I only define 1 rule: block IPs from the rogue range - will
everything else continue as it was before, i.e. everything enabled?
I can see the sense in locking everything down and then opening up
everything that's required, but I don't think I'm brave enough to do
that yet :)

Cheers


Roger Abell [MVP] wrote:

> Don't worry, but do it right.
> First, you can define an IPsec policy and not assign it.
> That means it is not actively in use. You can then assign it and
> it immediately becomes effective, and similarly you can unassign
> it and its effects halt immediately.
> So, if you were to define a policy, make sure it is not assigned,
> and then define the desired rules, and finally assign it and test if
> you have all desired allowed activity, and if not, unassign it with
> only brief trauma.
> For your case it sounds like you would want rules that
> 1. block everything (all protocols from any)
> 2. allow tcp 80 and 443 from any
> 3. allow tcp 3389 with your management machines used to TS
> 4. allow the various required (dns, ntp, smtp, sql) and DCs if
> in a domain threading this for only the intended IPs
> 5. block all for the rogue IPs, such as the Korean IP range.
> as a base starting point.
> What I do is define filters in the IPsec policy on webservers
> named such as "Apr05 rogues", "May05 rogues" and as I have
> bad-guy IPs show up I banish them in one of these, and then
> after so long just delete the older filters to let that month's IP
> off the hook (I mean "unbanish" them).
>
> > Hi,
> > I have a web server - windows 2003 web edition, running dns, ftp, smtp,
> > pop, etc
> > Some nice people (from Korea) are bombarding my smtp server, always from
> > the same subnet
> > I'd like to block them but I don't have any experience with ipsec, I'm
> > worrying that if I assign a rule blocking all traffic from this IP range
> > everything else will stop working. Especially I don't want to get locked
> > out from terminal services.
> >
> > I'm probably worrying unnecessarily, if someone could guide me through
> > setting this up I'd greatly appreciate it.
> >
> > Many thanks
> > Joe
> >
> >


Posted by google on November 22, 2005, 1:57 pm
If I'm OK to set up 1 rule, then is this the correct way to do it?

Create IP security policy
Name it "Block Koreans"
Keep the checkbox "activate the default response rule" checked
Kerberos - say yes to prompt

This gives me a window of IP security rules, with 1 rule "<Dynamic>"

Here I add a new rule
Select no tunnel
Select all network
Add a filter list, name it "Korean Spammer"
Leave "Mirrored" checkbox on
Traffic source - add the subnet in
Destination: My IP
Protocol: any
Select newly created filter
Create a new filter action - to deny/block
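
The same policy, built from the command line instead of the MMC snap-in, as an added example that is not from any poster in this thread. It covers both Roger's base rule set (block all, permit 80/443 from any, permit 3389 only from a management host, block the rogue subnet) and the single "Korean Spammer" block rule described in the steps above, using the netsh ipsec static context that ships with Windows Server 2003. The addresses are placeholders from the RFC 5737 documentation ranges (the thread never names the real subnet); the policy and filter names are my own; parameter names follow the Windows Server 2003 netsh ipsec static reference, so check netsh ipsec static add filter /? on your build if anything is rejected. Two points worth knowing before assigning it: Windows IPsec selects the most specific matching filter rather than the first rule, which is why a narrow permit (TCP 3389 from one host) overrides a broad "all from any" block; and permit/block filter actions never negotiate IKE, so the Kerberos prompt from the wizard does not affect these rules.

```batch
@echo off
rem Added example, not code from the thread. Builds an UNASSIGNED IPsec policy
rem (as Roger advises), so nothing takes effect until the final assign=y line.
rem Placeholder addresses: replace with the real rogue subnet and management host.

set POLICY=WebServer Lockdown
set ROGUE_NET=203.0.113.0
set ROGUE_MASK=255.255.255.0
set MGMT_HOST=192.0.2.10

rem --- Filter actions: plain permit and block, no IKE negotiation ---------------
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Block" action=block

rem --- Policy, explicitly left unassigned; no default response rule needed -------
netsh ipsec static add policy name="%POLICY%" description="Block rogue subnet, allow web and TS" activatedefaultrule=no assign=no

rem --- Rule A: block the rogue subnet, any protocol, to this host.
rem     "Me" = this machine's addresses; mirrored=yes also covers the reply direction.
rem     This is the one rule the original poster ended up adding to his policy.
netsh ipsec static add filterlist name="Korean Spammer"
netsh ipsec static add filter filterlist="Korean Spammer" srcaddr=%ROGUE_NET% srcmask=%ROGUE_MASK% dstaddr=Me protocol=ANY mirrored=yes description="rogue smtp source"
netsh ipsec static add rule name="Block rogues" policy="%POLICY%" filterlist="Korean Spammer" filteraction="Block"

rem --- Rule B: permit HTTP and HTTPS from anywhere ------------------------------
netsh ipsec static add filterlist name="Web from any"
netsh ipsec static add filter filterlist="Web from any" srcaddr=Any dstaddr=Me protocol=TCP dstport=80 mirrored=yes
netsh ipsec static add filter filterlist="Web from any" srcaddr=Any dstaddr=Me protocol=TCP dstport=443 mirrored=yes
netsh ipsec static add rule name="Allow web" policy="%POLICY%" filterlist="Web from any" filteraction="Permit"

rem --- Rule C: permit Terminal Services (TCP 3389) only from the management host --
rem     Add one filter per management machine so you cannot lock yourself out.
netsh ipsec static add filterlist name="TS from management"
netsh ipsec static add filter filterlist="TS from management" srcaddr=%MGMT_HOST% dstaddr=Me protocol=TCP dstport=3389 mirrored=yes
netsh ipsec static add rule name="Allow TS" policy="%POLICY%" filterlist="TS from management" filteraction="Permit"

rem --- Rule D: Roger's catch-all block. The narrower permits above still win,
rem     because the most specific matching filter is the one applied.
rem     Add similar permit lists for DNS, NTP, SMTP, SQL and DC traffic before
rem     assigning, or those services stop when this rule goes live.
netsh ipsec static add filterlist name="All traffic"
netsh ipsec static add filter filterlist="All traffic" srcaddr=Any dstaddr=Me protocol=ANY mirrored=yes
netsh ipsec static add rule name="Block all" policy="%POLICY%" filterlist="All traffic" filteraction="Block"

rem --- Review what was built, then assign it. Keep a console session open:
rem     if something you need stops, the rollback line below takes effect at once.
netsh ipsec static show policy name="%POLICY%" level=verbose
netsh ipsec static set policy name="%POLICY%" assign=y

rem Rollback (run from a session that is still connected):
rem   netsh ipsec static set policy name="%POLICY%" assign=n
```

Test the assigned policy from the management host first (TS still answers), then from an address outside the permitted set, and only then leave it in place. Roger's monthly "rogues" filter lists map directly onto additional filterlist/rule pairs here; deleting a filter list with netsh ipsec static delete filterlist name="..." after removing its rule is the "unbanish" step he describes.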


Posted by google on November 22, 2005, 4:09 pm
Phew!
Wasn't too bad after all.
I simply added the new rule to the currently activated security policy
which was already very well locked down.

Thanks for your help, much appreciated

