Network Security Security-Basics
Re: Simple Firewall: Summary

Subject: Re: Simple Firewall: Summary
Date: Sun, 9 Jan 2005 00:55:37 -0800
Alexander,
I think you are correct that IPSec could be used as a stateless packet
filter to deny traffic from explicit IP addresses. I shouldn't have
lumped it with the other ones in my summary. I didn't know you could
use IPSec this way without running it on clients as well. After going
through your first link, it looks to me like it would work for what I
need. I also found that there is a PG Lite version of PeerGuardian
that is a stripped-down version. I think PktFilter and PG Lite
are the best solutions for me. They are both very simple, and adding
IP addresses to the deny list is as easy as editing a text file.
With IPSec it took about 20 forms to do it interactively. I probably
could do it more quickly with the command line utility ipseccmd.exe.

Thanks for the links.

Greg

On Sat, 8 Jan 2005 22:09:00 +0300, Alexander Suhovey
<asuhovey@mtu-net.ru> wrote:
Regarding IPSec filters - I don't know why you decided that there's no deny
capability. You can create a filter to block certain types of traffic
to/from a certain set of IP addresses, a subnet or a DNS name.
Here are a couple of links on the topic. The first is a good example of GUI-based
configuration of IPSec filters, while the second covers the command line.

How can I block a Windows 2000/XP/2003 computer from surfing on the Internet
but still allow it to surf to Intranet sites?
http://www.petri.co.il/block_internet_but_allow_intranet_with_ipsec.htm

How to block specific network protocols and ports by using IPSec:
http://support.microsoft.com/default.aspx?scid=kb;en-us;813878

Hth,
Al


-----Original Message-----
From: G Farnham [mailto:gfarnham@gmail.com]
Sent: Thursday, December 30, 2004 1:27 AM
To: security-basics@securityfocus.com
Subject: Simple Firewall: Summary

Thanks for all the responses. Summary below.
Follow-up question:
Are there any good tools for testing firewall performance,
specifically in terms of the latency added by the firewall?


Summary:

1) This looks like the best solution for me:
Try PktFilter

http://www.hsc.fr/ressources/outils/pktfilter/

2) This one looks viable also:
You may be able to use PeerGuardian... A firewall of sorts for
peer-to-peer apps that uses a deny list to prevent the
FBI/RIAA/MPAA etc. from snooping on your shared files. You should be able to pick
that up at http://www.methlabs.org/methlabs.htm

3) Recommendations for commercial firewalls would probably
work; some recommended ones are:
Kerio
tiny firewall
sygate

4) Windows Remote Access Service (RRAS)
I think this would work, but it has more overhead than I want.

5) Use Windows IP filtering, Win2003 SP1 (like the XP SP2
firewall), or an IPSec white list. I don't think any of these meet my needs.
I need a deny capability. A permit or white list will not help
me, as the service (game server) needs to be open to the public.
As far as I know, the built-in IP filtering is "permit only" with no
deny capability.
The XP SP2 firewall has no way to define a deny list for source IP.
[If I have any of this wrong, feel free to correct me, but
please provide details on how to do it or where to see it.]

GDF
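The deny-list model the thread settles on (a text file of blocked source addresses with default-permit, so the public game server stays reachable, as opposed to the permit-only filtering the summary rules out), as an added Python example; this is not code from PktFilter, PG Lite or the Windows IPSec tooling, and the list format and addresses below are constructed for illustration.

```python
import ipaddress

# Constructed sample deny list (not a real block list): one entry per
# line as "label:IP", "label:CIDR" or "label:first-last"; '#' starts a
# comment. IPv4 only, matching the filters discussed in the thread.
SAMPLE_DENY_LIST = """
# constructed sample, not a real block list
scanner-host:198.51.100.7
noisy-net:203.0.113.0/24
abusive-range:192.0.2.10-192.0.2.20
"""


def parse_deny_list(text):
    """Parse the text-file deny list into (label, IPv4Network) pairs.

    Dotted ranges are split into the minimal set of CIDR blocks so that
    every entry becomes a network the lookup can test with 'in'.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        label, _, spec = line.rpartition(":")  # label may be empty
        if "-" in spec:
            first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
            if first > last:
                raise ValueError(f"bad range in deny list: {spec}")
            for net in ipaddress.summarize_address_range(first, last):
                entries.append((label, net))
        else:
            entries.append((label, ipaddress.ip_network(spec, strict=False)))
    return entries


def deny_list_decision(src_ip, deny_entries):
    """Default-permit with a deny list: the public service stays reachable
    and only listed sources are dropped. Returns (verdict, matching label)."""
    ip = ipaddress.ip_address(src_ip)
    for label, net in deny_entries:
        if ip in net:
            return "DENY", label
    return "PERMIT", None


def permit_list_decision(src_ip, allow_nets):
    """The 'permit only' model the original poster rules out: anything not
    explicitly allowed is dropped, which cannot serve an open game server."""
    ip = ipaddress.ip_address(src_ip)
    return "PERMIT" if any(ip in net for net in allow_nets) else "DENY"
```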



