Additional DNAT Blackhole to permanently Block IPs

Hallo,

That will work just fine.  Checking 'Automatic Firewall rule' would avoid having a default drop line in the firewall log.  Since you're not changing the service, you could leave that empty, but that has no effect on the functionality of your blackhole rule - see #5 in Rulz (last updated 2021-02-16).

Cheers - Bob

Hello Bob,

thanks for your reply. I don't use Automatic Firewall Rules, all Rules are manually defined. Basically what I try to implement to the above 2 NAT Rules is the possibility to block know IPs / Spammers permanently. like to define a Group Spammers and and in this Group IP Host Objects of Spammy IPs and block them permanently.

best regards

Sally

Sally said:

block know IPs / Spammers permanently. like to define a Group Spammers and and in this Group IP Host Objects of Spammy IPs and block them permanently

I really hope you like the game "Whack a Mole" because this is what you will be doing with this mindset.  These guys are not using their own IPs and will use a range of IPs from hosting, etc.  Everything for them will be dynamic, and next to none of it is static or owned.  You are probably better off using things like Country Blocking and keeping any unused ports closed, along with what the UTM functions are built in to protect your network.

I have port scan attempts on a weekly basis from an entire range of IPs from Russian Federation.  Country Blocking takes care of that, I just block all traffic to/from that with enabling blocking for that entire range with Country Blocking and reject packets.

Hello Amodin,

thanks for the reply and the suggestion to use Country Blocking instead. Blocking all traffic in Country Blocking would also prevent web surfing to a website in the particular country, so if I would have for example a favorite website in the blocked Country, I would need to do an exception, or if I set just “from” all users can still browse in the blocked country, but requests from the country to the Public IP are all blocked if I understand, correct?

Can I define in Country Blocking how the packets get handled, like if Packets are rejected, or just be dropped silent (somehow similar like FW Rules Action)?

 thx

Br

Correct, you can add an exception in the Country Blocking Exceptions for specific traffic. You can either use the "All" selection and create an HTTP exception using the exception list, or change it to "From" and add your Web Protection exception in Web Filtering.

Anti-Portscan settings in IPS are the only way I know of to select either/or drop/reject packets.  Country Blocking will deny all traffic, and takes place before other security policy settings like port forwards or mail routing.  You will still probably see the traffic generated on your front page of the UTM, but if you monitor the Network Protection live log, you will see the Country Blocking rule being very effective.

Correct, you can add an exception in the Country Blocking Exceptions for specific traffic. You can either use the "All" selection and create an HTTP exception using the exception list, or change it to "From" and add your Web Protection exception in Web Filtering.

Anti-Portscan settings in IPS are the only way I know of to select either/or drop/reject packets.  Country Blocking will deny all traffic, and takes place before other security policy settings like port forwards or mail routing.  You will still probably see the traffic generated on your front page of the UTM, but if you monitor the Network Protection live log, you will see the Country Blocking rule being very effective.

Thx Amodin for the information!  I will just need to check now how to use the country blocking exception correctly for specific services ..

br

Sally