
GEO IP or Country Blocking is not working (again)

Hi All,

I have just logged a ticket, but I was wondering if anyone else has noticed this. I use a UTM to block ALL countries except for a few in the EU, but the server behind it is seeing Asian IPs getting through, along with a few others.

  • Did this resolve itself?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I have been using country blocking for some time. It has been reliable for me, but it was difficult to understand the configuration rules. (I found the help text confusing.)

    For Exceptions:

    • If the specified host or IP is internal, a country list MUST be specified  (ALL is of course one of the options).
    • If the specified host or IP is external, the country list MUST BE EMPTY.  (ALL is NOT an acceptable option.)

    If you specify a country list when the specified host/IP is external, the rule is ignored. I assume your problem is of this type.

    Additional thoughts:

    Outbound Web Traffic

    Because some websites are hosted in multiple places around the world, you may have some surprises with the country assignments. A host name with .RU may not be in Russia, and an IP address assigned to Russia may be using a .COM or even a .BR host name. Blocking FROM countries is generally less problematic than blocking TO countries.

    Email Inbound

    I also exclude SMTP from country blocking in UTM, then block specific countries in my spam filter. This provides better insight into what email is being blocked, which can be important when trying to understand why a desired message is not being received. Of course, this assumes that you have a satisfactory spam filter, and I have found the UTM spam filter unexciting. Currently, UTM is my third spam filter in sequence, after Declude from Mail's Best Friend and a Barracuda appliance. Declude has the best rules engine. Barracuda has good content filtering and message log. UTM catches some junk that slips through the other two, and the weakness of its message log has been offset by rigorous log file parsing.
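    The two exception rules stated in the post above (an internal host needs a country list, an external host needs an empty one, otherwise the exception is silently ignored) are easy to get wrong by hand. The following is an added example, not Sophos code: a small linter that classifies each exception by whether its host is internal (RFC 1918 or loopback, an assumption used here as the internal/external test) and reports which ones the UTM would ignore. The exception object layout (name, host, country list) is a hypothetical model, not the UTM's real configuration schema, and the "invalid" status for an internal host with no country list is an assumption about how the UTM treats that case.

```python
"""Lint country-blocking exceptions against the rules quoted in the thread.

Added example; not Sophos code. The GeoException layout is a hypothetical
model of an exception, not the UTM's configuration schema.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumption: these prefixes count as "internal" for the purpose of the rule.
INTERNAL_PREFIXES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class GeoException:
    name: str
    host: str                                   # single IPv4 address or CIDR
    countries: List[str] = field(default_factory=list)  # [] == empty list; ["ALL"] == all


def is_internal(host: str) -> bool:
    """True when the host/network lies entirely inside an internal prefix."""
    net = ipaddress.ip_network(host, strict=False)
    return any(net.version == p.version and net.subnet_of(p) for p in INTERNAL_PREFIXES)


def lint(exc: GeoException) -> Tuple[str, str]:
    """Return (status, reason); status is 'ok', 'ignored' or 'invalid'.

    'ignored' mirrors what the post reports: an external host with a country
    list is silently skipped by the UTM. 'invalid' (internal host, no list)
    is an assumption, since the post only says a list MUST be given.
    """
    internal = is_internal(exc.host)
    if internal and not exc.countries:
        return "invalid", f"{exc.name}: internal host {exc.host} needs a country list (ALL is allowed)"
    if not internal and exc.countries:
        return "ignored", (f"{exc.name}: external host {exc.host} has a country list "
                           f"{exc.countries}; the UTM ignores this exception")
    return "ok", f"{exc.name}: consistent"


def lint_all(exceptions: List[GeoException]) -> List[Tuple[str, str]]:
    """Lint every exception and return only the ones that need attention."""
    return [r for r in (lint(e) for e in exceptions) if r[0] != "ok"]


if __name__ == "__main__":
    # Constructed sample configuration, not taken from any real UTM.
    sample = [
        GeoException("mail-in", "10.0.5.25", ["ALL"]),        # internal + list: ok
        GeoException("web-in", "10.0.5.80"),                  # internal, no list: invalid
        GeoException("partner", "203.0.113.10", ["DE"]),      # external + list: ignored
        GeoException("monitor", "198.51.100.0/24"),           # external, empty: ok
    ]
    for status, reason in lint_all(sample):
        print(f"{status.upper():8} {reason}")
```

    Run it against an export of your own exception list; anything reported as "ignored" is an exception you believe is in force but which, according to the rule above, the UTM is not applying.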

  • Hi

    What I did was stop and restart the service, and all is working as it should now.

    Maybe a pattern update caused it to pause or something; not sure what.

    Thanks for checking back.

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

  • Hi  &

    I decided to revisit this. I was not entirely happy, plus I was also getting a report every day listing the same IPs that were giving issues before. I have been using this for some time, and mostly without issue.

    The IP ranges in question:

    103.145.12.0/24, and

    103.145.13.0/24

    Both are categorised on GeoIP lookup sites as either India or Netherlands.

    I had three rules: country blocking, a drop rule and a blackhole route.

    I have logged 2 tickets with Sophos, and they said it is all working as it should, that is, until this command is run from SSH:

    geoiplookup <ip address>

    This will return the country where the IP is registered.

    Well, it seems the ranges I mentioned before are not even categorised within the country blocking DB; the output is:

    GeoIP Country Edition: IP Address not found.

    Thus, because it is not categorised as belonging to a country, it bypasses the country blocking, gets through the DNAT rules and does not even touch any drop rule or blackhole routes.

    I have also just tested this on the XG; the XG uses the same DB, which also does not have them categorised.

    I hope that helps; it seems that MaxMind has not had these IP address ranges categorised at all for over a month now (at least).

    Hope this helps you out, and anyone else reading this.

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!
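The post above describes a fail-open condition: "block ALL countries except a few" only fires when the GeoIP database assigns the source address to a country, so an address the database does not know matches no country and is passed. The following is an added example, not Sophos or MaxMind code, that parses the `geoiplookup` output format quoted in the thread, models that allowlist decision as the post describes it (unmapped address: not blocked), and adds a fail-closed variant as a hardening suggestion of the editor's, not a UTM feature. The lookup results are constructed sample strings in the `GeoIP Country Edition:` format; the addresses in the `103.145.12.0/24` and `103.145.13.0/24` ranges are taken from the post, the others are documentation or well-known addresses used only for illustration.

```python
"""Model the GeoIP fail-open described in the thread.

Added example; not Sophos, MaxMind or geoiplookup code. SAMPLE_LOOKUPS is
constructed text in the format geoiplookup prints, not real lookup output.
"""
import re
from typing import Dict, Iterable, List, Optional, Set

NOT_FOUND = "GeoIP Country Edition: IP Address not found"

# Constructed: what `geoiplookup <ip>` might print for a handful of addresses.
SAMPLE_LOOKUPS: Dict[str, str] = {
    "8.8.8.8":        "GeoIP Country Edition: US, United States",
    "2.16.0.1":       "GeoIP Country Edition: NL, Netherlands",
    "103.145.12.7":   NOT_FOUND,   # range from the post, absent from the DB
    "103.145.13.200": NOT_FOUND,   # likewise
}

_COUNTRY_LINE = re.compile(r"^GeoIP Country Edition: ([A-Z]{2}), ")


def parse_geoiplookup(output: str) -> Optional[str]:
    """Return the ISO 3166 country code from one geoiplookup line, or None
    when the database has no entry for the address."""
    m = _COUNTRY_LINE.match(output.strip())
    return m.group(1) if m else None


def lookup(ip: str, lookups: Dict[str, str] = SAMPLE_LOOKUPS) -> Optional[str]:
    """Country code for ip from the sample table (unknown == not in DB)."""
    return parse_geoiplookup(lookups.get(ip, NOT_FOUND))


def country_block(ip: str, allowed: Set[str],
                  lookups: Dict[str, str] = SAMPLE_LOOKUPS,
                  fail_closed: bool = False) -> str:
    """Decision ('pass' or 'drop') for a 'block ALL except allowed' policy.

    fail_closed=False reproduces what the post observed: an unmapped address
    belongs to no blocked country, so the rule never fires and it passes.
    fail_closed=True is the hardened variant (assumption, not a UTM option):
    no country means no trust, so drop.
    """
    code = lookup(ip, lookups)
    if code is None:
        return "drop" if fail_closed else "pass"
    return "pass" if code in allowed else "drop"


def unmapped(ips: Iterable[str], lookups: Dict[str, str] = SAMPLE_LOOKUPS) -> List[str]:
    """Addresses the GeoIP DB cannot place. These never match a country
    rule, so anything you want done with them has to key on the address."""
    return [ip for ip in ips if lookup(ip, lookups) is None]


if __name__ == "__main__":
    allowed = {"NL", "DE", "FR"}
    for ip in SAMPLE_LOOKUPS:
        print(f"{ip:16} {str(lookup(ip)):5} "
              f"fail-open={country_block(ip, allowed):4} "
              f"fail-closed={country_block(ip, allowed, fail_closed=True)}")
    print("unmapped:", unmapped(SAMPLE_LOOKUPS))
```

To apply the same check to live traffic, feed the source addresses from the UTM's own log into `geoiplookup` on the appliance and pipe each output line through `parse_geoiplookup`; every address that comes back as `None` is one the country-blocking rule cannot see, and needs an address-based rule of its own.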