
Additional DNAT Blackhole to permanently Block IPs

Hello,

I have a lot of IPs trying to access my external IP on my UTM. I already have a blackhole DNAT rule added, but I would like to adapt this rule to be able to permanently block specific IPs / IP ranges.

What would be the best way to do this? 

Thx

br

Sally



  • Hello,

    That will work just fine.  Checking 'Automatic Firewall rule' would avoid having a default drop line in the firewall log.  Since you're not changing the service, you could leave that empty, but that has no effect on the functionality of your blackhole rule - see #5 in Rulz (last updated 2021-02-16).

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob,

    thanks for your reply. I don't use Automatic Firewall Rules; all rules are manually defined. Basically, what I am trying to implement with the above two NAT rules is the possibility to block known IPs / spammers permanently. I would like to define a group "Spammers", put IP host objects of spammy IPs in this group, and block them permanently.

    best regards

    Sally

  • block known IPs / Spammers permanently. like to define a Group Spammers and in this Group IP Host Objects of Spammy IPs and block them permanently

    I really hope you like the game "Whack a Mole" because this is what you will be doing with this mindset.  These guys are not using their own IPs and will use a range of IPs from hosting, etc.  Everything for them will be dynamic, and next to none of it is static or owned.  You are probably better off using things like Country Blocking and keeping any unused ports closed, along with what the UTM functions are built in to protect your network.

    I have port scan attempts on a weekly basis from an entire range of IPs from the Russian Federation.  Country Blocking takes care of that: I just block all traffic to/from it by enabling blocking for that entire range with Country Blocking and rejecting packets.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)
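
As an added illustration of the point Amodin makes above (this is example code written for this page, not code from the thread or from Sophos UTM): a small Python script replays constructed firewall log lines against two blocklists, a group of individual host objects like Sally's "Spammers" group and a list of address ranges standing in for a country or hosting-provider block, and reports which dropped connections each one would have covered. The log format, the addresses (all from the RFC 5737 documentation ranges) and the list contents are constructed for the example; real Country Blocking uses the UTM's own GeoIP data, not a hand-written CIDR list.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines, loosely modelled on a packet-filter drop log.
# All addresses are RFC 5737 documentation addresses; none of them is real.
SAMPLE_LOG = """\
2021-02-16 10:01:02 fw ulogd[1234]: id="2001" action="drop" srcip="192.0.2.17" dstip="203.0.113.1" dstport="22"
2021-02-16 10:01:09 fw ulogd[1234]: id="2001" action="drop" srcip="192.0.2.99" dstip="203.0.113.1" dstport="22"
2021-02-16 10:02:41 fw ulogd[1234]: id="2001" action="drop" srcip="198.51.100.5" dstip="203.0.113.1" dstport="3389"
2021-02-16 10:03:15 fw ulogd[1234]: id="2001" action="drop" srcip="203.0.113.8" dstip="203.0.113.1" dstport="445"
2021-02-16 10:04:02 fw ulogd[1234]: id="2001" action="drop" srcip="192.0.2.18" dstip="203.0.113.1" dstport="22"
"""

# Stand-in for a "Spammers" network group holding individual host objects (constructed).
HOST_GROUP = ["192.0.2.17", "192.0.2.18"]

# Stand-in for a country / hosting-provider block as a list of ranges (constructed).
RANGE_BLOCK = ["192.0.2.0/24", "198.51.100.0/24"]

SRCIP_RE = re.compile(r'srcip="([0-9a-fA-F.:]+)"')


def parse_srcips(log_text):
    """Return the source IPs found in the log text, in log order."""
    return SRCIP_RE.findall(log_text)


def to_networks(entries):
    """Turn host and CIDR strings into ip_network objects (a bare host becomes a /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_listed(ip, networks):
    """True if the address falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def evaluate(log_text, host_group, range_block):
    """Count how many dropped connections each blocklist type would have covered.

    Host objects are checked first, so a source that is both a listed host and
    inside a listed range is credited to the host group.
    """
    hosts = to_networks(host_group)
    ranges = to_networks(range_block)
    result = {"host_group": 0, "range_block": 0, "unblocked": []}
    for ip in parse_srcips(log_text):
        if is_listed(ip, hosts):
            result["host_group"] += 1
        elif is_listed(ip, ranges):
            result["range_block"] += 1
        else:
            result["unblocked"].append(ip)
    return result


def summarize_sources(log_text, prefix_len=24):
    """Group observed sources by /prefix_len so clusters a host list misses become visible."""
    counts = Counter()
    for ip in parse_srcips(log_text):
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        counts[str(net)] += 1
    return dict(counts)


if __name__ == "__main__":
    print(evaluate(SAMPLE_LOG, HOST_GROUP, RANGE_BLOCK))
    print(summarize_sources(SAMPLE_LOG))
```

Running it shows the pattern Amodin describes: the two host objects catch only the addresses already seen, the rotated address in the same /24 slips past the host group and is caught only by the range block, and a source from a range on neither list stays unblocked. The `summarize_sources` helper is the defender's side of this: run over a day of drop logs it shows whether hits cluster into a few ranges worth blocking as a whole or scatter across many, which is the information needed to decide between host objects and Country Blocking.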

  • Hello Amodin,

    thanks for the reply and the suggestion to use Country Blocking instead. Blocking all traffic in Country Blocking would also prevent web surfing to a website in the particular country, so if I had, for example, a favorite website in the blocked country, I would need to add an exception. Or, if I set just "From", all users can still browse in the blocked country, but requests from that country to the public IP are all blocked, if I understand correctly?

    Can I define in Country Blocking how the packets get handled, e.g. whether packets are rejected or just silently dropped (somewhat similar to the firewall rule action)?

    thx

    Br

  • Correct, you can add an exception in the Country Blocking Exceptions for specific traffic. You can either use the "All" selection and create an HTTP exception using the exception list, or change it to "From" and add your Web Protection exception in Web Filtering.

    Anti-Portscan settings in IPS are the only way I know of to select either/or drop/reject packets.  Country Blocking will deny all traffic, and takes place before other security policy settings like port forwards or mail routing.  You will still probably see the traffic generated on your front page of the UTM, but if you monitor the Network Protection live log, you will see the Country Blocking rule being very effective.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Thx Amodin for the information!  I will just need to check now how to use the Country Blocking exception correctly for specific services.

    br

    Sally

  • I only use "From" in Country Blocking instead of "All."

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA