This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

DNAT and Firewall Rule Question

So I wanted to block some malicious IPs and I placed a block rule at the top of my firewall rule list. Then I discovered to my surprise that the traffic wasn't being blocked. This is because I am using DNAT with Automatic Firewall Rule checked. Therefore, the traffic was being allowed before my block rule ever applied.

So upon perusing the forum, I see that there are two ways around this:

1) Add a blackhole NAT rule as the first DNAT
2) Stop using automatic firewall rules and add separate firewall rules for each NAT entry.

So my question is, are there any pros/cons to each approach? I have about 40 DNAT rules setup, so that is a lot of firewall rules I'd have to add. But if that is a better way of doing things, I'll change it. Any thoughts/advice? Thanks.

Matt

P.S. Where does Country Blocking fall in w/r to DNAT?

This thread was automatically locked due to age.

Parents

0 Scott_Klassen over 11 years ago

So Country Blocking happens even before the DNAT
  Correct, both inbound and outbound.

if best practice would be to not use the automatic firewall rules, I'll bite the bullet and change it
  The vast majority use automatic firewall rule quite successfully and are happy with not having to manage rules manually.  If they are working for you to this point, there's no need to change.

Would be nice to have both before and after rule sets maybe
  Astaro Security Gateway Feature Requests: Hot (953 ideas)  [:)]

__________________
ACE v8/SCA v9.3

...still have a v5 install disk in a box somewhere.

http://xkcd.com
http://www.tedgoff.com/mb
http://www.projectcartoon.com/cartoon/1
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Scott_Klassen over 11 years ago

So Country Blocking happens even before the DNAT
  Correct, both inbound and outbound.

if best practice would be to not use the automatic firewall rules, I'll bite the bullet and change it
  The vast majority use automatic firewall rule quite successfully and are happy with not having to manage rules manually.  If they are working for you to this point, there's no need to change.

Would be nice to have both before and after rule sets maybe
  Astaro Security Gateway Feature Requests: Hot (953 ideas)  [:)]

__________________
ACE v8/SCA v9.3

...still have a v5 install disk in a box somewhere.

http://xkcd.com
http://www.tedgoff.com/mb
http://www.projectcartoon.com/cartoon/1
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Krowten over 11 years ago in reply to Scott_Klassen

So how exactly do I make the black hole DNAT rule?

I created a Block Group of IPs and networks. I set the traffic service to Any and the traffic dest. to Any. I set NAT mode to DNAT. I set destination to a dead end IP (10.9.9.9) and dest. service to Any. When I try and save that, it says it cannot create a NAT rule mapping all services into one. What's the best way to setup a black hole rule?

Thanks.

Matt
Cancel
Vote Up 0 Vote Down

Cancel