re: Lose Outbound Web Access - Network


Thread: re: Lose Outbound Web Access

  1. re: Lose Outbound Web Access

    Yes, you are correct. IPsec is not a stateful firewall, it is only able to match packets against its filters and block, permit, or secure them.

    As far as your ports problem - Make sure you have the inbound/outbound mapping correct in your filters. Are you setting a "Block All" type filter at all? A sample of your IPSecPol usage would help.

    -Mark Swift
    Windows Networking Test Lead for IPsec

    Got IPsec Questions? Visit the IPsec FAQ:
    http://www.microsoft.com/windowsserv.../ipsecfaq.mspx
    Not in the FAQ? Tell me.

    -----Original Message-----
    From: Charlie@discussions.microsoft.com
    Posted At: Wednesday, August 03, 2005 6:42 PM
    Posted To: microsoft.public.windows.networking.ipsec
    Conversation: Lose Outbound Web Access
    Subject: Lose Outbound Web Access


    I work for an organization that uses a "firewall" that blocks only ports
    below 1024. In order to feel safe about using services such as RDP, I have
    to come up with my own security solutions. I have a Win2K, SP4 file server
    on which I have created some batch files using IPSecPol. I've successfully
    limited the port for RDP (3389) so that it's accessible only from our network
    by using this method.

    There are a few apps using some other high ports (8000, 8081, 8082). When I
    tried to do the same for those ports by using the same batch file and simply
    replacing 3389 with ANY of the above ports, I lose outbound Web access to
    anything outside of our network. It's as though the client needs those ports
    for the return packets when it sends anything to port 80. Does this make any
    sense?

    By the way, as far as I can tell there is no way to use IPSec to block only
    unsolicited incoming packets. It seems to be all or nothing, at least for
    this aspect of it. Am I correct?

    Thanks.

  2. re: Lose Outbound Web Access

    Thanks for the response. I have been checking back but didn't notice it
    until today.

    Here is a copy of the batch file that configures the policy using ipsecpol:

    ipsecpol -w REG -p "xxxx IPSec Policy" -r "Limit RDP" -f 136.167.*=0:3389:TCP -n PASS
    ipsecpol -w REG -p "xxxx IPSec Policy" -r "Block RDP" -f *=0:3389:TCP -n BLOCK
    ipsecpol -w REG -p "xxxx IPSec Policy" -r "Limit 8000" -f 136.167.*=0:8000:TCP -n PASS
    ipsecpol -w REG -p "xxxx IPSec Policy" -r "Block 8000" -f *=0:8000:TCP -n BLOCK
    ipsecpol -w REG -p "xxxx IPSec Policy" -r "Limit ePO" -f 136.167.*=0:8081:TCP -n PASS
    ipsecpol -w REG -p "xxxx IPSec Policy" -r "Block ePO" -f *=0:8081:TCP -n BLOCK
    rem Replace xxxx with server name. This is only for the purpose of identifying the policy.

    This has worked well to allow me to access port 3389 from anywhere on the
    136.167.0.0/16 network, but not from anywhere else.
    I'm just not sure why restricting ports 8000 and 8081 in the same way would
    cause problems when I make a connection to port 80 on a server outside the
    network. It's as if the remote server needs to return packets to 8000 and/or
    8081 on my server.

    Thanks.



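As an added illustration of Mark's point that IPsec judges every packet on its own against its filters (stateless matching, so the inbound/outbound direction of each filter matters), this Python model, which is not code from the thread, parses the ipsecpol filterspecs from the batch file above and decides what happens to sample packets, including the reply to an outbound HTTP request. The server address, the sample packets and the specificity weighting that stands in for Windows IPsec's most-specific-filter-wins ordering are constructed assumptions; a `+` in place of `=` is treated as ipsecpol's mirrored (two-way) filter form.

```python
import ipaddress
from collections import namedtuple

ME = "136.167.10.5"   # constructed: the Win2K server's own address ("0" in ipsecpol syntax)
# sport/dport of 0 mean "any port", as in ipsecpol; proto "*" means any protocol
Filter = namedtuple("Filter", "name src sport dst dport proto action")

def to_net(addr):
    # Address forms used in the batch file: "0" = me, "*" = any, "136.167.*" = wildcard octets
    if addr == "0":
        return ipaddress.ip_network(ME)
    octets = ["*"] * 4 if addr == "*" else addr.split(".")
    n = octets.index("*") if "*" in octets else 4
    return ipaddress.ip_network(".".join(octets[:n] + ["0"] * (4 - n)) + f"/{8 * n}")

def parse_filter(name, spec, action):
    # "SRC[:port]=DST[:port][:proto]" is one-way (SRC to DST); "+" instead of "=" mirrors it
    mirrored = "+" in spec
    left, right = spec.split("+" if mirrored else "=")
    l, r = left.split(":"), right.split(":")
    sport = int(l[1]) if len(l) > 1 else 0
    dport = int(r[1]) if len(r) > 1 else 0
    proto = r[2].upper() if len(r) > 2 else "*"
    fs = [Filter(name, to_net(l[0]), sport, to_net(r[0]), dport, proto, action)]
    if mirrored:
        fs.append(Filter(name + " (mirror)", to_net(r[0]), dport, to_net(l[0]), sport, proto, action))
    return fs

def decide(filters, src_ip, sport, dst_ip, dport, proto):
    # Stateless: only this packet's header is consulted; the most specific matching filter wins
    best, best_w = None, -1
    for f in filters:
        if (ipaddress.ip_address(src_ip) in f.src and ipaddress.ip_address(dst_ip) in f.dst
                and f.sport in (0, sport) and f.dport in (0, dport) and f.proto in ("*", proto)):
            w = f.src.prefixlen + f.dst.prefixlen + (f.sport > 0) + (f.dport > 0) + (f.proto != "*")
            if w > best_w:
                best, best_w = f, w
    return (best.action, best.name) if best else ("NO MATCH", None)  # unmatched: IPsec does nothing

# The thread's own 3389 and 8000 rules, reduced to their -r name, -f filterspec and -n action
POLICY = (parse_filter("Limit RDP", "136.167.*=0:3389:TCP", "PASS")
          + parse_filter("Block RDP", "*=0:3389:TCP", "BLOCK")
          + parse_filter("Limit 8000", "136.167.*=0:8000:TCP", "PASS")
          + parse_filter("Block 8000", "*=0:8000:TCP", "BLOCK"))

if __name__ == "__main__":
    # constructed packets: RDP from inside and outside the /16, then two replies to an outbound HTTP request
    for pkt in [("136.167.20.7", 1130, ME, 3389, "TCP"), ("203.0.113.9", 1130, ME, 3389, "TCP"),
                ("203.0.113.9", 80, ME, 1130, "TCP"), ("203.0.113.9", 80, ME, 8000, "TCP")]:
        print(pkt, "->", decide(POLICY, *pkt))
```

The last two packets are what makes the stateless point: a reply from port 80 to an ephemeral port matches nothing and passes, while the same reply addressed to port 8000 is indistinguishable from an unsolicited connection and hits the block filter.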
