Guest Bill Simard
Posted November 11, 2008

I am running 2000 Server, and in the IP security policy I can add IP ranges to block, e.g. 77.0.0.0 with a subnet mask of 255.0.0.0 to block the entire 77.0.0.0-77.255.255.255 range. But when I try to do this for the higher ranges, e.g. 193.0.0.0 with a subnet mask of 255.0.0.0 to block the entire 193.0.0.0-193.255.255.255 range, it will not work.

It gives me an "Invalid Net Mask" message and will not let me go any farther.

I tried this on XP, and XP has no problems accepting the higher ranges.

I tried exporting the policy from XP to 2000, but it will not work. You can go from 2000 to XP, but not vice versa; must be a compatibility thing.

Does anyone know if there is a fix for 2000 that addresses this issue?

Is there a way to submit this to MS as a bug and not a pay-for-support issue?

Is there a way to manually edit the IPsec policy file? I looked at it with a hex editor, but it is encrypted or written in machine code that I can't make heads or tails of.

Any help would be greatly appreciated.

Thanks
Bill
Guest kbits.net
Posted November 12, 2008

It's not a bug; it is in the TCP/IP design. The problem is that you are trying to use a Class A subnet mask with a Class C IP address range. For a Class C address range the default subnet mask is 255.255.255.0. There are only certain subnet masks you can use. For Class C there are a handful, such as 255.255.255.192. There are sites that discuss subnetting, and Cisco books on the subject as well.

Hope this helps

"Bill Simard" wrote:

> I am running 2000 Server, and in the IP security policy I can add IP ranges to block, e.g. 77.0.0.0 with a subnet mask of 255.0.0.0 to block the entire 77.0.0.0-77.255.255.255 range. But when I try to do this for the higher ranges, e.g. 193.0.0.0 with a subnet mask of 255.0.0.0 to block the entire 193.0.0.0-193.255.255.255 range, it will not work.
>
> It gives me an "Invalid Net Mask" message and will not let me go any farther.
>
> I tried this on XP, and XP has no problems accepting the higher ranges.
>
> I tried exporting the policy from XP to 2000, but it will not work. You can go from 2000 to XP, but not vice versa; must be a compatibility thing.
>
> Does anyone know if there is a fix for 2000 that addresses this issue?
>
> Is there a way to submit this to MS as a bug and not a pay-for-support issue?
>
> Is there a way to manually edit the IPsec policy file? I looked at it with a hex editor, but it is encrypted or written in machine code that I can't make heads or tails of.
>
> Any help would be greatly appreciated.
>
> Thanks
> Bill
Guest Alun Jones
Posted November 13, 2008

"kbits.net" <kbitsnet@discussions.microsoft.com> wrote in message news:621E9825-9087-49AA-9571-EA3C20083E83@microsoft.com...

> It's not a bug; it is in the TCP/IP design. The problem is that you are trying to use a Class A subnet mask with a Class C IP address range. For a Class C address range the default subnet mask is 255.255.255.0. There are only certain subnet masks you can use. For Class C there are a handful, such as 255.255.255.192. There are sites that discuss subnetting, and Cisco books on the subject as well.

I have to respectfully disagree with you there. Even in the days of Windows 2000, there was CIDR (Classless Inter-Domain Routing), in which the first octet does NOT specify the subnet mask to be applied.

Even if that were not the case, the filtering range is something akin to a router range. Though it looks like a subnet mask, it is not a local subnet mask, and therefore the filter should assume that the mask may imply a range that extends across more than one subnet.

Having said that, I doubt that you'll get much impetus behind persuading Microsoft to fix an operating system that is rapidly approaching its ten-year anniversary. In OS years, that's akin to too old to be worried about getting a bikini wax to make yourself more attractive to the young boys. While 2000 may not be quite end-of-life, it is at least winding down, and you'll find that Microsoft isn't willing to make fixes that aren't better addressed some other way. Wouldn't it be cheaper to buy a simple off-the-shelf, honest-to-goodness firewall to plug in front of the server?

Alun.
~~~~
--
Texas Imperial Software | Web: http://www.wftpd.com/
23921 57th Ave SE | Blog: http://msmvps.com/alunj/
Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(206)428-1991 | Try our NEW client software, WFTPD Explorer.
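The disagreement above comes down to whether a mask such as 255.0.0.0 is tied to the first octet of the address it is paired with. The following is an added example written for this page (it is not code from any of the posters, and it is not the logic of the Windows 2000 IPsec filter dialog); it judges a proposed block filter the classless way, accepting any mask whose bits are contiguous and computing the range from the resulting prefix, and for comparison reports how many classful default networks the filter spans. It assumes Python 3 with the standard `ipaddress` module; the function names are hypothetical.

```python
from typing import Optional, Tuple
import ipaddress


def classful_prefix(addr: str) -> Optional[int]:
    """Classful default prefix length decided by the first octet (the
    RFC 791-era rule the earlier reply appeals to)."""
    first = int(addr.split(".")[0])
    if first < 128:
        return 8    # Class A: first octet 0-127
    if first < 192:
        return 16   # Class B: 128-191
    if first < 224:
        return 24   # Class C: 192-223
    return None     # Class D/E: no default host subnetting


def mask_is_contiguous(mask: str) -> bool:
    """A dotted mask is valid, classless or classful, only if its 32 bits are
    a run of 1s followed by a run of 0s (255.0.0.0, 255.255.255.192, ...).
    The address it is paired with plays no part in this test."""
    bits = int(ipaddress.IPv4Address(mask))
    inv = (~bits) & 0xFFFFFFFF
    # For 111..1000..0 the inverse is 000..0111..1; adding 1 then clears every bit.
    return (inv & (inv + 1)) == 0


def filter_range(addr: str, mask: str) -> Tuple[str, str, int]:
    """(first, last, prefix length) that the CIDR filter addr/mask covers.
    Raises ValueError for a non-contiguous mask or host bits set in addr."""
    net = ipaddress.IPv4Network((addr, mask), strict=True)
    return str(net.network_address), str(net.broadcast_address), net.prefixlen


def classful_networks_spanned(addr: str, mask: str) -> int:
    """How many of the address's classful default networks the filter spans:
    193.0.0.0/8 spans 2**(24-8) = 65536 Class C networks, 77.0.0.0/8 one Class A."""
    net = ipaddress.IPv4Network((addr, mask), strict=True)
    default = classful_prefix(addr)
    if default is None or net.prefixlen >= default:
        return 1
    return 2 ** (default - net.prefixlen)


def describe_filter(addr: str, mask: str) -> str:
    """One-line verdict on a proposed block filter, judged the classless way
    (hypothetical helper; not how the Windows dialog decides)."""
    if not mask_is_contiguous(mask):
        return f"{addr}/{mask}: invalid, mask bits are not contiguous"
    first, last, plen = filter_range(addr, mask)
    spans = classful_networks_spanned(addr, mask)
    return f"{addr}/{plen}: valid, covers {first}-{last} ({spans} classful network(s))"


if __name__ == "__main__":
    # Constructed inputs: the two filters from the question plus one genuinely bad mask.
    for a, m in [("77.0.0.0", "255.0.0.0"),
                 ("193.0.0.0", "255.0.0.0"),
                 ("193.0.0.0", "255.0.255.0")]:
        print(describe_filter(a, m))
```

Both filters from the question pass the contiguity test and yield the /8 ranges the poster expected; only a mask with a hole in it, such as 255.0.255.0, is rejected. The classful count is informational: a filter that spans many classful networks is still a single, well-formed prefix, which is the point of the reply above.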
Guest kbits.net
Posted November 14, 2008

Re: Bug (error) in IP Security Policy, is there a patch/fix fo

As I noted at the end of my post, go to an expert source. Pick up a Cisco book and go to the section on subnet masks and address classes. Don't rely too heavily on we tech forum eggspurts. Many of us have no certs or educ in the subject we offer expert advice in. Many are thus insecure and slam those who did educate and certify themselves. In the end the person who requested the help received none. But at least an ego was fed. And isn't that the purpose of this place? Feeding egos?

"Alun Jones" wrote:

> "kbits.net" <kbitsnet@discussions.microsoft.com> wrote in message news:621E9825-9087-49AA-9571-EA3C20083E83@microsoft.com...
>
> > It's not a bug; it is in the TCP/IP design. The problem is that you are trying to use a Class A subnet mask with a Class C IP address range. For a Class C address range the default subnet mask is 255.255.255.0. There are only certain subnet masks you can use. For Class C there are a handful, such as 255.255.255.192. There are sites that discuss subnetting, and Cisco books on the subject as well.
>
> I have to respectfully disagree with you there. Even in the days of Windows 2000, there was CIDR (Classless Inter-Domain Routing), in which the first octet does NOT specify the subnet mask to be applied.
>
> Even if that were not the case, the filtering range is something akin to a router range. Though it looks like a subnet mask, it is not a local subnet mask, and therefore the filter should assume that the mask may imply a range that extends across more than one subnet.
>
> Having said that, I doubt that you'll get much impetus behind persuading Microsoft to fix an operating system that is rapidly approaching its ten-year anniversary. In OS years, that's akin to too old to be worried about getting a bikini wax to make yourself more attractive to the young boys. While 2000 may not be quite end-of-life, it is at least winding down, and you'll find that Microsoft isn't willing to make fixes that aren't better addressed some other way. Wouldn't it be cheaper to buy a simple off-the-shelf, honest-to-goodness firewall to plug in front of the server?
>
> Alun.
> ~~~~
> --
> Texas Imperial Software | Web: http://www.wftpd.com/
> 23921 57th Ave SE | Blog: http://msmvps.com/alunj/
> Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
> Fax/Voice +1(206)428-1991 | Try our NEW client software, WFTPD Explorer.
Guest FromTheRafters
Posted November 14, 2008

Re: Bug (error) in IP Security Policy, is there a patch/fix fo

"kbits.net" <kbitsnet@discussions.microsoft.com> wrote in message news:D9248071-889A-4BFD-87FC-5C83D2FC5E6D@microsoft.com...

> As I noted at the end of my post, go to an expert source. Pick up a Cisco book and go to the section on subnet masks and address classes. Don't rely too heavily on we tech forum eggspurts. Many of us have no certs or educ in the subject we offer expert advice in. Many are thus insecure and slam those who did educate and certify themselves. In the end the person who requested the help received none. But at least an ego was fed. And isn't that the purpose of this place? Feeding egos?

Evidently.
Guest Bill Simard
Posted November 15, 2008

Re: Bug (error) in IP Security Policy, is there a patch/fix fo

I did find a way to manually edit the hex code and block the ranges, but what a pain. What's worse is, as soon as I blocked the Asian IPs, I started getting attacked from US IPs. I tried notifying the ISPs of the attacks, but they really don't care, and there must be millions of these attacks every day from what they said. It's amazing no law enforcement agency is working on this, because it is a HUGE problem.

I went out and bought 2 hardware firewalls, and they are a pain to set up, but I don't have a choice.

I noticed that MS was not sending me notifications when there were replies here. I also noticed the links don't work from their e-mails. I guess that's a few more bugs for them to fix. I prefer going straight to the newsgroups using a server, but all the ISPs in my state pulled the plug on them after the state told them they had to police every post. My ISP was one of the last to go; they were checking every posting, but it got to be too much for them.

I like 2000 Server only for the fact that it does not have that stupid WPA stuff. I've had to redo the server several times this month, and if I had 2003 or 2008 I would no longer be able to activate it. I think you get 2 tries and then you have to buy the product again. I went through that with XP and my home machine. I had to get a new license, and now it's downloading the Malicious Software Removal Tool and Genuine Advantage every few days, without asking, and I have auto updates turned off. The only way I know it has downloaded it is when I turn off the computer and it says "installing updates". Makes my heart go in my throat every time. I'm waiting for the day it says it is no longer valid. That's what it did last time. I know they don't want their product stolen, but for those of us that do re-installs and upgrades it makes our life hell.

Bill