I'm trying to set up Windows Server 2008 R2's firewall so that it blocks all traffic except traffic originating from US IPs. The current inbound firewall policy is set up as follows:
- Block a few ports (from everywhere)
- Allow a few ports/services (from everywhere)
- Apply default action (block)
So I need to add some logic above the allow logic. I read through Microsoft's documentation at: http://technet.microsoft.com/en-us/library/ff602923 and saw that block rules are applied before allow rules — so as I see it I have a couple of options:
- Create one massive block rule that blocks all non US IPs
- Create a block rule for each country/continent/… with all IPs for that region (basically the same as option 1, just making more rules for easier management.)
- Create one massive accept rule that allows only US IPs
I'd prefer to go with the third option since it should result in a smaller rule set. However, my concern is that if I create a default "accept everything from the US" rule, it will override the default block actions — and allow users in the US to hit things inbound that were previously blocked by the default action.
So — has anyone set up something like this before? If so, what route did you choose?
Edit: I know I could go to each allow rule and restrict each one with a list of US IPs. Let's assume I don't want to do that, as it creates a much bigger headache.
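As an added example (not from the original question or answer), the following Python script generates the `netsh advfirewall` commands for two of the options above, since Server 2008 R2 has no NetSecurity PowerShell module. Option 1 is built by computing the complement of the US list over all of IPv4 and emitting block rules; because Windows Firewall evaluates block rules before allow rules, those rules win regardless of how the rule set is ordered. Option 3 is shown with an explicit `localport` list: with `localport=any` a US-scoped allow rule matches every inbound connection from the listed addresses and the default block never applies to them, which is exactly the concern raised in the question. The address ranges are placeholders from RFC 5737 documentation space, not a real country allocation, and the chunk size per rule is an arbitrary assumption to keep each command line short.

```python
"""Generate Windows Firewall (netsh advfirewall) rules from a country IP list.

Added example, not part of the original post. Assumes the netsh syntax of
Windows Server 2008 R2; US_RANGES and MAX_PER_RULE are placeholders.
"""
import ipaddress

# Constructed placeholder list standing in for a US address feed (RFC 5737).
US_RANGES = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]

# Assumed chunk size: remoteip takes one comma-separated list per rule.
MAX_PER_RULE = 50


def complement(cidrs):
    """Return the IPv4 networks NOT covered by cidrs, i.e. the block list."""
    allowed = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(c) for c in cidrs))
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for net in allowed:
        nxt = []
        for r in remaining:
            if net.subnet_of(r):
                nxt.extend(r.address_exclude(net))  # carve net out of r
            elif r.subnet_of(net):
                continue                             # r is entirely allowed
            else:
                nxt.append(r)                        # disjoint, keep as-is
        remaining = nxt
    return list(ipaddress.collapse_addresses(remaining))


def chunks(seq, n):
    """Split seq into lists of at most n items."""
    return [seq[i:i + n] for i in range(0, len(seq), n)]


def block_rules(cidrs, name="Block non-US", max_per_rule=MAX_PER_RULE):
    """Option 1: one block rule per chunk of non-US networks.

    Block rules are evaluated before allow rules, so these take precedence
    over every existing allow rule without touching the allow rules.
    """
    cmds = []
    for i, part in enumerate(chunks(complement(cidrs), max_per_rule), 1):
        ips = ",".join(str(n) for n in part)
        cmds.append(
            f'netsh advfirewall firewall add rule name="{name} {i}" '
            f'dir=in action=block remoteip={ips}')
    return cmds


def allow_rule(cidrs, ports, name="Allow from US"):
    """Option 3, scoped to named ports.

    Naming localport keeps the default inbound action (block) in force for
    every other port; localport=any would open all ports to these sources.
    """
    ips = ",".join(cidrs)
    lp = ",".join(str(p) for p in ports)
    return (f'netsh advfirewall firewall add rule name="{name}" dir=in '
            f'action=allow protocol=TCP localport={lp} remoteip={ips}')


if __name__ == "__main__":
    for cmd in block_rules(US_RANGES):
        print(cmd)
    print(allow_rule(US_RANGES, [80, 443]))
```

The generated lines are meant to be reviewed and then run from an elevated command prompt; `complement` relies on the fact that two CIDR blocks either nest or are disjoint, so carving each allowed block out of the containing remainder is sufficient.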
Best Answer
I think that you need to seriously re-evaluate what you're trying to do if you're concerned about which order your firewall rules are in. This is going to be a complete logistical nightmare. Based on what you've outlined, option 3 does sound like the best.