OSEC

 
From: Jonathan G. Lampe (jonathan_at_stdnet.com)
Date: Mon Nov 04 2002 - 16:19:52 CST


    IPSec policies do not do port ranges very well, but Microsoft knows that.

    I brought this up a few months ago on this forum in the "Port Ranges in
    IPSec" thread (March 2002). That got me an email from Chris Black, IPSec
    Program Manager at Microsoft. My response to him was this:

    IPSec is often used as a poor-man's personal firewall on Windows
    2000. Administrators can add a new "Filter Action" called "Deny" (just a
    Block) to their IPSec configuration and easily gain the ability to
    allow/deny traffic on the port level. (IPSec policies are often used for
    this rather than the built-in IP Filtering feature because IPSec policies
    are more readily exported and applied to lots of computers at once.)

    A typical policy for an ecommerce server might look like this:
       Permit (Any IP) on (Any Port) to (My IP) on TCP 443 //
    Internet access
       Permit (My IP) on (Any Port) to 10.0.01 on TCP 20035 // Backend
    access
       Deny (Any IP) (All Traffic) to (My IP)
       Deny (My IP) (All Traffic) to (Any IP)

    Ranges of ports would be incredibly useful to specify...
    - Only "high ports" (>1023) i.e. (TCP 20 to TCP 1023-65535) for Active FTP
    - Only "low ports" (<1024)
    - A specific range of "RPC ports" i.e. (TCP 20001-20025)
    - A specific range of "Data ports" for use with passive FTP i.e. (TCP
    3000-3003)
    - "NETBIOS" (135, 137, 138, 139, 445)

    The usual syntax for ranges in the Microsoft world appears to be something
    like "213-215," so that's what I'd probably suggest.

    However, I haven't heard anything back, so can only guess they are mulling
    it over.

    -jgl
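Editor's added example (not part of the post above, nor Microsoft's code): a small Python model of the four-line policy Jonathan describes, to show why it works and what the missing range syntax costs. Windows IPSec filters are not evaluated in list order; the most specific matching filter wins, which is why a narrow Permit on TCP 443 survives next to a catch-all Deny. The model also expands a port range into the per-port filters an administrator would otherwise have to create by hand. The addresses (192.0.2.10 for "My IP", 10.0.0.1 for the backend, taken as the intended reading of "10.0.01") and the tie-break toward "block" are assumptions of this example, not documented IPSec behaviour.

```python
"""Model of the Windows 2000 IPSec "poor-man's firewall" policy from the post.

Added example, not from the original message. Matching rule: the most specific
filter (most non-wildcard fields) that matches a packet decides the action,
independent of list order. A packet that matches no filter is left alone,
which is what IPSec does with unfiltered traffic.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

ANY = None  # wildcard for an address, protocol or port field

# (src_ip, dst_ip, proto, src_port, dst_port)
Packet = Tuple[str, str, str, int, int]

MY_IP = "192.0.2.10"   # assumption: the server's own address (TEST-NET-1)
BACKEND = "10.0.0.1"   # assumption: the backend host written as 10.0.01 in the post


@dataclass(frozen=True)
class Filter:
    src: Optional[str]
    dst: Optional[str]
    proto: Optional[str]
    src_port: Optional[int]
    dst_port: Optional[int]
    action: str          # "permit" or "block" (the post's "Deny" filter action)
    note: str = ""

    def fields(self):
        return (self.src, self.dst, self.proto, self.src_port, self.dst_port)

    def matches(self, pkt: Packet) -> bool:
        return all(f is ANY or f == p for f, p in zip(self.fields(), pkt))

    def specificity(self) -> int:
        # Number of non-wildcard fields; IPSec weights filters the same way,
        # more specific filters take precedence over general ones.
        return sum(f is not ANY for f in self.fields())


def decide(policy: Sequence[Filter], pkt: Packet) -> str:
    """Return "permit" or "block" for pkt under policy."""
    hits = [f for f in policy if f.matches(pkt)]
    if not hits:
        return "permit"  # nothing matched: IPSec does not touch the packet
    # Highest specificity wins; an equal-specificity tie falls to "block"
    # (a conservative choice of this model, not a documented IPSec rule).
    best = max(hits, key=lambda f: (f.specificity(), f.action == "block"))
    return best.action


# The e-commerce server policy from the post, one Filter per line.
POLICY: List[Filter] = [
    Filter(ANY, MY_IP, "TCP", ANY, 443, "permit", "Internet access"),
    Filter(MY_IP, BACKEND, "TCP", ANY, 20035, "permit", "Backend access"),
    Filter(ANY, MY_IP, ANY, ANY, ANY, "block", "Deny all inbound"),
    Filter(MY_IP, ANY, ANY, ANY, ANY, "block", "Deny all outbound"),
]


def expand_port_range(lo: int, hi: int, src: Optional[str], dst: Optional[str],
                      proto: str, action: str, note: str = "") -> List[Filter]:
    """Work around the missing range syntax: one filter per destination port.

    This is what a "high ports" rule (1024-65535) costs without native ranges.
    """
    if not (0 <= lo <= hi <= 65535):
        raise ValueError("port range must satisfy 0 <= lo <= hi <= 65535")
    return [Filter(src, dst, proto, ANY, p, action, note) for p in range(lo, hi + 1)]


if __name__ == "__main__":
    # Constructed sample packets: inbound HTTPS, inbound SSH, outbound to the
    # backend, outbound to an arbitrary host.
    samples = [
        ("203.0.113.5", MY_IP, "TCP", 40000, 443),
        ("203.0.113.5", MY_IP, "TCP", 40000, 22),
        (MY_IP, BACKEND, "TCP", 3000, 20035),
        (MY_IP, "198.51.100.7", "TCP", 3000, 80),
    ]
    for pkt in samples:
        print(pkt, "->", decide(POLICY, pkt))
    high = expand_port_range(1024, 65535, ANY, MY_IP, "TCP", "permit", "high ports")
    print("filters needed for TCP 1024-65535 without range support:", len(high))
```

Reversing the list gives the same decisions, which is the property that makes the "specific Permits plus catch-all Deny" pattern safe to export and apply across many machines. The 64,512 filters returned by expand_port_range for the "high ports" case are the practical reason the range syntax is being asked for.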