GeologyETH
asked on
block/allow IP ranges w2k8

I would like to block/allow IP ranges with the w2k8 firewall. In principle, the idea is to block e.g. a huge IP range and, by a second rule, open it for a sub-range of the one just blocked. I tried this with two Inbound rules, but it seems that the first (blocking) rule "dominates" the second one.

Any ideas?
Radhakrishnan

GeologyETH (ASKER)
Thanks. I guess I misunderstand something. As an example, I want to block the range abc.def.0.0/16 (remote IP addresses), but allow an IP range inside it, e.g. abc.def.xyz.0/24.
Thus I created an inbound rule which blocks the range abc.def.0.0/16 and a second inbound rule which allows access for abc.def.xyz.0/24.

But it does not work this way: the range abc.def.0.0/16, and with it abc.def.xyz.0/24, is blocked.

Any idea?
Hi,

I think you have selected the first option (i.e. "These IP addresses or subnet"), but you need to select the second option, "This IP address range"; then you will be able to provide the from-IP and to-IP of the range.

The same procedure can be applied to both allow and deny rules.

Reboot the server for the new settings to take effect and see it working as expected.
Yes, I selected "These IP addresses or subnet" to block the subnet abc.def.0.0/16 and, for the second rule, the same option to allow abc.def.xyz.0/24 (and other such IP ranges).
Now I changed the blocking rule to "This IP address range", i.e. "From: abc.def.0.0" and "To: abc.def.255.255", but the result is the same.
OK, I found http://technet.microsoft.com/en-us/library/cc755191%28v=ws.10%29.aspx, which says that blocking rules take precedence. Thus it's not possible to block and then re-open.
But does this mean that, to be able to block abc.def.0.0/16 except abc.def.xyz.0/24 (and other such IP ranges), I need a blocking rule that lists all sub-ranges of abc.def.0.0/16 except abc.def.xyz.0/24?

Thanks.
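Since the TechNet article the asker found says block rules win over allow rules, the workaround raised in the post above is to give the block rule every sub-range of the /16 except the allowed /24(s). The following is an added example, not code from this thread: a Python script that computes that complement for one or more excluded ranges (so it also covers the "other such IP ranges" case) and emits the equivalent `netsh advfirewall` inbound block rule, which is the command-line form of the Inbound Rule created in the GUI. The 10.20.0.0/16 addresses and the rule name are constructed placeholders for the thread's abc.def.0.0/16 and abc.def.xyz.0/24.

```python
import ipaddress


def excluded_blocks(outer, exclusions):
    """Return the CIDR blocks that cover `outer` with every network in
    `exclusions` cut out, sorted by address.  Because a Windows Firewall
    block rule always wins over an allow rule, these are the ranges the
    block rule itself has to list instead of relying on a second allow rule."""
    remaining = [ipaddress.ip_network(outer)]
    for ex in map(ipaddress.ip_network, exclusions):
        nxt = []
        for net in remaining:
            if ex.subnet_of(net):
                # split net into the sibling blocks around ex (yields nothing if ex == net)
                nxt.extend(net.address_exclude(ex))
            elif net.subnet_of(ex):
                continue  # net lies entirely inside an exclusion: drop it
            else:
                nxt.append(net)  # no overlap: keep as is
        remaining = nxt
    return sorted(ipaddress.collapse_addresses(remaining))


def netsh_block_rule(name, outer, exclusions):
    """Build the netsh advfirewall command for one inbound block rule whose
    remoteip list is the complement computed by excluded_blocks()."""
    remote = ",".join(str(n) for n in excluded_blocks(outer, exclusions))
    return (f'netsh advfirewall firewall add rule name="{name}" '
            f'dir=in action=block remoteip={remote}')


if __name__ == "__main__":
    # Constructed sample: block 10.20.0.0/16 except 10.20.30.0/24, i.e. the
    # thread's abc.def.0.0/16 minus abc.def.xyz.0/24 with placeholder octets.
    for net in excluded_blocks("10.20.0.0/16", ["10.20.30.0/24"]):
        print(net)
    print(netsh_block_rule("Block 10.20/16 except 10.20.30/24",
                           "10.20.0.0/16", ["10.20.30.0/24"]))
```

A /16 minus one /24 always splits into 8 blocks (one sibling per prefix length from /17 to /24), so listing them by hand is error-prone; the script does the arithmetic and the firewall then needs only this single block rule, with no allow rule to be overridden.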
ASKER CERTIFIED SOLUTION
Radhakrishnan
This solution is only available to members.
If it's not possible that way, how (if at all) can a rule restrict access to abc.def.xyz.0/24 (and other such IP ranges)? Ideas?

Thanks in advance.