[REQUEST] [FEEDBACK] IPSec Standalone Workstation Policy


:: IPSec Standalone Workstation Policy
:: ------------------------------------------------------

:: by can2two

:: How to read the filter specs (-f) used below:
::   src[:port](=|+)dst[:port][:protocol]   where "0" = this host, "*" = any address
::   The protocol (TCP, UDP, ICMP or a number) goes in the LAST field only.
::   One of = and + creates a pair of filters (one per direction), the other a
::   single one-way filter; the check at the end of the script confirms which
::   is which on this build, because every outbound PASS rule here relies on
::   the reply direction being present.
:: IPsec filters keep no connection state: a filter that admits the reply
::   direction admits every packet in that direction that fits its addresses
::   and ports, whether or not this host started the conversation.
:: These rules are meant as plain permit/block packet filters: PASS permits
::   the traffic in the clear and BLOCK drops it. The ah[sha1]+esp[3des,sha1]
::   method list written before PASS describes security methods that only a
::   rule negotiating IPsec with a peer would use, and a standalone
::   workstation has no peer, so nothing here is authenticated or encrypted.
:: Each ipseccmd command must be on a single line in the batch file.

:: 1. Deactivate the current policy (-y acts on the policy named by -p):

ipseccmd -w REG -p "Standalone Local Filter" -y

:: 2. Delete the existing policy so the rules below are not appended to stale
::    ones (-o deletes the policy named by -p):

ipseccmd -w REG -p "Standalone Local Filter" -o

:: Default firewall response
:: -------------------------

:: 3. Block ALL traffic. Windows IPsec does not evaluate filters in script
::    order: the most specific matching filter wins, so this catch-all loses
::    to every narrower PASS rule below no matter where it appears.

ipseccmd -w REG -p "Standalone Local Filter" -r "BLOCK ALL traffic" -f *+0 -n BLOCK

:: Protocol Specific Rules
:: -----------------------

:: ICMP Settings
:: -------------
:: The port field is used here to carry the ICMP type. Windows XP's IPsec
:: filters select ICMP by protocol only (type/code filtering arrived with the
:: Vista filtering platform), so check with "ipseccmd show filters" whether
:: these rules kept the type or became "all ICMP" in that direction.

:: Echo reply (type 0)

ipseccmd -w REG -p "Standalone Local Filter" -r "Echo reply" -f *+0:0:ICMP -n ah[sha1]+esp[3des,sha1] PASS -1p -c

:: Destination Unreachable (type 3)

ipseccmd -w REG -p "Standalone Local Filter" -r "Destination Unreachable" -f *+0:3:ICMP -n ah[sha1]+esp[3des,sha1] PASS -1p -c

:: Echo request (type 8)

ipseccmd -w REG -p "Standalone Local Filter" -r "Echo request" -f 0+*:8:ICMP -n ah[sha1]+esp[3des,sha1] PASS -1p -c

:: Time Exceeded for a datagram (type 11)

ipseccmd -w REG -p "Standalone Local Filter" -r "Time Exceeded for a datagram" -f *+0:11:ICMP -n ah[sha1]+esp[3des,sha1] PASS -1p -c

:: Global Rules
:: ------------

:: Allow DNS resolving (UDP for ordinary queries, TCP for large responses)

ipseccmd -w REG -p "Standalone Local Filter" -r "Allow DNS Resolving" -f 0=*:53:TCP -f 0=*:53:UDP -n ah[sha1]+esp[3des,sha1] PASS -1p -c

:: Allow outgoing DHCPv6 [546 = DHCPv6 client, 547 = DHCPv6 server]. The IPv4
:: BOOTP/DHCP ports are 67/68 and are handled by the "DHCP Service" rule below.
:: On Windows XP ipseccmd configures the IPv4 policy (IPv6 IPsec is configured
:: with ipsec6.exe), so this rule has no effect on DHCPv6 traffic.

ipseccmd -w REG -p "Standalone Local Filter" -r "Allow Outgoing DHCP" -f 0+*:546:UDP -f 0+*:547:UDP -n ah[sha1]+esp[3des,sha1] PASS -1p -c

:: Allow inbound Identification (ident, TCP 113). This admits connections to
:: TCP 113 from anyone; keep it only if an IRC server you use refuses clients
:: without an ident lookup.

ipseccmd -w REG -p "Standalone Local Filter" -r "Allow Inbound Identification" -f *=0:113:TCP -n ah[sha1]+esp[3des,sha1] PASS -1p -c

:: Allow loopback (Testing). -t names a tunnel endpoint, not a second filter,
:: so the original "-t 127.0.0.*/255.255.255.*::TCP" is dropped; the
:: address/mask pair below covers 127.0.0.0/24 as the original wildcard did.

ipseccmd -w REG -p "Standalone Local Filter" -r "Allow Loopback" -f 0=127.0.0.0/255.255.255.0::TCP -n ah[sha1]+esp[3des,sha1] PASS -1p -c

:: Allow GRE (IP protocol 47, which carries PPTP data). The protocol goes in
:: the last field of the spec, as a name or a number, and GRE has no ports;
:: the original ":47:IP" asked for port 47 of a protocol called "IP".

ipseccmd -w REG -p "Standalone Local Filter" -r "Allow GRE Protocol" -f 0=*::47 -n ah[sha1]+esp[3des,sha1] PASS -1p -c

:: Allow PPTP control connection (TCP 1723) (MONITORING May remove).
:: ipseccmd takes one port per -f and has no port-range syntax, so the
:: original "0:1024-65535:" is not valid; leaving the source port out means
:: any port, which covers the ephemeral source port. Multiple destination
:: ports need one -f each, as the HTTP rule below does.

ipseccmd -w REG -p "Standalone Local Filter" -r "Allow PPTP control connection" -f 0=*:1723:TCP -n ah[sha1]+esp[3des,sha1] PASS -1p -c

:: DHCP Service (Testing). 73.89.16.1 is the author's ISP DHCP server
:: (Comcast IP Services, L.L.C., OREGON-CDM-1); substitute your own.
:: Known security risk. Suggested alternatives: *+0:68:UDP -n BLOCK, or
:: 73.89.16.1+0:67:UDP -n ah[sha1]+esp[3des,sha1] PASS -1p -c (maybe).
:: Caveat: a client with no lease sends DISCOVER from 0.0.0.0 to
:: 255.255.255.255 and the OFFER comes back to the broadcast address, so a
:: unicast "0"-to-server filter only describes lease renewals. Windows XP
:: exempts broadcast and multicast traffic from IPsec filtering by default
:: (the NoDefaultExempt registry value controls this), so the initial
:: broadcast exchange is not governed by this policy either way.
:: The protocol belongs in the last field of the spec only.

ipseccmd -w REG -p "Standalone Local Filter" -r "DHCP Service" -f 0:68+73.89.16.1:67:UDP -n ah[sha1]+esp[3des,sha1] PASS -1p -c

:: Application Rules
:: -----------------

:: Browser HTTP connection (81-83 are non-standard ports some sites use)

ipseccmd -w REG -p "Standalone Local Filter" -r "Browser HTTP connection" -f 0=*:80:TCP -f 0=*:81:TCP -f 0=*:82:TCP -f 0=*:83:TCP -n ah[sha1]+esp[3des,sha1] PASS -1p -c

:: Browser HTTPS connection

ipseccmd -w REG -p "Standalone Local Filter" -r "Browser HTTPS connection" -f 0=*:443:TCP -n ah[sha1]+esp[3des,sha1] PASS -1p -c

:: Browser SOCKS connection

ipseccmd -w REG -p "Standalone Local Filter" -r "Browser SOCKS connection" -f 0=*:1080:TCP -n ah[sha1]+esp[3des,sha1] PASS -1p -c

:: Browser PROXY connection

ipseccmd -w REG -p "Standalone Local Filter" -r "Browser PROXY connection" -f 0=*:3128:TCP -f 0=*:8080:TCP -f 0=*:8088:TCP -n ah[sha1]+esp[3des,sha1] PASS -1p -c

:: Browser FTP connection + Microsoft Application Layer Gateway Service (alg.exe).
:: Covers the control channel only: FTP data connections use ports negotiated
:: per transfer (passive mode: outbound to a server port above 1023; active
:: mode: inbound from server port 20), which a fixed-port filter cannot
:: describe, so transfers need their own rules or will fail.

ipseccmd -w REG -p "Standalone Local Filter" -r "Browser FTP connection + Microsoft Application Layer Gateway Service (alg.exe)" -f 0=*:21:TCP -n ah[sha1]+esp[3des,sha1] PASS -1p -c

:: IRC connection (outbound 6667-7000 intended; ipseccmd has no port-range
:: syntax, so add one -f per port actually used; only 6667 is listed)

ipseccmd -w REG -p "Standalone Local Filter" -r "IRC connection" -f 0=*:6667:TCP -n ah[sha1]+esp[3des,sha1] PASS -1p -c

:: Jabber connection. A DNS name in a filter is resolved once, when the rule
:: is created, and 208.245.212.98 is what jabber.org resolved to when this was
:: written; the catch-all 0=*:5222:TCP makes both of the narrower filters
:: redundant. -t (tunnel endpoint, not a filter) dropped.

ipseccmd -w REG -p "Standalone Local Filter" -r "Jabber connection" -f 0=208.245.212.98/255.255.255.255:5222:TCP -f 0=jabber.org:5222:TCP -f 0=*:5222:TCP -n ah[sha1]+esp[3des,sha1] PASS -1p -c

:: MSN connection

ipseccmd -w REG -p "Standalone Local Filter" -r "MSN connection" -f 0=*:1863:TCP -n ah[sha1]+esp[3des,sha1] PASS -1p

:: Yahoo connection

ipseccmd -w REG -p "Standalone Local Filter" -r "Yahoo connection" -f 0=*:5050:TCP -n ah[sha1]+esp[3des,sha1] PASS -1p

:: Gopher connection

ipseccmd -w REG -p "Standalone Local Filter" -r "Gopher connection" -f 0=*:70:TCP -n ah[sha1]+esp[3des,sha1] PASS -1p -c

:: Whois connection (198.41.0.6 is what whois.internic.net resolved to when
:: this was written; the name form is resolved once at rule creation).
:: -t (tunnel endpoint, not a filter) dropped.

ipseccmd -w REG -p "Standalone Local Filter" -r "Whois connection" -f 0=198.41.0.6/255.255.255.255:43:TCP -f 0=whois.internic.net:43:TCP -n ah[sha1]+esp[3des,sha1] PASS -1p -c

:: Local Security Authority Service (UDP 88 = Kerberos; TCP 1026-1029 = the
:: RPC endpoint ports XP usually hands out). These are domain-logon flows: a
:: workstation that is not domain-joined has no KDC to reach, and each
:: mirrored 0=*:102x:TCP filter also admits inbound traffic from that source
:: port to any local port. Drop this rule unless something actually needs it.

ipseccmd -w REG -p "Standalone Local Filter" -r "Local Security Authority Service" -f 0+*:88:UDP -f 0=*:1026:TCP -f 0=*:1027:TCP -f 0=*:1028:TCP -f 0=*:1029:TCP -n ah[sha1]+esp[3des,sha1] PASS -1p -c

:: NNTP connection

ipseccmd -w REG -p "Standalone Local Filter" -r "Read News By Default E-Mail Client" -f 0=*:119:TCP -n ah[sha1]+esp[3des,sha1] PASS -1p -c

:: SMTP connection

ipseccmd -w REG -p "Standalone Local Filter" -r "Send mail by Default E-Mail Client" -f 0=*:25:TCP -n ah[sha1]+esp[3des,sha1] PASS -1p -c

:: Default E-Mail Client IMAP (143) / IMAPS (993) connections

ipseccmd -w REG -p "Standalone Local Filter" -r "Default E-Mail Client IMAP/S-IMAP connections" -f 0=*:143:TCP -f 0=*:993:TCP -n ah[sha1]+esp[3des,sha1] PASS -1p -c

:: Receive mail by Default E-Mail Client (POP3 110 / POP3S 995)

ipseccmd -w REG -p "Standalone Local Filter" -r "Receive mail by Default E-Mail Client" -f 0=*:110:TCP -f 0=*:995:TCP -n ah[sha1]+esp[3des,sha1] PASS -1p -c

:: Gmail connection (Testing). The original command had no -n, so PASS was
:: not attached to a negotiation policy; -t (tunnel endpoint, not a filter)
:: dropped. 72.14.253.109 is what smtp.gmail.com resolved to at the time; the
:: name form is resolved once when the rule is created.

ipseccmd -w REG -p "Standalone Local Filter" -r "Gmail connection" -f 0=smtp.gmail.com:587:TCP -f 0=72.14.253.109:587:TCP -n ah[sha1]+esp[3des,sha1] PASS -1p -c

:: LDAP connection

ipseccmd -w REG -p "Standalone Local Filter" -r "LDAP connection" -f 0=*:389:TCP -n ah[sha1]+esp[3des,sha1] PASS -1p -c

:: Time Synchronizer (NTP) connection (Testing). 192.43.244.18 is what
:: time.nist.gov resolved to when this was written; NIST rotates its servers
:: and the name is resolved only when the rule is created, so re-run this
:: rule if time sync stops. The last two filters spell out the server-to-host
:: direction explicitly. -t (tunnel endpoint, not a filter) dropped and the
:: protocol moved to the last field of each spec.

ipseccmd -w REG -p "Standalone Local Filter" -r "Time Synchronizer (NTP) connection" -f 0=192.43.244.18:123:UDP -f 0=time.nist.gov:123:UDP -f 192.43.244.18:123=0::UDP -f time.nist.gov:123=0::UDP -n ah[sha1]+esp[3des,sha1] PASS -1p -c

:: OBSOLETE :: ipseccmd -w REG -p "Standalone Local Filter" -r "Time Synchronizer connection" -f 0+*:123:UDP -f 0+*:37:UDP -f 0=*:37:TCP -f 0=*:13:TCP -n ah[sha1]+esp[3des,sha1] PASS -1p -c

:: "SSDP Discovery Service" and "UPnP Device Host" services.
:: SSDP is UDP 1900 to the multicast group 239.255.255.250, and XP exempts
:: multicast from IPsec filtering by default, so the first filter is usually
:: moot. TCP cannot be carried to a multicast address, so the original
:: 5000:TCP filter aimed at 239.255.255.250 could never match; the filter
:: below keeps the original direction (this host to remote port 5000). If the
:: intent is XP's own UPnP device-host listener, it needs *=0:<port>:TCP
:: instead. Both services are listening surface a standalone workstation
:: rarely needs; disabling them is the simpler fix. Protocol moved to the
:: last field of each spec.

ipseccmd -w REG -p "Standalone Local Filter" -r "'SSDP Discovery Service' and 'UPnP device Host' services" -f 0=239.255.255.250:1900:UDP -f 0=*:5000:TCP -n ah[sha1]+esp[3des,sha1] PASS -1p -c

:: Telnet Client connection

ipseccmd -w REG -p "Standalone Local Filter" -r "Telnet Client connection" -f 0=*:23:TCP -n ah[sha1]+esp[3des,sha1] PASS -1p -c

:: Secure Telnet (SSH) Client connection, TCP 22

ipseccmd -w REG -p "Standalone Local Filter" -r "Secure Telnet Client connection" -f 0=*:22:TCP -n ah[sha1]+esp[3des,sha1] PASS -1p -c

:: Terminal Services Client TCP connection

ipseccmd -w REG -p "Standalone Local Filter" -r "Terminal Services Client TCP connection" -f 0=*:3389:TCP -n ah[sha1]+esp[3des,sha1] PASS -1p -c

:: PGP Key Server connection

ipseccmd -w REG -p "Standalone Local Filter" -r "PGP Keys Server connection" -f 0=*:11370:TCP -f 0=*:11371:TCP -n ah[sha1]+esp[3des,sha1] PASS -1p -c

:: Apply the new IPsec policy:

ipseccmd -w REG -p "Standalone Local Filter" -x

:: 4. Check that the policy and its filters were applied. In the listing,
::    confirm that each rule's action came out as Permit (PASS) or Block; that
::    every rule written with = produced a filter pair (one per direction) and
::    the rule written with + a single filter, since every outbound PASS rule
::    above depends on the reply direction being present; and whether the ICMP
::    rules kept their type numbers or collapsed to "all ICMP".

ipseccmd show filters

pause
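The policy above is a stateless packet filter resolved by specificity, and two of its properties are easy to get wrong by reading the script alone: the "BLOCK ALL" catch-all is beaten by any narrower PASS rule wherever it sits, and a mirrored 0=*:80:TCP admits any inbound packet whose source port happens to be 80, to any local port. The following Python model is an added example, not part of the original post and not Microsoft's matching code: it parses the script's own -f spec syntax, expands the mirrored operator, picks the most specific matching filter and evaluates sample packets. Which of = and + mirrors is a parameter of build(), because that is exactly what the check in step 4 exists to confirm; the address 192.0.2.10 standing in for "0", the numeric specificity weight, the tie-goes-to-BLOCK rule, the default-permit for unmatched traffic and the sample packets are all assumptions made for the demonstration.

```python
"""Stateless model of the ipseccmd filter specs used in the script above.

Added example; not the original post's code and not Microsoft's matching
code.  Assumptions the page does not state: build()'s mirror_op ("=" by
default, which is how the script uses it) yields a filter pair and the other
operator a single one-way filter; "most specific wins" is approximated by a
numeric weight (address prefix length, then protocol, then ports) with BLOCK
winning a tie; traffic matching no filter is permitted; endpoints are IPv4
literals ("0" = this host, "*" = any) and DNS names are not handled.
MY_IP and the sample packets are constructed for the demonstration.
"""
import ipaddress
import re

PROTO = {"TCP": 6, "UDP": 17, "ICMP": 1}
MY_IP = ipaddress.IPv4Address("192.0.2.10")   # constructed; stands in for "0"


def parse_addr(tok):
    """'0' -> this host, '*' -> any, 'A.B.C.D[/M.M.M.M]' or 'A.B.C.*' -> network."""
    if tok == "0":
        return ipaddress.IPv4Network(f"{MY_IP}/32")
    if tok == "*":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, _, mask = tok.partition("/")
    if "*" in addr:                                   # wildcard octets
        octets = addr.split(".")
        addr = ".".join("0" if o == "*" else o for o in octets)
        mask = ".".join("0" if o == "*" else "255" for o in octets)
    return ipaddress.IPv4Network(f"{addr}/{mask or '255.255.255.255'}", strict=False)


def parse_filter(spec, action, mirror_op="="):
    """One -f spec -> list of one-way filters.  Grammar as the script uses it:
    src[:port](=|+)dst[:port][:protocol], protocol in the last field only.
    For ICMP the script puts the type where the port would go."""
    m = re.fullmatch(r"([^=+]+)([=+])(.+)", spec)
    if not m:
        raise ValueError(f"bad filter spec: {spec}")
    src, op, dst = m.groups()
    s = (src.split(":") + ["", ""])[:2]
    d = (dst.split(":") + ["", "", ""])[:3]
    proto = d[2].upper()
    fwd = {"src": parse_addr(s[0]), "sport": int(s[1]) if s[1] else None,
           "dst": parse_addr(d[0]), "dport": int(d[1]) if d[1] else None,
           "proto": PROTO.get(proto, int(proto) if proto.isdigit() else None),
           "action": action, "spec": spec}
    filters = [fwd]
    if op == mirror_op:                               # add the reverse direction
        filters.append({**fwd, "src": fwd["dst"], "sport": fwd["dport"],
                        "dst": fwd["src"], "dport": fwd["sport"]})
    return filters


def weight(f):
    """Specificity: host beats subnet beats any; a protocol and ports add more."""
    w = f["src"].prefixlen + f["dst"].prefixlen + (8 if f["proto"] is not None else 0)
    return w + 4 * sum(p is not None for p in (f["sport"], f["dport"]))


def build(rules, mirror_op="="):
    """rules: [(filter spec, 'PASS' | 'BLOCK'), ...] as given to -f and -n."""
    return [f for spec, action in rules for f in parse_filter(spec, action, mirror_op)]


def decide(filters, direction, remote, rport, lport, proto):
    """(action, winning spec) for one packet; 'in' = remote -> this host,
    'out' = this host -> remote.  No connection state is consulted, because
    IPsec filters keep none: a reply-direction filter admits any packet that
    fits it, not only replies to something this host sent."""
    remote = ipaddress.IPv4Address(remote)
    if direction == "in":
        src, sport, dst, dport = remote, rport, MY_IP, lport
    else:
        src, sport, dst, dport = MY_IP, lport, remote, rport
    best = None
    for f in filters:
        if src not in f["src"] or dst not in f["dst"]:
            continue
        if (f["proto"] not in (None, proto) or f["sport"] not in (None, sport)
                or f["dport"] not in (None, dport)):
            continue
        key = (weight(f), f["action"] == "BLOCK")     # tie goes to BLOCK
        if best is None or key > best[0]:
            best = (key, f)
    return ("PASS", None) if best is None else (best[1]["action"], best[1]["spec"])


# A subset of the script's rules, copied from its -f / -n arguments.
RULES = [
    ("*+0", "BLOCK"),            # BLOCK ALL traffic
    ("*+0:0:ICMP", "PASS"),      # Echo reply
    ("0+*:8:ICMP", "PASS"),      # Echo request
    ("0=*:53:UDP", "PASS"),      # Allow DNS Resolving
    ("0=*:80:TCP", "PASS"),      # Browser HTTP connection
    ("*=0:113:TCP", "PASS"),     # Allow Inbound Identification
]

if __name__ == "__main__":
    policy = build(RULES)
    for pkt in [("out", "192.0.2.53", 53, 1025, 17),   # DNS query
                ("in", "192.0.2.53", 53, 1025, 17),    # DNS reply
                ("in", "203.0.113.9", 4444, 445, 6),   # SMB probe
                ("in", "203.0.113.9", 80, 3389, 6)]:   # RDP probe from source port 80
        print(pkt, "->", decide(policy, *pkt))
```

Under the "=" reading the DNS reply passes, the SMB probe is blocked by the catch-all, and the RDP probe sourced from port 80 passes on the mirror of the HTTP rule; an outbound connection to an unlisted port matches nothing at all, because *+0 only covers the inbound direction. Re-running build(RULES, mirror_op="+") shows the other reading: the catch-all then blocks both directions, which closes those gaps but also blocks the DNS reply, so every outbound rule would need an explicit reverse filter like the NTP rule's.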
