This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Intrusion prevention warning

Hi all,

in my UTM9 SG310

latest firmware installed 9.510-5

I got several mail from IPS told me some attack from the same IP public address. Checked the geo position i assume is an unwanted user.

So i wish block this IP.

Applying a rule on firewall were: the source ( ip address unwanted) any services going to my network is dropped nothing happens. The pubblic IP unwanted continuing to knock on my door.

Where i'm wrong

Thanks Gian Luca

This thread was automatically locked due to age.

Parents

0 Jason Klein over 5 years ago

Hi Gian,

The Firwall Framework works like this.

*incoming Packets*

1. RAW packet processing

2. Contract

3. DNAT

*Routing*

*Forward*

4. Packet Filter

5. IPS

Since the Packet Filter is applied before the IPS kicks in there needs to be something wrong with your Rule if the rule doesnt Block / drop it.

Please show us the Screenshot where we can see the IP and the Port the IP uses. Then post a screenshot of your Top firewall rules.

Also post a screenshot of your NAT rules.

Regards

Jason

Regards

Jason

Sophos Certified Architect - UTM
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Jason Klein over 5 years ago

Hi Gian,

The Firwall Framework works like this.

*incoming Packets*

1. RAW packet processing

2. Contract

3. DNAT

*Routing*

*Forward*

4. Packet Filter

5. IPS

Since the Packet Filter is applied before the IPS kicks in there needs to be something wrong with your Rule if the rule doesnt Block / drop it.

Please show us the Screenshot where we can see the IP and the Port the IP uses. Then post a screenshot of your Top firewall rules.

Also post a screenshot of your NAT rules.

Regards

Jason

Regards

Jason

Sophos Certified Architect - UTM
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Gian Luca Gaddoni over 5 years ago in reply to Jason Klein

Here the screenshot
below you can see top firewall rules and also ip addresses unwanted

DNAT rules

Thanks Gian Luca
Cancel
Vote Up 0 Vote Down

Cancel
0 Jason Klein over 5 years ago in reply to Gian Luca Gaddoni

Hey Gian,

and the foreign IP wants to access your Server via Port 80?

-Jason

Regards

Jason

Sophos Certified Architect - UTM
Cancel
Vote Up 0 Vote Down

Cancel
0 Gian Luca Gaddoni over 5 years ago in reply to Jason Klein

HI,

Yes the foreign IP looking for...

Gian Luca
Cancel
Vote Up 0 Vote Down

Cancel
0 Jason Klein over 5 years ago in reply to Gian Luca Gaddoni

Hi,

You might want to test a black hole Nat for the IP.

Create a rule (maybe IP Range in case you get more in the future).

New Target:

Source: the IPs that are getting through

Service: HTTP

Destination: should be to an IPv4 address in 240.0.0.0/4 or to one in 100::/64 for IPv6.

Position that rule above your others so that i gets processed first, in theory the IP should be nated into the black hole then.

Regards

Jason

Sophos Certified Architect - UTM
Cancel
Vote Up 0 Vote Down

Cancel
+1 Gian Luca Gaddoni over 5 years ago in reply to Jason Klein

Hi,

the application of the DNAT blackhole rule as you suggested works fine.

Thank you very much
Cancel
Vote Up 0 Vote Down

Cancel