This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WAF rule "Block clients with bad reputation"

Hi there.

As I implemented WAF for one of our customers, I stumbled upon the "Block clients with bad reputation" option in WAF -> Firewall Profiles -> Filtering. Best practice is, to leave this option checked as well as it is checked by default.

UTM version is 9.508

After rollout, some users weren't able anymore to use ActiveSync with their mobile devices. Due to the logging, I got the info that somehow some source ip's are blacklisted. Since those WAN ip's are not sticky and therefore can change periodically without interaction of the user but by the ISP, the only way around this was, to leave the above mentioned checkbox unchecked.

As for example a log excerpt from this morning:

2018:03:14-10:44:17 fw_xxx httpd: id="0299" srcip="80.187.xxx.xxx" localip="78.94.111.27" size="236" user="-" host="80.187.xxx.xxx" method="POST" statuscode="403" reason="dnsrbl" extra="Client is listed on DNSRBL black.rbl.ctipd.astaro.local" exceptions="SkipURLHardening" time="83132" url="/Microsoft-Server-ActiveSync" server="webmail.xxx.xxx" port="443" query="?User=xxx.xxx&DeviceId=ASJ72ATRMP2C1938U7UHFFCBOK&DeviceType=iPhone&Cmd=Ping" referer="-" cookie="-" set-cookie="-" uid="Wqju8cCoZv4AABtFMf4AAAB1"
2018:03:14-10:44:19 fw_xxx httpd[6981]: [authz_blacklist:warn] [pid 6981:tid 4088732528] [client 80.187.xxx.xxx:26772] Client is listed on DNSRBL black.rbl.ctipd.astaro.local

Perhaps, someone can clarify for me a bit more in detail what the purpose of this option is, according to the documentation?

Thanks in advance,
toby



This thread was automatically locked due to age.
Parents
  • It sounds like the RBL is being populated too aggressively.   They recently had a problem with a change to ClamAV that started blocking good email as hostile, so one possibility is that the two problem are somehow related.   At any rate, the same RBL is probably used for all installations and all versions of UTM.   Please open a ticket with Sophos Support.

  • Still an issue and here is what I found it seem they want to blacklist all ip addresses and don't care if it causes all kinds of issues


    Outbound Email Policy of The Spamhaus Project for this IP range:

    This IP address range has been identified by Spamhaus as not meeting our policy for IP addresses permitted to deliver unauthenticated 'direct-to-mx' email to PBL users.

    Important: If you are using any normal email software (such as Outlook, Entourage, Thunderbird, Apple Mail, etc.) and you are being blocked by this Spamhaus PBL listing when you try to send email, the reason is simply that you need to turn on "SMTP Authentication" in your email program settings. For help with SMTP Authentication or ways to quickly fix this problem click here.



    See also: http://www.spamhaus.org/faq/section/Spamhaus%20PBL


  • I guess that I figured this out sometime after the original post.

    RBLs were created to block unwanted email, so the lists exclude any IP address that should not be running a mail server.   For example, if you are running a mail server from your cell phone, then your cell phone is probably infected with malware.   As a result, the RBLs include:

    • Know bad actors
    • IP addresses that are dynamically assigned, especially residential addresses (and apparently cell phones as well).

    You could use both types of filtering for WAF if your WAF users were always connecting from a major business with a static IP address, and never from home or a hotel.   In most cases, this is not workable. 

    There are actually two elements to this configuration:

    • Block clients with bad reputation
    • Skip remote lookups for clients with bad reputation

    The first option uses a GeoIP database to exclude bad actors.   I have not yet used it, but another person on this forum has done so successfully.  So you want this optioin enabled, probably always.

    Remote lookups are what use the RBLs.   Since the RBLs are poorly suited for WAF purposes, you will almost always want this option selected, so that the RBL is ignored.

    By checking both options, you should be able to block some of the bad guys while still allowing access for your home users and cell phone users.

Reply
  • I guess that I figured this out sometime after the original post.

    RBLs were created to block unwanted email, so the lists exclude any IP address that should not be running a mail server.   For example, if you are running a mail server from your cell phone, then your cell phone is probably infected with malware.   As a result, the RBLs include:

    • Know bad actors
    • IP addresses that are dynamically assigned, especially residential addresses (and apparently cell phones as well).

    You could use both types of filtering for WAF if your WAF users were always connecting from a major business with a static IP address, and never from home or a hotel.   In most cases, this is not workable. 

    There are actually two elements to this configuration:

    • Block clients with bad reputation
    • Skip remote lookups for clients with bad reputation

    The first option uses a GeoIP database to exclude bad actors.   I have not yet used it, but another person on this forum has done so successfully.  So you want this optioin enabled, probably always.

    Remote lookups are what use the RBLs.   Since the RBLs are poorly suited for WAF purposes, you will almost always want this option selected, so that the RBL is ignored.

    By checking both options, you should be able to block some of the bad guys while still allowing access for your home users and cell phone users.

Children
No Data