Re: Blocking IP Address from command line

From: Herb Martin (news_at_LearnQuick.com)
Date: 12/12/04


Date: Sat, 11 Dec 2004 19:54:41 -0600


"Amy L." <amyl@paxemail.com> wrote in message
news:uhWcI683EHA.3908@TK2MSFTNGP12.phx.gbl...
> Do you know of any scalability issues with the IPSEC policy? I am wondering
> if there is a limit either hardcoded limit or performance limitation of
> blocking too many ip addresses?
>

My filter-rule set is about 700-800 commands.

It was double that at one point.

It can tie up the machine's cpu a few minutes when it
processes but I think they may have improved on that
in one of the service packs of fixes because I can't
recall seeing it lately (on Win2000 server.)

-- 
Herb Martin
> Amy.
>
> "Herb Martin" <news@LearnQuick.com> wrote in message
> news:OrYr2d83EHA.3388@TK2MSFTNGP15.phx.gbl...
> > "Amy L." <amyl@paxemail.com> wrote in message
> > news:uSfNz273EHA.2624@TK2MSFTNGP10.phx.gbl...
> > > Is there a way to block ip addresses from a windows 2000/2003 from the
> > > command prompt or programmatically?  I looked at using the IPSEC policy but
> > > it appears from the examples I have seen it can be used to block ports, but I
> > > didn't see any examples for blocking single or groups of ip addresses.
> >
> > Yes and the answer is to use IPSec  -- ports can be wildcarded.
> >
> > > Essentially, I want to block bad ip addresses on a server programmatically
> > > based on conditions I define.  Can the IPSEC command line tool do this or
> > > any other tool available on a windows platform.  Any thoughts?
> >
> > Yes.  IPSecCMD (XP) and IPSecPol (2K) can do it.
> >
> > Also NetSh (Win2003 server).  It's tedious to setup
> > and probably isn't suitable for (real time) dynamic
> > use if you are trying to build a responsive, dynamic
> > IDS or some such.
>
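
As an added example (not code posted by anyone in this thread), here is one way to generate a block-by-address policy for the NetSh route mentioned above, using the `netsh ipsec static` context of Windows Server 2003. It goes a little beyond the thread by merging duplicate and adjacent addresses before emitting filters, which keeps the filter count down. The policy, filter list, filter action and rule names are hypothetical, and the sample addresses are constructed from documentation ranges.

```python
import ipaddress

# Hypothetical object names; any names work as long as the rule references them.
POLICY, FILTERLIST, ACTION, RULE = "BlockList", "BadIPs", "Block", "BlockBadIPs"

def build_block_commands(entries, never_block=("127.0.0.0/8",)):
    """Return (netsh command lines, rejected entries) for an IPv4 block list."""
    protected = [ipaddress.ip_network(n) for n in never_block]
    nets, rejected = [], []
    for raw in entries:
        try:
            # Parsing is also the input check: nothing unparsed reaches a command.
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            rejected.append(raw)
            continue
        if net.version != 4 or any(net.overlaps(p) for p in protected):
            rejected.append(raw)  # not IPv4, or would block a protected range
            continue
        nets.append(net)
    # Drop duplicates and merge adjacent ranges so fewer filters are loaded.
    merged = list(ipaddress.collapse_addresses(nets))
    prefix = "netsh ipsec static "
    cmds = [
        f'{prefix}add policy name="{POLICY}"',
        f'{prefix}add filterlist name="{FILTERLIST}"',
        f'{prefix}add filteraction name="{ACTION}" action=block',
    ]
    for net in merged:
        cmds.append(
            f'{prefix}add filter filterlist="{FILTERLIST}" '
            f"srcaddr={net.network_address} srcmask={net.netmask} "
            "dstaddr=Me protocol=ANY mirrored=yes"
        )
    cmds += [
        f'{prefix}add rule name="{RULE}" policy="{POLICY}" '
        f'filterlist="{FILTERLIST}" filteraction="{ACTION}"',
        f'{prefix}set policy name="{POLICY}" assign=y',
    ]
    return cmds, rejected

if __name__ == "__main__":
    # Constructed sample input (documentation address ranges), not from the thread.
    sample = ["192.0.2.10", "192.0.2.11", "198.51.100.0/25",
              "198.51.100.128/25", "127.0.0.1", "not-an-ip", "192.0.2.10"]
    commands, bad = build_block_commands(sample)
    print("\n".join(commands))
    print("rejected:", bad)
```

Put the server's own management addresses in `never_block` before assigning the policy, so a bad list entry cannot cut off remote administration.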

