I want to block all traffic originating from an external IP. However, with everything revolving around 'publishing' I'm not sure where I'd do this. Basically I'd like the exact same thing as the default 'deny' system rule, but specific to a set of IPs that I can move up in the rules list. However, the 'All Traffic' option is not available on the protocols tab like it shows in that system rule.
P.S. I swear I posted this once already last night but couldn't find it anywhere when I checked for responses today.
I don't know how your ISA is configured, but normally to restrict access you first need to allow access (unless you're doing some hardening of the default system policies). If you have used a publishing rule to publish something, check the From tab of this rule; there is an Exceptions option where you can add your set of blocked IP addresses.
Yes, I know deny is by default. However, correct me if I'm wrong but I don't think listing an IP in an exclusion will block it, it simply means the rule will not apply to that traffic and it will move down to the next rule.
I've got a number of publishing rules and I don't want to add an exclusion for each one of these in order to let this traffic I want to block get all the way to the system deny rule.
Plus, I'd prefer this to be its own block rule where I can put it at the top of my rules and not have to worry about the ordering of the other rules.
As for Steve's question from the other post on why I would want to do this: consider the example of downloading some of these "country" network sets to block an entire country's IP traffic. That's not my primary reason, but you get the idea. I just want to be able to block traffic if I've manually identified it as bad.
If you have got a server publishing rule for SMTPS, then one for POP3S... and add exceptions to the SMTPS rule, traffic from the exceptions to IP address:SMTPS port will get blocked by the SMTPS rule, while traffic from the exceptions to IP address:POP3S port will "pass" over the SMTPS rule to the POP3S rule...
The clean way to do it will be on each publishing rule. How many of these do you have, by the way, that it is so "complicated" to add the set of blocked IP addresses (which you define only once and apply to every rule)? And once you've added it to every publishing rule, then you only need to update that block of IP addresses as you like, and not every publishing rule.
Another "dirty" and possibly dumb way (I've tried it only in my lab some time ago as part of a distraction) is to create an access rule for the needed protocols, set to deny, on top of the other rules, from the needed set of blocked IP addresses to Localhost. As far as I remember, this will apply for example for SMTPS, POP3S... but not for HTTP if you have a web server publishing rule or so. By needed "protocols" I mean the ones you used within your publishing rules.
Thanks adimcev, but either I'm misreading your example or it is incorrect. Exceptions (I mistakenly said exclusions earlier) are NOT blocked unless the traffic manages to fall all the way through the rules to the default 'deny' system rule. In other words, traffic that matches an exception will basically have the same access that it would if that rule was not there at all.
I want the 'dirty' way here. We have multiple rules and we're adding new ones all the time for a new SSL site or server etc., and I don't want this additional exception to be required by every new rule.
But is this so dirty? I basically want a copy of the system 'deny' rule, but I want to add some additional parameters to it, and its 'all traffic' is something that is not user selectable inside of a normal access rule. Blocking traffic by IP is the fundamental concept of any firewall, isn't it? Or am I hanging on to my old layer 2 ideas a bit too tightly?
Let me see if I understand you, so let's "synchronize" a little bit. ISA default, no publishing rules.
You create a publishing rule to publish, say, an SMTPS server. Now SMTPS traffic from anywhere to the SMTPS server is allowed, like anywhere -> IP address used to publish the SMTPS server:SMTPS port. Everything else is implicitly denied. But you want to allow SMTPS traffic from anywhere (actually the External Network) except a set of blocked IP addresses.

With ISA, like with any good firewall, you can work with "firewall objects", and in your case you want to work with "network objects". You have some options here; a good one is the "Computer Set", where you can add single IP addresses, address ranges or subnets. You create such a computer set for your blocked IP addresses. And you add this set to the From tab of your SMTPS publishing rule in the Exceptions area. Now when SMTPS traffic comes from that set of IP addresses it does not match your SMTPS rule and it will be implicitly blocked, as it is not allowed by any rule.

Next you create another publishing rule to publish, say, a POP3S server. You want the same thing for this rule for your set of blocked IP addresses. That's easy: you add that set to the From tab of your POP3S publishing rule in the Exceptions area. And the POP3S traffic that comes from that set of IP addresses does not match your POP3S rule and it will be implicitly denied. And your firewall rules, like any good firewall rules, allow only the minimum, the rest being implicitly denied by the default rule.
However, you are not happy with this type of "blocking". You want to explicitly block the traffic with a rule on top of the others.
As already said, create an access rule like:

Rule No 1
Action: Deny
From: Blocked Set of IP addresses
To: Localhost
Protocols: SMTPS, POP3S

If I remember correctly, if you have a web publishing rule (HTTP) and you add HTTP too within your deny rule, the deny will not work at the "TCP level" (just in case you try with telnet) - sorry for not being too explicit - but eventually the requests will be blocked.
I've called this the dirty way because I do not remember having seen it documented on Microsoft's site, and if so, you should test and use it at your own risk.
Yes, I think we're sync'd. Yes, if I want to deny access to SMTP I would add the denied IP to the exception. But I want to deny access to everything, which means I have to add this exclusion to EVERY rule. Yes, I realize that I could create a computer set and I only have to do this once per rule, but I guess this has turned into a bit of a quest for me to understand why things are the way they are. Blocking an IP is probably the simplest task you can perform on any layer 2 firewall. I look at an application layer aware firewall like ISA as just having extra features that allow you to create additional rules based on the protocol level rather than just the IP level, giving that finer granularity. But I'm somewhat confused on why such a firewall would hide or remove what I consider basic functionality. Again, maybe I'm hanging on to my old layer 2 firewall a bit too tightly, but "block an IP" just feels like it should be simple.
The problem with access rules is that they seem to be based on outbound traffic. I've not been able to create an access rule yet that does what I want so specific instructions would be very helpful if you think it would work and have the time.
The logic may be: no need to block something that you have not allowed, and this logic should be behind any good firewall. On such a firewall, the rules allow only what's needed, everything else being implicitly denied. In your case, since you do not allow traffic from that set of IP addresses on any of your publishing rules, this traffic will be implicitly denied.
Some background on ISA's access/server publishing/web publishing rules:
If you want to experiment with that "dirty" way, you can make a little test like:

- Use a server publishing rule to publish, say, an SMTPS server. Use a "dummy server" behind ISA as the published server; it does not have to be able to respond to your requests, probably it will just send a RST segment. Leave the From tab at anywhere, and don't use exceptions either.
- Test that rule with telnet from an external host: telnet "public IP address used within the server publishing rule" "SMTPS port"
- Watch the live logging on ISA; the connection should be initiated. Your telnet connection would probably get closed (due to the reset).
- Create a top access rule (No 1): Action: Deny, From: IP address of your external test machine, To: Localhost, Protocols: SMTPS, All Users. I suppose you can try to replace SMTPS with all outbound traffic.
- Telnet again from your external machine and watch the live logging on ISA. The deny access rule should block you now.
My recommendation though, would be to contact Microsoft and see what they have to say, as after that you may have something solid(a best practice or so) to go into production with.
Ok, I feel a little dumb. It turns out that all this took was an access rule with: Protocols: "All outbound traffic", From: Blocked IPs (computer set), To: All networks.
I think the reason it didn't work the first time is because my test connection (I started with HTTP) was still open when I applied the change and I didn't give it a chance to close, which means I was using a connection that was opened before its traffic was denied. Simply waiting until I got the "Closed Connection" in the log and then testing again was all it took :P.
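The two approaches argued over in this thread (exceptions on each publishing rule versus one deny rule at the top) come down to first-match rule evaluation. The following is an added model written for this thread, not ISA code or anything from the original posters; it assumes a simplified ordered rule list with an implicit default deny, and the IP addresses are constructed documentation-range values.

```python
from dataclasses import dataclass, field

ANY = "*"  # stands in for ISA's "anywhere" / "All outbound traffic"


@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    protocols: set                                # e.g. {"SMTPS"} or {ANY}
    sources: set                                  # From tab; {ANY} = anywhere
    exceptions: set = field(default_factory=set)  # From tab -> Exceptions

    def matches(self, src, proto):
        # An exception only makes this rule NOT apply; it blocks nothing itself.
        if src in self.exceptions:
            return False
        return (ANY in self.protocols or proto in self.protocols) and \
               (ANY in self.sources or src in self.sources)


def evaluate(rules, src, proto):
    """First matching rule wins; the default system rule denies the rest."""
    for rule in rules:
        if rule.matches(src, proto):
            return rule.action, rule.name
    return "deny", "Default rule"


# Constructed sample addresses (documentation ranges, not real hosts).
BAD_IP, GOOD_IP = "203.0.113.10", "198.51.100.7"
BLOCKED_SET = {BAD_IP}  # the "Blocked IPs" computer set from the thread

# Two publishing rules; only the SMTPS rule carries the exception.
PUBLISHING = [
    Rule("Publish SMTPS", "allow", {"SMTPS"}, {ANY}, exceptions=BLOCKED_SET),
    Rule("Publish POP3S", "allow", {"POP3S"}, {ANY}),
]


def exceptions_only():
    """Exception on one rule: the bad IP still reaches any rule lacking one."""
    return {p: evaluate(PUBLISHING, BAD_IP, p) for p in ("SMTPS", "POP3S")}


def with_top_deny():
    """A single deny rule at position 1 blocks the set for every protocol."""
    rules = [Rule("Block bad IPs", "deny", {ANY}, BLOCKED_SET)] + PUBLISHING
    return {(ip, p): evaluate(rules, ip, p)
            for ip in (BAD_IP, GOOD_IP) for p in ("SMTPS", "POP3S")}


if __name__ == "__main__":
    print(exceptions_only())
    print(with_top_deny())
```

The first function shows the fall-through the original poster describes (the blocked address is denied on SMTPS only because nothing else allows it, but POP3S still lets it in), while the second shows why the top-of-list deny rule from the final post covers every current and future publishing rule.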