Internets: Permit IP Ranges in Vista
So, the below post is causing unnecessary blocks? You can create a Permit Filter Action, then create a Filter List that allows addresses. Create a rule, add it to your policy and you’re all set.
We’ll set up the Permit filter action, and the Allow filter list using netsh. But it will be easier to add and remove IPs from the allow list using the IP Security Policy Management snap-in than netsh. Just remember that you can’t manage ranges of IPs with the snap-in, only netsh.
Keep in mind that the “most restrictive wins” rule applies, except this time with an exception due to weight. It’s pretty simple: the more specific the rule, the higher weight it has; the higher weight rule gets applied. So if you have a range you want to allow, you’re going to need to be sure that it does not encompass any ranges that are used by a rule that uses a block filter action. But, since, for example, a single IP is more specific than a range that’s blocked, adding it to a filter that uses an permit filter action will work. phew.
- Create the permit filter list:
netsh ipsec static add filterlist name="IP Permitlist Filter" desc="IP permitlist filter"
- Create the permit filter action:
netsh ipsec static add filteraction name="Permit Filter Action" action=permit
Add the IP to your filter list and add a rule to your policy.
- Start>Run> mmc
- File>Add/Remove Snap-in> Find the IP Security Policy Management snap-in in the available list and add it. With Local Computer selected, click finish.
- Right-click on the IP Security Policy created in the last post.
- Add. This rule does not specify a tunnel, this rule applies to all network connections, highlight IP Permitlist filter.
- Click edit.
- Click add.
- Source is where you want to specify the allowed address.
- Destination is My IP Address.
- Protocol type is Any.
- Bullet IP Permitlist Filter.
- Bullet Permit Filter Action.
- OK. (and people wonder why I use the command line so much)
You can edit/add IP addresses later by editing the filter list.