Blocking IP Address from command line


Amy L.

Is there a way to block IP addresses on Windows 2000/2003 from the
command prompt or programmatically? I looked at using the IPSec policy, but
it appears from the examples I have seen that it can be used to block ports; I
didn't see any examples for blocking single or groups of IP addresses.

Essentially, I want to block bad IP addresses on a server programmatically
based on conditions I define. Can the IPSec command line tool do this, or
any other tool available on a Windows platform? Any thoughts?

Thanks
Amy.
 
Amy L. said:
Is there a way to block IP addresses on Windows 2000/2003 from the
command prompt or programmatically? I looked at using the IPSec policy, but
it appears from the examples I have seen that it can be used to block ports; I
didn't see any examples for blocking single or groups of IP addresses.

Yes, and the answer is to use IPSec -- ports can be wildcarded.

Amy L. said:
Essentially, I want to block bad IP addresses on a server programmatically
based on conditions I define. Can the IPSec command line tool do this, or
any other tool available on a Windows platform? Any thoughts?

Yes. IPSecCMD (XP) and IPSecPol (2K) can do it.

Also NetSh (Win2003 server). It's tedious to set up
and probably isn't suitable for (real time) dynamic
use if you are trying to build a responsive, dynamic
IDS or some such.
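As an added example (not from the thread), here is what the Win2003 NetSh approach mentioned above looks like as a batch script: it builds a static IPsec policy that drops all traffic from one source address and then assigns it. The policy, filter list, action and rule names and the 192.0.2.77 address are placeholders.

```batch
@echo off
REM Added example, not from the thread: block one source IP with a static IPsec
REM policy on Windows Server 2003 using netsh. Names and 192.0.2.77 are placeholders.
REM Check BADIP is not your own management address before assigning the policy.
setlocal
set BADIP=192.0.2.77
set POL=BlockList
set FL=BlockList-Filters
set FA=BlockAction

REM 1. Create the policy unassigned, so it can be built up before it takes effect
netsh ipsec static add policy name=%POL% description="Block listed source addresses" assign=no

REM 2. Filter list with one filter: any protocol from BADIP to this host ("me").
REM    mirrored=yes also matches the reverse direction, so replies are covered.
netsh ipsec static add filterlist name=%FL%
netsh ipsec static add filter filterlist=%FL% srcaddr=%BADIP% dstaddr=me protocol=any mirrored=yes description="blocked %BADIP%"

REM 3. Filter action: block means the packet is dropped, no IPsec negotiation
netsh ipsec static add filteraction name=%FA% action=block

REM 4. Rule tying the filter list and action into the policy
netsh ipsec static add rule name=BlockRule policy=%POL% filterlist=%FL% filteraction=%FA%

REM 5. Assign the policy. Only one local IPsec policy can be assigned at a time,
REM    so further addresses go into the same filter list rather than a new policy.
netsh ipsec static set policy name=%POL% assign=y

REM Later additions reuse the list, e.g. (second placeholder address):
REM netsh ipsec static add filter filterlist=%FL% srcaddr=198.51.100.9 dstaddr=me protocol=any mirrored=yes

REM Show what is now applied
netsh ipsec static show policy name=%POL%
netsh ipsec static show filterlist name=%FL%
endlocal
```

Each added filter makes the policy reprocess, which is the CPU cost described later in the thread, so batch additions rather than adding one address per event.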
 
Do you know of any scalability issues with the IPSec policy? I am wondering
if there is a limit, either a hardcoded limit or a performance limitation, on
blocking too many IP addresses?

Amy.
 
Amy L. said:
Do you know of any scalability issues with the IPSec policy? I am wondering
if there is a limit, either a hardcoded limit or a performance limitation, on
blocking too many IP addresses?

My filter-rule set is about 700-800 commands.

It was double that at one point.

It can tie up the machine's CPU for a few minutes when it
processes, but I think they may have improved on that
in one of the service packs of fixes, because I can't
recall seeing it lately (on Win2000 server).
 