Archived from groups: microsoft.public.win2000.security
I was responding to the original poster of this thread and, being curious,
asking Herb if he ever topped out the list. I personally have no need to
build larger filter lists. However, it could be handy to be able to do such.
For instance, there could be several secured servers in a domain that have an
ipsec require policy and static IP addresses, and you have a group of
computers in an OU that you only want to be able to access the servers using
ipsec in the 192.168.1.40 - 192.168.1.60 range. So you want to create an
ipsec policy with a negotiate filter action and a destination address of
192.168.1.40 - 192.168.1.60. You of course would have to create 21 entries in
the filter list for the rule for the ipsec policy. Maybe not a big deal, but
it would take some time and could be more prone to error. ---
Steve
"Steve Riley [MSFT]" <steriley@microsoft.com> wrote in message
news:41300632408220999452032@news.microsoft.com...
> Remember that IPsec is really about creating authenticated and
> (optionally) encrypted security associations between a pair of computers.
> Given that primary design goal, it appears that port ranges aren't
> something that's required.
>
> I'm guessing that you'd like port ranges for simple block/allow rules --
> using the IPsec engine as a packet filter. Is that right? Or do you have a
> need for security associations with port ranges?
>
> Steve Riley
> steriley@microsoft.com
>
>
>
>> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>> news:#nzGTLb9EHA.2196@TK2MSFTNGP11.phx.gbl...
>>
>>> That is interesting. Do you know how many filters can fit into a rule
>>> and how many rules can fit into a policy?? Some user a while back
>>> said he had so many filters in a rule that it would not accept any more.
>>> I suggested he add a new rule with the same filter action but never
>>> heard back from him to know whether that worked or not. I personally
>>> never plan to add that many to find out. --- Steve
>>>
>> I have reached no limits -- unless you are thinking of my complaint
>> where at about 1000 rules it was eating up my CPU to invoke the thing
>> -- once it was running it was fine.
>>
>> This may have been (quietly) fixed in some service pack/hotfix.
>>
>>> "Herb Martin" <news@LearnQuick.com> wrote in message
>>> news:OiZekUW9EHA.1084@TK2MSFTNGP15.phx.gbl...
>>>
>>>> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>>>> news:uCITVjO9EHA.3416@TK2MSFTNGP09.phx.gbl...
>>>>
>>>>> You can not configure a port range in a single filter entry for an
>>>>> ipsec policy. You can either use an IP address or subnet when creating
>>>>> a filter entry for an ipsec rule. --- Steve
>>>>>
>>>> It's one of the serious weaknesses of the IPSec
>>>> filter rules.
>>>> I wrote a "generator" in Perl which builds the
>>>> IPSec rules from a table (sort of) because at
>>>> least one of my machines runs close to 1000
>>>> rules/filter sets.
>>>> Even this is not a full solution because at 1000 rules it can
>>>> significantly impact the machine's performance for up to an hour when
>>>> the rules are re-applied.
>>>>
>>>> Better would be for the filters to accept such
>>>> information and handle it efficiently.
>>>> -- Herb Martin
>>>>
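Since a filter entry accepts an address or a subnet but not a range, the 21 per-host entries for 192.168.1.40 - 192.168.1.60 discussed in this thread can be collapsed into the minimal set of CIDR subnets covering that range. The following is an added example, not code from anyone in the thread (Herb's Perl generator is not shown); the `netsh ipsec static add filter` syntax it emits is assumed from the XP/2003-era netsh context, and the filter-list name, `srcaddr=Me`, `protocol=ANY` and `mirrored=yes` are constructed choices for illustration.

```python
import ipaddress
from typing import List, Set

# Constructed sample range taken from the post: secured servers at 192.168.1.40 - 192.168.1.60.
RANGE_START = "192.168.1.40"
RANGE_END = "192.168.1.60"


def summarize_range(start: str, end: str) -> List[ipaddress.IPv4Network]:
    """Decompose an inclusive IPv4 range into the fewest CIDR subnets covering it.

    Each subnet becomes one filter entry instead of one entry per host,
    which is what keeps the filter list short and less error-prone to type.
    """
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError("range end precedes range start")
    return list(ipaddress.summarize_address_range(first, last))


def covered_hosts(networks: List[ipaddress.IPv4Network]) -> Set[str]:
    """All individual addresses covered by the subnets, to check nothing is lost or added.

    Iterating a network yields every address in the block (not just .hosts()),
    which is the right notion for a filter that matches the whole subnet.
    """
    return {str(addr) for net in networks for addr in net}


def netsh_filter_commands(filterlist: str, start: str, end: str) -> List[str]:
    """Emit one assumed 'netsh ipsec static add filter' line per covering subnet.

    srcaddr=Me is this computer; dstaddr/dstmask describe the destination block.
    """
    return [
        f"netsh ipsec static add filter filterlist={filterlist} "
        f"srcaddr=Me dstaddr={net.network_address} dstmask={net.netmask} "
        f"protocol=ANY mirrored=yes"
        for net in summarize_range(start, end)
    ]


if __name__ == "__main__":
    nets = summarize_range(RANGE_START, RANGE_END)
    print(f"{len(covered_hosts(nets))} hosts covered by {len(nets)} subnet entries:")
    for line in netsh_filter_commands("SecuredServers", RANGE_START, RANGE_END):
        print(line)
```

For this range the script yields four entries (two /29s, a /30 and a /32) that cover exactly the same 21 addresses as the per-host list.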