Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 9 replies
  • Subscribers 5 subscribers
  • Views 2781 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Does country blocking work for 'from' only?

dswartz

With my old firewall, my mail server in particular gets bombarded from china and russia in particular, so I'd like to switch to UTM9.  I wanted to allow LAN to go to blocked countries, but not allow unsolicited inbound traffic.  It seems like if I block, say, Russian Federation for 'from' only, 'iptables -L -n' shows the exact same output as 'off'.  If I set 'to' or 'all' those seem to be identical to each other as well.  Am I missing something?  Thanks!



This thread was automatically locked due to age.
Parents
  • 0

    I never look at the iptables, but Country Blocking works.   There was a bug in the classification process which was addressed in 9.510.   The earlier versions could produce missing or inconsistent country assignments.  According to the 9.510 release notes, the problem only affected web filtering and only when AD SSO was the authentication method.

  • 0 in reply to DouglasFoster

    Okay, thanks.  I find that mystifying though.  There must be something else going on behind the scenes for from to work, then.  Thanks!

  • +1 in reply to dswartz

    I believe that country blocking happens before iptables, if I remember the flow diagram correctly, it all happens in the "connection tracker" module.

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

  • 0 in reply to Argo

    I'm just surprised that 'to' or 'all' DO generate iptables rules.  Well, I'm deploying this in a day or two, so I can test it out.  My email server gets scanned a *lot* from Russia in particular, so awhile back I had added geoip blocking to it, and can see the iptables hits increment in real time :)  So, the plan would be to set RU to 'from', and then watch the iptables stats on the mailserver.  If they keep going up, there's a bug in UTM, and I can open a support case.

  • 0 in reply to dswartz

    I guess I can close this then.  Been running with 'from' on the various countries/regions, and iptables in the mailserver confirms no changes in hits.  Thanks for the info!

  • 0 in reply to Argo

    Argo, I don't think it's done in conntrack.  It does happen right after that and before everything else.  See #2 in Rulz.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Hi Bob,

    you may be right, although I thought i remember speaking to one of the techs at Sophos and they said it was, but this was along time ago when I was still new to the Sophos.

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

Reply
  • 0 in reply to BAlfson

    Hi Bob,

    you may be right, although I thought i remember speaking to one of the techs at Sophos and they said it was, but this was along time ago when I was still new to the Sophos.

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

Children
No Data
Unfiltered HTML