Calvin Lai
Hi all,
At the beginning I thought I could implement a firewall using IPSec provided
w/ Win2k Server. However, I have at least one scenario that can't be
implemented using IPSec that could be achieved thru firewall software.
Here is the problem:
I want to block all inbound IP requests on every port except 80 and perhaps
21. On the other hand, I want my local network to access the internet freely. As
a result, a very naive approach would be to set up:
a. Create an IP filter to filter all TCP from ANY IP to MY IP, NO mirror,
and set this to Block
b. Create an IP filter to filter all TCP from ANY IP to MY IP, NO mirror,
port 80/21, and set this to Permit
However, this leads to a very serious problem. Whenever a client within my
network tries to fetch anything from outside, e.g. a web page, its IP
request can pass thru the policy (since there is no restriction on
outbound). But when the data comes back to the server, it is blocked
because of the first rule.
I couldn't think of any way this could be fixed using IPSec. Does anyone
know if this is one of the constraints of using IPSec as a "firewall"? Thanks
for all inputs here.
Calvin
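The behaviour Calvin describes is the classic difference between a stateless packet filter (which is what the Win2k IPSec filter list is: each packet is judged on its own header fields, with no memory of earlier packets) and a stateful firewall that keeps a connection table. The following is an added simulation, not code from the original post, and the addresses and ports in it are constructed for the example. It models the two filters from the post as a stateless function, then the same policy plus a connection table, and shows that only the stateful version lets the reply to an outbound web request back in while still dropping unsolicited inbound connections. For simplicity it treats the server itself as the host opening the outbound connection.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed example addresses (RFC 5737 documentation ranges), not from the post.
MY_IP = "203.0.113.10"
REMOTE_WEB = "198.51.100.5"
ALLOWED_INBOUND_PORTS = {80, 21}   # the services the post wants published


@dataclass(frozen=True)
class Packet:
    """Just the TCP/IP header fields a packet filter looks at."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def stateless_verdict(pkt: Packet) -> str:
    """Model of the two IPSec filters from the post.

    Rule a: all TCP from ANY IP to MY IP            -> Block
    Rule b: TCP from ANY IP to MY IP, dst port 80/21 -> Permit
            (the more specific filter wins)
    Nothing restricts outbound traffic.
    """
    if pkt.dst_ip != MY_IP:
        return "permit"                       # outbound: unrestricted
    if pkt.dst_port in ALLOWED_INBOUND_PORTS:
        return "permit"                       # rule b
    return "block"                            # rule a


class StatefulFilter:
    """Same policy, plus a table of flows this host has opened."""

    def __init__(self) -> None:
        # entries are (local_ip, local_port, remote_ip, remote_port)
        self.flows = set()

    def verdict(self, pkt: Packet) -> str:
        if pkt.src_ip == MY_IP:               # outbound: remember the flow
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "permit"
        if pkt.dst_port in ALLOWED_INBOUND_PORTS:
            return "permit"                   # published service
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.flows:
            return "permit"                   # reply to a flow we initiated
        return "block"                        # unsolicited inbound


def run_scenario() -> dict[str, tuple[str, str]]:
    """Return (stateless, stateful) verdicts for three constructed packets."""
    outbound = Packet(MY_IP, 49152, REMOTE_WEB, 80)        # our web request
    reply = Packet(REMOTE_WEB, 80, MY_IP, 49152)            # the answer to it
    unsolicited = Packet("192.0.2.77", 40000, MY_IP, 23)    # nobody asked for this

    sf = StatefulFilter()
    results = {}
    for name, pkt in (("outbound_request", outbound),
                      ("reply_to_request", reply),
                      ("unsolicited_inbound", unsolicited)):
        results[name] = (stateless_verdict(pkt), sf.verdict(pkt))
    return results


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:20s} stateless={stateless:7s} stateful={stateful}")
```

The reply packet arrives with destination port 49152, which matches neither the port 80/21 permit filter nor anything else but the catch-all block, so the stateless policy drops it exactly as the post observes. The stateful filter permits it only because it recorded the matching outbound flow first; the probe to port 23 is still blocked by both. A filter that cannot remember the outbound SYN has no way to tell that reply apart from an unsolicited packet to a high port, which is why this policy cannot be expressed with per-packet IPSec filters alone.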