That's quite an ambitious undertaking!
If I can help with testing (my present profession), feel free to holler.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!

----- Original Message -----
From: "Max" <max.bene@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, February 19, 2002 06:45
Subject: [isalist] Re: Packet Filtering on non-default external IP Address

http://www.ISAserver.org

Hi Jim,
There's not a special need... I've thought it would be great for my work to extend some capabilities of ISA server, for example blocking an IP address for a certain time after a Port Scan (just like Firewall-One for example does), or to automatically block traffic with people who try something like:

http://www.worm.com/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNnn...

or

http://.../scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir

or blocking access to the SMTP relayer to those clients who tried a spam... or enhance the log capabilities building a Web based application in order to get a real-time monitoring of traffic...

I'm trying to build a fully integrated firewall solution with ISA SDK, MS Platform SDK and a Web Application for my customers, as I have to remotely support and check their arrays...

You're right, for Web worms I use a "deny" Web Publishing rule for All Internal Destination Sets, populating a client address set with those IP addresses... I've thought it would be more appropriate...

If you have any suggestion I'd really appreciate...

Thanks again
Max

> It's pretty much a guarantee that any additional decision-making you apply
> to any proxy/firewall will affect performance.
> I'd also be careful auto-blocking; sometimes a client address set is more
> appropriate than a packet filter.
> Also, since ISA recognizes many of the more common intrusion attacks and
> blocks them by default, what is it you're adding?
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/authors/harrison/
> Read the books!
>
> ----- Original Message -----
> From: "Max" <max.bene@xxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Tuesday, February 19, 2002 00:55
> Subject: [isalist] Re: Packet Filtering on non-default external IP Address
>
>
> http://www.ISAserver.org
>
>
> Thanx Jim.
> I'm trying to develop some additional features on ISA, for example
> Auto-Blocking Spammers, Intruders and Worm attacks on Web Proxy...
> This means that I have to create a Packet Filter for each Intruder IP on
> each External IP Address of each Server of the Array...
>
> Can this affect server performance, as each packet has to be checked with
> all the filter conditions before being allowed to pass?
>
> Thanks Again
> Max
>
> > Nope; packet filtering is IP-specific on the external NIC.
> >
> > Jim Harrison
> > MCP(NT4, W2K), A+, Network+, PCG
> > http://isaserver.org/authors/harrison/
> > Read the books!
> >
> > ----- Original Message -----
> > From: "Max" <max.bene@xxxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Monday, February 18, 2002 02:52
> > Subject: [isalist] Packet Filtering on non-default external IP Address
> >
> >
> > http://www.ISAserver.org
> >
> >
> > Hi all,
> > I'm getting some trouble with packet filters...
> > My ISA has 4 IP Addresses on the external interface, and I've found out
> > that blocking traffic with packet filters on non-default IP addresses
> > requires filling the "This ISA Server's external IP Address" field on the
> > "Local Computer" Tab...
> > Is there any way to block traffic on all external IP addresses?
> >
> > PS: I've tried with the "These computers (on the perimeter network)..."
> > option but it doesn't seem to work...
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
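
The time-limited auto-block discussed in this thread, sketched as an added example that is not part of the original messages and does not use the ISA SDK: it matches the two request patterns quoted above against web log lines and keeps offending clients in an expiring address set rather than a permanent filter. The log line layout, the ten-minute block time and all names are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Signatures for the two request shapes quoted in the thread. The second also
# covers other %c0/%c1 overlong encodings, a generalisation beyond the thread.
SIGNATURES = {
    "ida-overflow-probe": re.compile(r"/default\.ida\?N{8,}", re.I),
    "unicode-traversal": re.compile(r"\.\.%c[01]%[0-9a-f]{2}\.\./", re.I),
}
BLOCK_TTL = timedelta(minutes=10)  # assumed block duration

# Constructed sample log (hypothetical "date time client method url" layout).
SAMPLE_LOG = [
    "2002-02-19 06:45:01 192.0.2.10 GET /default.ida?" + "N" * 40,
    "2002-02-19 06:45:07 198.51.100.7 GET /index.html",
    "2002-02-19 06:50:30 203.0.113.5 GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir",
]

def parse(line):
    """Split one log line into (timestamp, client ip, method, url)."""
    date, time, ip, method, url = line.split(None, 4)
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), ip, method, url.strip()

class TimedBlockList:
    """Client address set whose entries expire after a fixed time."""
    def __init__(self, ttl=BLOCK_TTL):
        self.ttl = ttl
        self.expires = {}  # ip -> (expiry time, signature name)

    def observe(self, line):
        """Block the client if the requested URL matches a signature."""
        ts, ip, _method, url = parse(line)
        for name, rx in SIGNATURES.items():
            if rx.search(url):
                self.expires[ip] = (ts + self.ttl, name)
                return name
        return None

    def blocked(self, now):
        """Drop expired entries and return the addresses still blocked."""
        self.expires = {ip: v for ip, v in self.expires.items() if v[0] > now}
        return sorted(self.expires)

def replay(lines, ttl=BLOCK_TTL):
    """Feed log lines through a fresh block list; return it and per-line hits."""
    bl = TimedBlockList(ttl)
    hits = [(parse(line)[1], bl.observe(line)) for line in lines]
    return bl, hits
```

Because entries expire on their own, an address blocked by mistake is released after the block time without manual cleanup.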