
country blocking question

We have been having an issue that is related to country blocking. One company that emails us is routed through Germany. Under country blocking I have Germany set to block From. I have since created an exception...

 

skip blocking of these countries: Germany

for traffic coming from these source networks: IP of Host

Using these services: Any

 

Even after doing this the emails still get blocked by the firewall from that IP. The only way we can receive from them is to totally turn off blocking for that country. Can someone tell me what I'm doing wrong?

Also my hardware is a Sophos SG 210 running 9.509-3.



  • The help file attempts to explain this, but does not fully succeed.

    • When the exception target is on the internet, such as your desired mail server, you specify the object and MUST leave the country list EMPTY.   UTM does not need to know the country because the IP address already ensures uniqueness.   Specifying any countries (or ALL) will produce the unexpected result that you are seeing.  This applies whether the exception is FROM or TO the exception target.
       
    • When the exception object is the UTM or any internal network object, you must specify a country list or ALL.    Without a country list, there would be ambiguity.   I think an empty list and ALL will produce the same result here, but the documented preference is to use ALL.

    For your example, I think you only need to exempt SMTP (port 25), not port ALL.   

    I think the PORT specification refers to the destination port, whether the exception is the source IP or the destination IP.   (Test to verify this.)

    For web proxy traffic, I have observed some FQDN+IP pairs being assigned to different countries at different times, and I have seen some FQDN-IP pairs with no country assigned. The issue has been confirmed and is in development. I don't actually know if it affects incoming SMTP traffic. But if you are using Country Blocking now, you should be aware that it may have limitations, and continue to monitor your logs.


  • So I tried this using

    Skip blocking for these countries - blank

    Host  - IP of server

    Using smtp

    Still that IP is being blocked. Even tried ALL instead of SMTP but still not working. In the logs it shows country block and the reason given is geoip.
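The post above relies on reading the firewall log to see whether the exception took effect. The following is an added example (not from the thread or from Sophos) of a small checker that parses key="value" packet-filter log lines, isolates drops whose reason is geoip, and counts them per destination port for the partner's source IP; after an SMTP-only exception is in place you would expect the port 25 count to stop growing while other ports may still be dropped. The log lines and every field name in them are constructed approximations of UTM-style logging, not verbatim Sophos output.

```python
import re
from collections import Counter

# Constructed sample lines in a key="value" style loosely modelled on UTM
# packetfilter logs. Field names, values and addresses are assumptions made
# for this example; they are not copied from a real Sophos installation.
SAMPLE_LOG = """\
2019:03:04-10:01:02 utm ulogd[1234]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" reason="geoip" srcip="203.0.113.10" dstip="198.51.100.5" proto="6" srcport="44512" dstport="25"
2019:03:04-10:01:05 utm ulogd[1234]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" srcip="192.0.2.7" dstip="198.51.100.5" proto="6" srcport="50123" dstport="25"
2019:03:04-10:01:09 utm ulogd[1234]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" reason="geoip" srcip="203.0.113.10" dstip="198.51.100.5" proto="6" srcport="44513" dstport="25"
2019:03:04-10:02:00 utm ulogd[1234]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" reason="geoip" srcip="203.0.113.10" dstip="198.51.100.5" proto="6" srcport="44600" dstport="443"
"""

# Matches one key="value" pair; keys are word characters, values may be empty.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return the key="value" fields of one log line as a dict."""
    return dict(KV_RE.findall(line))


def geoip_drops(log_text, srcip=None, dstport=None):
    """Return the parsed records that were dropped with reason="geoip",
    optionally restricted to one source IP and/or one destination port."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("action") != "drop" or rec.get("reason") != "geoip":
            continue
        if srcip is not None and rec.get("srcip") != srcip:
            continue
        if dstport is not None and rec.get("dstport") != str(dstport):
            continue
        hits.append(rec)
    return hits


def drops_by_port(log_text, srcip):
    """Count geoip drops per destination port for one source IP. A working
    SMTP-only exception should leave port 25 at zero while other ports may
    still be dropped."""
    return Counter(r["dstport"] for r in geoip_drops(log_text, srcip=srcip))


if __name__ == "__main__":
    partner = "203.0.113.10"  # constructed partner mail server address
    for port, n in sorted(drops_by_port(SAMPLE_LOG, partner).items()):
        print(f"geoip drops from {partner} to dstport {port}: {n}")
```

Run it against an exported packet-filter log (replace SAMPLE_LOG with the file contents) and compare the per-port counts before and after the exception is saved; if port 25 drops continue for the partner address, the exception is not matching the traffic at all rather than being scoped too narrowly.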

  • Try to add internal(address) to host/network.

    I had this case myself and that did it.

    Best

    Alex

    -

  • And IP Server is your WAN IP? And you use mailprotection?

    -

  • Sorry that we have not helped you find your problem. But if you are running a mail server behind UTM, you should have Sophos Support and you should use them for questions like this. They can review your configuration and your logs, we cannot. This stuff is their forte, and they are the vehicle for bug reporting to development.

    Alternatively, if you have a home configuration, you should not be running a mail server.

  • I have found some bugs with Country blocking and country blocking exception, so I can't rule out the possibility that you have found one.

    I have just reviewed my configuration to confirm my previous post:

    • Rules that specify to/from an external network object will have an empty country list, never ALL countries.
    • One rule is to an external network object, with a single country in the country list.   I am not sure if this is an allowed configuration or a mistake.
    • For rules to/from an internal object, the country list is always necessary.   Not all of my internal-object rules have an interface address included.

    Other possibilities relate to the way the internal object is identified.

    • If traffic is proxied, such as the UTM EMail Protection, the destination address is the UTM address used, not the internal address.
    • If incoming traffic is DNATted, the internal object is still the UTM external address, not the internal address, because DNAT occurs after Country Blocking. Bob Alfson's "Rulz" posting explains the order of operation (Rule 2):
      https://community.sophos.com/products/unified-threat-management/f/general-discussion/22065/rulz
    • If outgoing traffic is SNATted or MASQueraded, the internal object is still the internal address, because source address replacement occurs last.
    • SMTP traffic normally has to flow in both directions, so ensure that you have a rule to accept SMTP from the desired host as well as accepting traffic to the desired host.
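The two posts above (the first answer's rules for when the country list must be empty versus ALL, and this post's reminder that SMTP needs both a FROM and a TO exception) can be turned into a checklist that runs over an exported list of exceptions. The block below is an added example written for this thread, not Sophos code and not the UTM's configuration schema; the dataclass field names, the exception names and the addresses are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import List

ALL = "ALL"


@dataclass
class CountryException:
    """One Country Blocking exception as a practitioner might transcribe it.
    Field names are this example's own, not the UTM's configuration schema."""
    name: str
    direction: str            # "FROM" or "TO" the target object
    target: str               # IP or host name of the network object
    target_is_external: bool  # True for an internet host, False for UTM/internal objects
    countries: List[str] = field(default_factory=list)          # [], ["Germany"], or [ALL]
    services: List[str] = field(default_factory=lambda: [ALL])  # e.g. ["SMTP"]


def lint_exception(exc: CountryException) -> List[str]:
    """Apply the rules stated in the thread and return a list of findings
    (an empty list means the exception follows them)."""
    findings = []
    # External target: the IP already makes it unique, so the country list must be empty.
    if exc.target_is_external and exc.countries:
        findings.append(f"{exc.name}: external target {exc.target} must have an EMPTY "
                        f"country list, found {exc.countries}")
    # UTM or internal target: a country list (or ALL) is required to avoid ambiguity.
    if not exc.target_is_external and not exc.countries:
        findings.append(f"{exc.name}: internal target {exc.target} needs a country list or ALL")
    # Advisory: scope the exception to the service actually needed.
    if ALL in exc.services:
        findings.append(f"{exc.name}: services=ALL; restrict to the needed service "
                        f"(e.g. SMTP) where possible")
    return findings


def lint_all(exceptions: List[CountryException]) -> List[str]:
    """Run lint_exception over every exception and collect the findings."""
    findings = []
    for exc in exceptions:
        findings.extend(lint_exception(exc))
    return findings


def missing_smtp_directions(exceptions: List[CountryException], host: str) -> List[str]:
    """SMTP must flow both ways: report which of FROM/TO the host still lacks
    an exception covering SMTP (or ALL services)."""
    present = {e.direction for e in exceptions
               if e.target == host and ("SMTP" in e.services or ALL in e.services)}
    return [d for d in ("FROM", "TO") if d not in present]


# Constructed examples: the original poster's first attempt (country named,
# all services, one direction) and a pair that follows the thread's advice.
PARTNER = "203.0.113.10"  # assumed partner mail server address
ORIGINAL_ATTEMPT = CountryException("mail-partner-v1", "FROM", PARTNER, True,
                                    countries=["Germany"], services=[ALL])
CORRECTED = [
    CountryException("mail-partner-from", "FROM", PARTNER, True, services=["SMTP"]),
    CountryException("mail-partner-to", "TO", PARTNER, True, services=["SMTP"]),
]

if __name__ == "__main__":
    for line in lint_exception(ORIGINAL_ATTEMPT):
        print("finding:", line)
    print("missing directions (original):", missing_smtp_directions([ORIGINAL_ATTEMPT], PARTNER))
    print("findings (corrected):", lint_all(CORRECTED))
    print("missing directions (corrected):", missing_smtp_directions(CORRECTED, PARTNER))
```

Because the thread also notes that DNAT runs after Country Blocking, an exception for a proxied or DNATted mail server on the internal side would use the UTM's external address as its target object (and therefore a country list), which is why the corrected pair above targets only the external partner host.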