

Inbound Blocking

I'm trying to get the firewall to block inbound connections. I cannot get it to block anything inbound. I have attached a screenshot of the rule I have in place at the top of the policies. This did work with UTM 9.

Has anyone else seen this happening?

  • I have investigated this myself a little further. It seems that the placement of rules within iptables when creating rules is the issue. It seems that the rules that XG puts into iptables take precedence over user rules. When I manually add a rule to iptables I can block inbound connections. At this point, blocking countries or access to other services is not happening when using the web interface.
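The post above comes down to iptables rule order: a rule appended (`-A`) below an existing ACCEPT is never reached, while one inserted (`-I <chain> 1`) at the top is evaluated first. The following is an added example, not from the thread and not Sophos code; it assumes a generic Linux iptables layout with an `INPUT` chain and a WAN interface named `eth1` (the chains XG itself installs are not shown in the thread), and it checks rule order against constructed `iptables -S` output rather than touching a live box.

```shell
#!/bin/sh
# Added example (not from the thread, not Sophos code): why an appended DROP
# never fires when an ACCEPT sits above it, and how to check rule order.
# Assumptions: a generic Linux iptables layout with an INPUT chain and a WAN
# interface called eth1; the chains XG itself installs are not shown here.

# Command that puts a DROP for one source at the top of a chain.
# -I <chain> 1 inserts at position 1; -A would append below whatever the
# appliance already installed, which is the shadowing described in the post.
block_src_cmd() {
    # $1 = source address or CIDR, $2 = chain, $3 = inbound interface
    printf 'iptables -I %s 1 -i %s -s %s -j DROP' "$2" "$3" "$1"
}

# Read `iptables -S <chain>` output on stdin and succeed only if a DROP for
# the given source appears before the first ACCEPT in that chain.
drop_precedes_accept() {
    awk -v src="$1" '
        /-j ACCEPT/ { seen_accept = 1 }
        /-j DROP/ && !seen_accept {
            n = index($0, "-s " src)
            if (n) {
                # character after the address: end of line, "/32"-style mask
                # or a space; anything else is a longer address sharing a prefix
                nxt = substr($0, n + 3 + length(src), 1)
                if (nxt == "" || nxt == "/" || nxt == " ") found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample chains (not real appliance output). The address is the
# first source shown in the WAF log later in the thread.
ATTACKER=208.52.161.177
SAMPLE_APPENDED='-P INPUT ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth1 -s 208.52.161.177/32 -j DROP'
SAMPLE_INSERTED='-P INPUT ACCEPT
-A INPUT -i eth1 -s 208.52.161.177/32 -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT'

if printf '%s\n' "$SAMPLE_APPENDED" | drop_precedes_accept "$ATTACKER"; then
    echo "appended: DROP for $ATTACKER is effective"
else
    echo "appended: DROP for $ATTACKER is shadowed by an earlier ACCEPT"
fi
if printf '%s\n' "$SAMPLE_INSERTED" | drop_precedes_accept "$ATTACKER"; then
    echo "inserted: DROP for $ATTACKER is effective"
fi
echo "command to run on the box: $(block_src_cmd "$ATTACKER" INPUT eth1)"
```

On a real box, run `iptables -S INPUT | drop_precedes_accept 208.52.161.177` after adding the rule to confirm it sits above the ACCEPTs; a manually inserted rule does not survive a reboot or a policy push from the appliance, so treat it as a diagnostic, not a fix.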
  • Hi EdDe Sousa,

    Can we make sure there are no other conflicting rules above?

    From the policy you created what is accomplished is:
    Drop "SSL VPN + the others listed" services going to any zone, when in "WAN" zone, and coming from any network, destined to the IP addr. on port2. Is this correct? So when you simulate traffic it is destined to the IP addr. assigned on Port2
  • Apologies for the last response, I did not see your update in the comments section. So now what you are stuck at is country blocking is not working properly?
  • As with UTM 9, all traffic is dropped by default. There is no need to add a "bucket" drop rule, as no traffic of any kind is allowed until a rule is created to allow it.
  • I know that blocking is enabled by default but there is a need to block certain things.

    I have WAF configured and I know I can deny access there to certain sources but I noticed from the WAF logs that there are attacks happening against the sites I do have configured. I would still like the ability to block at the firewall level and not at the WAF level.

    I have included some logs below as an example. Call it paranoia but why allow someone access to potentially try something. I'm not sure since I haven't really investigated the stuff below but it is some sort of spoofing happening.

    2015-12-16 23:33:50  -  208.52.161.177  /phpmyadmin2/scripts/setup.php  -  -  301  47  408  17071  0

    2015-12-16 23:08:59  51.254.206.142  188.68.224.62  /httptest.php  -  -
  • Hi there,

    In UTM 9 there is an easy way to do this task. Just create a DNAT rule with the destination set to a fake IP. Try it with XG.

    Regards
    mod