Set up IPsec...


Michael A. Covington

Is it easy to set up IPsec to restrict the set of IP addresses from which my
server will accept connections on *one* port, while leaving all the other
ports unaffected?

--

Michael A. Covington - Artificial Intelligence Ctr - University of Georgia

"In the core C# language it is simply not possible to have an uninitialized
variable, a 'dangling' pointer, or an expression that indexes an array
beyond its bounds. Whole categories of bugs that routinely plague C and C++
programs are thus eliminated." - A. Hejlsberg, The C# Programming Language
 
Yes. Set up a mirrored rule that first blocks all inbound traffic on just the
specified port. Then add another mirrored rule to the policy that permits inbound
traffic on the specified port from just the IP addresses you specify. The filter
rules are such that you can add a host name, subnet, or individual IP address. If you
have a list of IP addresses, you will have to create an entry in the filter list for
each IP address. See the links below for an example of setting up IPsec
filtering. --- Steve

http://www.securityfocus.com/infocus/1559
http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
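As an added worked example (not from the thread or the linked articles), here is the same two-rule policy built from the command line with `netsh ipsec static`, which exists on Windows XP SP2 / Server 2003 and later; Windows 2000 used the Resource Kit's ipsecpol.exe instead, with a different syntax, so this is an assumption about the platform. The port (3389) and the permitted addresses are constructed placeholders. The point worth knowing beyond the GUI steps: Windows IPsec applies the most specific matching filter, so the permit filters (specific source address) override the block filter (any source) regardless of the order in which the rules were added.

```powershell
# Added example, not code from the thread. Assumes "netsh ipsec static" is
# available (XP SP2 / Server 2003 or later) and an elevated prompt.
# Constructed values: the port and the allowed hosts are placeholders.

$Port    = 3389                              # the one port to restrict
$Allowed = @('192.0.2.10', '192.0.2.11')     # hosts allowed to reach $Port (constructed)
$Policy  = 'Restrict-Port'

# 1. Policy container that will hold both rules.
netsh ipsec static add policy name=$Policy

# 2. Filter actions: plain block and plain permit (no IKE negotiation involved).
netsh ipsec static add filteraction name=BlockAction  action=block
netsh ipsec static add filteraction name=PermitAction action=permit

# 3. Block filter list: any source -> this host on $Port, mirrored so the
#    reply direction is matched as well.
netsh ipsec static add filterlist name="Block-$Port"
netsh ipsec static add filter filterlist="Block-$Port" srcaddr=any dstaddr=me `
    protocol=TCP srcport=0 dstport=$Port mirrored=yes

# 4. Permit filter list: one filter per allowed address, as the reply above notes.
#    A subnet could be expressed with srcaddr=<network> srcmask=<mask> instead.
netsh ipsec static add filterlist name="Permit-$Port"
foreach ($ip in $Allowed) {
    netsh ipsec static add filter filterlist="Permit-$Port" srcaddr=$ip srcmask=255.255.255.255 `
        dstaddr=me protocol=TCP srcport=0 dstport=$Port mirrored=yes
}

# 5. Rules. The permit filters are more specific (single source address) than the
#    block filter (any source), so they win; rule order is irrelevant. The optional
#    conntype=lan|dialup|all parameter is the "apply only to LAN / remote access"
#    setting; it is left at the default (all) here.
netsh ipsec static add rule name="Block-$Port"  policy=$Policy filterlist="Block-$Port"  filteraction=BlockAction
netsh ipsec static add rule name="Permit-$Port" policy=$Policy filterlist="Permit-$Port" filteraction=PermitAction

# 6. Assign the policy. Only one local IPsec policy can be assigned at a time,
#    so this replaces any policy currently assigned on the machine.
netsh ipsec static set policy name=$Policy assign=y

# 7. Check what is actually in force before trusting it.
netsh ipsec static show policy name=$Policy level=verbose
```

Test from an address that is not in the list (the connection should be dropped, not refused, since IPsec block discards packets silently) and from one that is, and keep a second way into the box open while doing so, because a mistake in the block filter applies immediately on assignment.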
 
Steven L Umbach said:
Yes. Set up a mirrored rule that first blocks all inbound traffic on just the
specified port. Then add another mirrored rule to the policy that permits inbound
traffic on the specified port from just the IP addresses you specify. The filter
rules are such that you can add a host name, subnet, or individual IP address. If you
have a list of IP addresses, you will have to create an entry in the filter list for
each IP address. See the links below for an example of setting up IPsec
filtering. --- Steve

http://www.securityfocus.com/infocus/1559
http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp

Many thanks.

Now another question.

I see that I can define a filter to apply only to outside connections (vs.
LAN connections).

For this purpose, does a VPN connection count as LAN or as outside?

It would be handy if it counted as LAN. I'll experiment tomorrow and find
out...


Thanks,
Michael

(Is N9ROU your ham radio call sign? I'm N4TMI.)
 
I am not sure, as I have never tried it other than "apply to all". My understanding is that if
you have it configured on an RRAS server, then it could filter just LAN and/or all
traffic including remote access [remote access can also have its own filters,
including in Remote Access Policy/edit profile/IP]. If configured on a computer that
is not an RRAS server then I don't think it matters, as any traffic that matches the
IPsec filter will be processed according to the policy, as the non-RRAS server would
have no way of knowing if that traffic originated from the LAN or came in via VPN.

Nice to meet you Michael. My current callsign is KK9ZZ. My main computer [that I am
on now] is in my den with my ham gear. I am listening to 40 meter QSOs on my sweet
tube Drake R-4B receiver and for activity on 2M SSB on my Kenwood TS 2000 as I
type. --- Steve
 
Steven L Umbach said:
I am not sure, as I have never tried it other than "apply to all". My understanding is that if
you have it configured on an RRAS server, then it could filter just LAN and/or all
traffic including remote access [remote access can also have its own filters,
including in Remote Access Policy/edit profile/IP]. If configured on a computer that
is not an RRAS server then I don't think it matters, as any traffic that matches the
IPsec filter will be processed according to the policy, as the non-RRAS server would
have no way of knowing if that traffic originated from the LAN or came in
via VPN.

Actually my server seems to be unable to distinguish LAN from "outside"
connections at all, so instead I'm filtering by specific IP addresses.
Nice to meet you Michael. My current callsign is KK9ZZ. My main computer [that I am
on now] is in my den with my ham gear. I am listening to 40 meter QSOs on my sweet
tube Drake R-4B receiver and for activity on 2M SSB on my Kenwood TS 2000 as I
type. --- Steve

Ah, a purist like me :) I don't get on the air much but at one time was
doing a fair bit of QRP CW with an HW-8. Packet radio left me cold -- too
much like my day job!

VY 73
N4TMI
 