Windows Software Firewall

I personally manage a few dedicated Windows servers, rented from a couple of different hosting companies. All servers are Windows Server 2003 Enterprise. I do not use the built-in Windows firewall because of the lack of control. Lately, I have been getting a few dictionary attacks on a database server. I want to be able to block IP addresses whenever I need. So, I am looking for the best, FREE software firewall suited for my needs. I only want something that will block obvious threats or have the ability to turn off automatic blocking. Basically, I need someone to suggest the best freeware, software firewall that has IP blocking capabilities. Thanks in advance.
Reply to
TampaWebDevelopment

formatting link
You can apply the AnalogX IPsec rules and use them, make your own rules and turn them on and off as you need them.

IPsec can set rules to block packets by port, protocol, IP and Subnet inbound or outbound.

formatting link
formatting link
BTW, what you're talking about or looking for are packet filters running at the machine level. They are not firewalls, software- or hardware-wise.

IPsec is just a packet filter.

What is a firewall?

A firewall protects networked computers from intentional hostile intrusion that could compromise confidentiality or result in data corruption or denial of service. It may be a hardware device or a software program running on a secure host computer. In either case, it must have at least *two network interfaces*, one for the network it is intended to protect, and one for the network it is exposed to.

A firewall sits at the junction point or gateway between the two networks, usually a private network and a public network such as the Internet. The earliest firewalls were simply routers. The term firewall comes from the fact that by segmenting a network into different physical subnetworks, they limited the damage that could spread from one subnet to another just like firedoors or firewalls.

Reply to
Mr. Arnold

May I say, that's a stupid idea. You'll create your very own Denial of Service condition with that.

For obvious threats, there's no need to block them. Just make them ineffective by design. F.E., your oh-so-bad dictionary attack is easily countered by choosing secure passwords.

IPsec is not even a packet filter. After all, he should even be lucky that he's running Windows Server 2003, where you're allowed to disable all internal exemption rules (Kerberos, multicast traffic...), and still you'll let IPsec traffic through. Really bad idea to abuse the IPsec filtering rules as a pure packet filter.

What about using IPFilter or the RAS firewall? Or, since it was a stupid idea anyway, the Windows Firewall?

Reply to
Sebastian Gottschalk

You're able to do that with the Windows 2003 Firewall:

formatting link
You also can do that automatically by scripting, if you're detecting attacks:

formatting link
Beware of DoS constructions when filtering in such a way.

Yours, VB.

Reply to
Volker Birk
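As an added illustration of the "block automatically by scripting, if you're detecting attacks" idea and the DoS caveat that follows it (example code, not from any poster in this thread): it counts failed logins per source address in constructed SQL Server-style error log lines and returns the addresses that cross a threshold, while refusing to ever block loopback or an assumed management network, so a spoofed or mis-typed source cannot lock the operator out. The log lines, the 192.168.1.0/24 allowlist and the threshold are assumptions; the actual netsh or IPsec rule syntax for the server's Windows version is left to be checked by hand.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in the style of a SQL Server error log; not real data.
SAMPLE_LOG = """\
2008-03-01 10:00:01.00 Logon  Login failed for user 'sa'. [CLIENT: 203.0.113.5]
2008-03-01 10:00:02.00 Logon  Login failed for user 'admin'. [CLIENT: 203.0.113.5]
2008-03-01 10:00:03.00 Logon  Login failed for user 'sa'. [CLIENT: 203.0.113.5]
2008-03-01 10:00:04.00 Logon  Login failed for user 'root'. [CLIENT: 203.0.113.5]
2008-03-01 10:00:05.00 Logon  Login failed for user 'sa'. [CLIENT: 203.0.113.5]
2008-03-01 10:01:00.00 Logon  Login failed for user 'webapp'. [CLIENT: 192.168.1.20]
2008-03-01 10:01:01.00 Logon  Login failed for user 'webapp'. [CLIENT: 192.168.1.20]
2008-03-01 10:01:02.00 Logon  Login failed for user 'webapp'. [CLIENT: 192.168.1.20]
2008-03-01 10:01:03.00 Logon  Login failed for user 'webapp'. [CLIENT: 192.168.1.20]
2008-03-01 10:01:04.00 Logon  Login failed for user 'webapp'. [CLIENT: 192.168.1.20]
2008-03-01 10:01:30.00 Logon  Login succeeded for user 'webapp'. [CLIENT: 192.168.1.20]
2008-03-01 10:02:00.00 Logon  Login failed for user 'sa'. [CLIENT: 198.51.100.9]
"""

# Matches only failed logins and captures the client IPv4 address.
FAILED_RE = re.compile(r"Login failed for user '[^']*'.*\[CLIENT: ([\d.]+)\]")

# Assumed allowlist: loopback plus the management LAN. Addresses here are never
# blocked, however many failures they produce, so a misconfigured internal app
# (192.168.1.20 above) or a spoofed source cannot turn the script into a DoS.
NEVER_BLOCK = [ip_network("127.0.0.0/8"), ip_network("192.168.1.0/24")]


def offenders(log_text, threshold=5):
    """Return sorted source IPs with >= threshold failed logins, minus allowlisted ones."""
    failures = Counter(m.group(1) for m in FAILED_RE.finditer(log_text))
    blocked = []
    for ip, count in failures.items():
        if count < threshold:
            continue
        if any(ip_address(ip) in net for net in NEVER_BLOCK):
            continue  # allowlisted: log it for a human instead of blocking
        blocked.append(ip)
    return sorted(blocked)


if __name__ == "__main__":
    for ip in offenders(SAMPLE_LOG):
        print(ip)  # feed each address to the block rule you verified for your OS
```

Run the block list through a rule with an expiry rather than a permanent entry, so a one-off burst from a legitimate client clears itself.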

Where did I say anything about abusing IPsec? I would assume that OP is looking for a solution to be used in a supplemental role, like I use IPsec in a supplemental role to block packets.

What about them? Why not?

And you're going to have to show some valid proof to support your claims about IPsec being a bad idea when the documented links that have been provided say that's not the case with IPsec being able to filter packets. I don't want any lip-service now, but rather, show some documented proof, because I am just not going to take your word on it.

If you start going off the deep end with this, I am going to drop you and the conversation like a hot rock in Hell.

Reply to
Mr. Arnold

Trivial: IPsec doesn't do the job. It always leaves open at least one port for IKE traffic (usually UDP 500, but sometimes also TCP 4500) as well as IP protocols 50 and 51.

And, if we're talking Windows, you have to disable the default exemptions as well, or you'll additionally let some other kinds of traffic bypass it. Before Windows Server 2003, it wasn't even possible to disable all those exemptions.

Reply to
Sebastian Gottschalk

And I am telling you that you can set rules to block those ports. So, if I set rules to block those specified ports you're talking about with IPsec, then what the heck are you talking about?

I can use IPsec in a FW like manner or a packet filtering like manner to block packets inbound or outbound on ports by port, protocol, IP and subnet.

You are making no sense.

And I am also telling you that what you have stated above will not hold water with me. No way and no how have you proved anything with valid proof -- documented proof.

Once again, you show some kind of valid proof that IPsec that's running on the MS NT based O/S is a bad idea. I don't see anything coming from you but lip-service. I don't see your evidence.

What? Are you incapable of reading the information in the links?

Dispute the information in the links with other solid information, to support your claims about how IPsec cannot do the job and cannot be used in a FW like manner that is being talked about in the links.

formatting link
I don't see your solid proof. Where is your proof to dispute what's being talked about in the links above, which you flat-out can't do?

Man, I don't want lip-service from you.

Reply to
Mr. Arnold

Well, why don't you simply try that and see how this fails? The GUI and the command line interface won't even let you create such rules, and when you manually write them to the registry they won't be loaded / won't work.

Ehm... that these rules don't work? That your "if" won't even be fulfillable?

Ok, then what about *you* actually reading the documentation then?

D'oh, first hit on Google for "IPsec default exemption":

short summary: you cannot filter IKE and ESP/AH traffic at all, you cannot filter multicast and broadcast traffic on Windows 2000 and XP

Why do you believe that authors of the linked articles have any clue what they're doing? Obviously they fell, just like you, for the perception of it working as intended, but never bothered to actually audit, which would have shown them that it doesn't work as intended (but has some exemptions, which punch holes into the "firewall"). Well, most likely one copied from the others without thinking about it. Dunno who originally had this stupid idea then, was it SANS-ICS?

Reply to
Sebastian Gottschalk

Well I did when I told IPsec to block all ports.

Yeah right, you are such the authority aren't you?

I suggest you do the same, because I have been using IPsec in a supplemental role.

Do you know what FW like manner means?

The Internet Protocol Security (IPsec) feature in Windows 2000, Windows XP and Windows Server 2003 was not designed as a full-featured host-based firewall.

I have said in previous posts to you that IPsec was to be used in a supplemental fashion.

Your head is so hard it's un-believable.

Trivial: I don't care about that as long as I can block by IP or port period, which I can do.

And you're some kind of an authority?

Yes, I forgot you're Superman and you know it all and you're the supreme authority.

You have not proved anything and you're on another planet.

Know this that's a soft logical . I am already tired of you and I am through with you for now. I'm sure you'll strap on the cape and fly in on something else you don't like in the future.

Reply to
Maximum Dog3

With bestows the mentioned exemptions. And trying to explicitly add such rules will fail.

I am. At least I am able to read the documentation.

Quite the contrary. But you should better re-read the postings.

OK, then how exactly do you want to block port 500/UDP? And well, it will be open, due to using the IPsec service.

I have proved you wrong. Trivially. You not accepting this doesn't change anything.

Reply to
Sebastian Gottschalk
