0

I've got a port exception that I've added to Windows Firewall. And under Scope, I'm able to add specific IP addresses allowed, each separated by a comma. The problem is, how can I enter a range of IPs?

I don't mean 192.168.1.0/24 kind of thing. I have a user whose IP keeps changing, and they're located in Austria. Their IP is always 91.113... I'd basically like to allow that.

Or, is there a better solution? I'm not keen about opening up such a wide range of IPs, but his IP is changing daily and is really frustrating for everyone. Our dynamic IP here at the office in Canada only changes every 4 months, so I was hoping that it wouldn't be a big deal to restrict.

Thanks for the insights.

Scott Klarenbach

5 Answers

1

You're right that it's not the best solution; however, if you need something quick and dirty, then you could try a wildcard, for example 91.113.*.*

Marko Carter
1

Maybe you could get him set up with DynDNS, which can use the router or a program installed on one of his computers (if the router doesn't natively support DynDNS) to keep a DNS name of his dynamic IP always updated. For instance, I use DynDNS for a small client of mine (using their simple LinkSys WRT54G that has DynDNS support built in) and I always know that smallclient.DynDNS.org (not actual domain name) is their IP. You could then do a reverse query every morning on the DNS name that you set up for him and have his true IP address. I'm sure it could be scripted on your server to reverse query that domain name, add the proper IP exception and scrub the old exception every 12 or 24 hours.

Kinda slipshod... but then isn't that what most IT projects end up being anyway? =)

Wesley
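The scheduled update this answer describes, as an added example that is not part of the original answer. The rule name and host name are hypothetical placeholders, and the script assumes a dedicated inbound rule for this one user, so replacing its whole Scope is safe. It also refuses any resolved address outside the 91.113. range from the question, so a hijacked or stale DNS record cannot widen the rule.

```powershell
# Added example: pin one firewall rule's Scope to the address behind a dynamic DNS name.
# Run from Task Scheduler every 12 or 24 hours, as the answer suggests.
#Requires -RunAsAdministrator
param(
    [string]$RuleName = 'Remote user - app port',          # hypothetical dedicated inbound rule
    [string]$HostName = 'remoteuser.example-dyndns.test',  # placeholder dynamic DNS name
    [string]$ExpectedPrefix = '91.113.'                    # ISP range mentioned in the question
)

$ErrorActionPreference = 'Stop'

# Look up the dynamic name and keep only IPv4 A records (CNAME hops are dropped).
$resolved = @(Resolve-DnsName -Name $HostName -Type A -DnsOnly |
    Where-Object { $_.Type -eq 'A' } |
    Select-Object -ExpandProperty IPAddress -Unique)

# Fail closed: an empty or ambiguous answer leaves the existing rule untouched.
if ($resolved.Count -ne 1) {
    throw "Expected exactly one A record for $HostName, got $($resolved.Count); rule not changed."
}
$newIp = $resolved[0]

# Sanity check: the address must still sit inside the user's known ISP range.
if (-not $newIp.StartsWith($ExpectedPrefix)) {
    throw "$HostName resolved to $newIp, outside $ExpectedPrefix*; rule not changed."
}

# Read the rule's current Scope (RemoteAddress) and compare before writing.
$rule    = Get-NetFirewallRule -DisplayName $RuleName
$current = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)

if ($current.Count -eq 1 -and $current[0] -eq $newIp) {
    Write-Output "Scope of '$RuleName' already $newIp; nothing to do."
    return
}

# Replacing RemoteAddress both adds the new exception and scrubs the old one.
Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $newIp
Write-Output "Scope of '$RuleName' changed from '$($current -join ',')' to '$newIp'."
```

Logging the before and after values gives an audit trail of every Scope change the task makes.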
1

I hope I'm not talking nonsense now, but wouldn't 91.113.0.0/16 be a correct notation? It's of course not the "real" range, but should cover your needs.

0

I'd be wary about opening a range of addresses, especially since they are public addresses doled out to anyone who uses the same ISP. What are the chances of getting a static address from the ISP?

joeqwerty
0

There is certainly a better solution; don't base your security on IP addresses, try to find something else - a certificate token, username/password, ...

For the situation as is, I see no other solution than playing with dynamic DNS as already suggested, or opening your firewall a lot to cover all the possible IPs you need. This is where you should ask yourself if it's worth it: what security do you still have then?

slovon