block/allow IP ranges w2k8

I would like to block/allow IP ranges with the w2k8 firewall. In principle, the idea is to block e.g. a huge IP range and, by a second rule, open it for a sub-range of the just blocked one. I tried this with two inbound rules, but it seems that the first blocking rule "dominates" the second one.

Any ideas?
GeologyETH asked:
GeologyETH (Author) commented:
Thanks. I guess I misunderstand something. As an example, I want to block e.g. the range abc.def.0.0/16 (remote IP addresses), but allow an IP range, e.g. abc.def.xyz.0/24.
Thus I created an inbound rule which blocks the range abc.def.0.0/16 and a second inbound rule which allows access for abc.def.xyz.0/24.

But it does not work this way, the range abc.def.0.0/16 and with it abc.def.xyz.0/24 is blocked.

Any idea?
0
Radhakrishnan R (Senior Technical Lead) commented:
Hi,

I think you have selected the first option (i.e. "This IP addresses or subnet"), but you need to select the second option, "This IP address range"; then you will be able to provide the "from" IP and the "to" IP of the range.

The same procedure can be applied to both allow and deny rules.

Reboot the server for the new settings to take effect and see it working as expected.
0
GeologyETH (Author) commented:
Yes, I selected "This IP addresses or subnet" to block the subnet abc.def.0.0/16 and, for the second rule, the same to allow abc.def.xyz.0/24 (and other such IP ranges).
Now I changed the blocking rule to "This IP address range", i.e. "From: abc.def.0.0" and "To: abc.def.255.255", but the result is the same.
0
GeologyETH (Author) commented:
Ok, I found http://technet.microsoft.com/en-us/library/cc755191%28v=ws.10%29.aspx which says that blocking rules take precedence. Thus, it's not possible to block and then to re-open.
But does this mean that, to be able to block abc.def.0.0/16 except abc.def.xyz.0/24 (and other such IP ranges), I need a blocking rule defining all sub-ranges of abc.def.0.0/16 except abc.def.xyz.0/24?

Thanks.
0
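An added example (not from this thread) of one way to do what the comment above asks: compute the CIDR sub-ranges of the blocked /16 that leave the allowed /24s out, so the block rule never covers the allowed range and the precedence problem does not arise. The networks 10.20.0.0/16 and 10.20.30.0/24 are constructed placeholders for the thread's abc.def ranges, and the generated `netsh advfirewall` command (the CLI available on Windows Server 2008) is an assumption about how the rule would be entered.

```python
import ipaddress


def block_ranges_except(blocked, allowed):
    """Return the CIDR blocks covering `blocked` minus every network in `allowed`.

    Windows Firewall evaluates block rules before allow rules (see the TechNet
    article cited in the thread), so an allow rule cannot punch a hole in a
    larger block rule. Blocking only the complement avoids the conflict.
    """
    remaining = [ipaddress.ip_network(blocked)]
    for allowed_net in (ipaddress.ip_network(a) for a in allowed):
        kept = []
        for net in remaining:
            if allowed_net.subnet_of(net):
                # Split `net` into the CIDR blocks that do not contain allowed_net.
                kept.extend(net.address_exclude(allowed_net))
            elif net.subnet_of(allowed_net):
                continue  # block lies entirely inside an allowed range: drop it
            else:
                kept.append(net)  # disjoint: keep as-is
        remaining = kept
    return sorted(remaining)


def is_blocked(networks, ip):
    """True if `ip` falls inside any of the computed block networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def netsh_block_rule(name, networks):
    """Build one inbound block rule listing all computed ranges (netsh accepts a
    comma-separated remoteip list; assumed Windows Server 2008 syntax)."""
    remoteip = ",".join(str(net) for net in networks)
    return (f'netsh advfirewall firewall add rule name="{name}" '
            f'dir=in action=block remoteip={remoteip}')


if __name__ == "__main__":
    # Constructed example: block 10.20.0.0/16 but keep 10.20.30.0/24 reachable.
    nets = block_ranges_except("10.20.0.0/16", ["10.20.30.0/24"])
    for net in nets:
        print(net)
    print(netsh_block_rule("Block 10.20.0.0/16 except 10.20.30.0/24", nets))
```

A /16 minus one /24 needs eight CIDR blocks, which fit in a single rule's remote address list; adding more allowed ranges just grows that list.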
Radhakrishnan R (Senior Technical Lead) commented:
Hi,

I believe that the deny rule takes precedence even if you exclude abc.def.xyz.0/24. Unfortunately I haven't tested a scenario like this before. I use a hardware firewall to allow/block IP addresses.
0
GeologyETH (Author) commented:
If it's not possible that way, (how) can a rule restrict access to abc.def.xyz.0/24 (and other such IP ranges)? Ideas?

Thanks in advance.
0