Using the rule below I see unexpected behavior in the logs. The log excerpt shows three connections. Each of these connections is from a country that is blocked. The rule seems to block all other protocols from blocked countries except SMTP. It allows a lot of SMTP traffic that it should not. The three entries are from Argentina, Japan, and China. The mouse-over is from the email that originated in China.
For services which are open (like SMTP because of the MTA) you need a blackhole NAT. See: https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RulesAndPolicies/FirewallRules/FirewallRulesCountryBasedRuleCreate/index.html
If you have any active web application firewall (WAF) rules, the country-based firewall rule won't work. In this case, create a black hole DNAT rule and add the country you want to block as Original source. See Create a black hole DNAT rule.
I've been working with the documents you sent. My Blackhole NAT never reports any traffic.
I also explicitly blocked some IP ranges using the rule and the DNAT rule. I can confirm that I still receive email from addresses within the range.
The DNAT should at least show traffic. If not, it seems not to hit because of the criteria. Check the packet capture again to see whether the traffic does not match your rules.
I have the subnet 185.221.66.0/24 blocked as part of my drop rule and my DNAT. Below are the packet captures of the email still flowing in. I have left the DNAT up for various periods of time. It has yet to record a single hit.
Seems like the NAT does not hit. Try to change the Destination IP to your WAN IP and restrict it to SMTP.
The DNAT remains at zero hits, and I still see SMTP traffic passed by the drop rule. All other traffic is blocked as expected by the firewall rule.
Where did you place the Blackhole NAT rule? Could you try "top" placement?
OK, that works. Since the NAT rules don't have a way of moving them, I wasn't thinking the order mattered. I just hit "add rule" and it places it at the bottom.
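A small first-match model of an ordered NAT table, added here as an illustration and not Sophos Firewall code (it simplifies the real engine): it shows why a black hole DNAT appended below an existing SMTP DNAT never records a hit, while the same rule placed at the top does. The rule names and the 203.0.113.5 source are constructed; the 185.221.66.0/24 subnet is the one from the thread.

```python
"""Illustrative first-match NAT evaluation (not Sophos code)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class NatRule:
    name: str
    src_nets: list      # source networks to match; empty list = any source
    dst_ports: set      # destination ports to match; empty set = any port
    action: str         # "blackhole" drops the packet, "dnat" forwards it
    hits: int = 0       # counter like the "hits" column in the rule table


def matches(rule, src_ip, dport):
    """True when both the source and destination-port criteria apply."""
    ip = ipaddress.ip_address(src_ip)
    if rule.src_nets and not any(ip in ipaddress.ip_network(n) for n in rule.src_nets):
        return False
    if rule.dst_ports and dport not in rule.dst_ports:
        return False
    return True


def evaluate(rules, src_ip, dport):
    """Walk the table top-down; the first matching rule wins and is counted."""
    for rule in rules:
        if matches(rule, src_ip, dport):
            rule.hits += 1
            return rule.action
    return "no-nat"


BLOCKED_NETS = ["185.221.66.0/24"]   # subnet blocked in the thread


def simulate(blackhole_on_top, src_ip="185.221.66.10", dport=25):
    """Return (action taken, black hole hit count) for one inbound SMTP packet."""
    mta = NatRule("MTA SMTP DNAT", [], {25}, "dnat")         # existing MTA rule
    bh = NatRule("Blackhole blocked nets", BLOCKED_NETS, set(), "blackhole")
    rules = [bh, mta] if blackhole_on_top else [mta, bh]    # "add rule" appends
    return evaluate(rules, src_ip, dport), bh.hits
```

With the black hole at the bottom the MTA rule matches first and the black hole stays at zero hits, which is exactly the symptom reported above; on top it drops the blocked subnet and legitimate sources still reach the MTA.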