Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 4 replies
  • Answers 1 answer
  • Subscribers 39 subscribers
  • Views 10089 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Cannot block multiple IPs (IP groups)

oxident

Hi!

It seems that I cannot block (drop or reject) traffic from specific IP addresses. I've set up the following policy on the very top of the list:

Source: WAN
Networks: (two IP-Lists: one with some countries and one with a some specific IPs which were trying to hijack my POP3 server)
Services: Any

Destination: LAN (also tried Any)
Networks: Any

Action: Reject (also tried Drop)

Log traffic: enabled

After enabling that rule, I still see logins on my POP3 server, originating from hosts which are definitely on the above list.

If I open the log on my XG and navigate to "Security policy" I only see "Accepted" entries and not a single "Rejected" one...

Am I missing something here?



This thread was automatically locked due to age.
Parents
  • 0

    Most firewall system accept ESTABLISHED,RELATED connections and only for NEW connection will check the rules. most attackers use every same connection. this is the reason why we have stateless rules on our CoreRouter to blacklist special ips. i'M not sure if sophos do the same and the rule will apply only on next NEW connection.

  • 0 in reply to MarcoScholl

    Thanks for your reply.

    No, I don't think that this is the problem because the mailserver behind the XG (MDaemon) definitely closes the connection and blocks the IP for a few minutes after several failed attempts.

    So I'm quite sure that somehow the XG just doesn't respect this policy.

  • 0 in reply to oxident

    Oxident,

    inside your XG you have a BAR that allows POP3 for normal users. Inside this rule, can you add the bad IP inside Exceptions area like the screenshot?

  • 0 in reply to lferrara

    Hi Luk,

    ahh, yes of course I have such a BAR ... but I thought, when placing a "deny" rule on top of this, the request will be filtered out before it "reaches" the POP3 BAR.

    Anyway, I've set up what you suggested and for the moment, it seems to work, although I can't find any evidence in XG's log files ;-)

Reply
  • 0 in reply to lferrara

    Hi Luk,

    ahh, yes of course I have such a BAR ... but I thought, when placing a "deny" rule on top of this, the request will be filtered out before it "reaches" the POP3 BAR.

    Anyway, I've set up what you suggested and for the moment, it seems to work, although I can't find any evidence in XG's log files ;-)

Children
No Data
Unfiltered HTML