Security
Thursday, July 11, 2002A tricky bit about Microsoft's IPsec filters
Say you have two rules. One says, from my address to any address, deny. The other says, from this address to any address, permit. The rules intersect, since "this address" is a member of the class "my address." For some reason, the denying rule takes precedence.In order for the rules to not interfere, a port number needs to be specified.
Why is this annoying? Because the more specific rule should take precedence, otherwise the generic rule won't work. In this case, however, the class "My Address" is both all local addresses and this address. The class "My Address" doesn't just contain the class "This Address": It is the class "This Address."
1:41:05 PM # Google It!
categories: Security, System Administration
