Hi,
we are looking for a way to take certain IP ranges / lists available on various collection sites like e.g. http://iplists.firehol.org and block them on the incoming WAN side before the packet filters, let's say at the level of country blocking or NAT.
As of today I personally do not know an easy way to batch import these kinds of huge lists into a UTM system. The only way I see today would be to create a separate DNS server, batch-import all these lists into certain zones, create DNS rules on the UTM to forward this artificial domain to this new DNS server and then work with DNS groups from within the UTM, and of course do it via DNAT and a blackhole dummy IP, because the packet filters themselves will not work, since they kick in AFTER country blocking and NAT (check Bob's excellent Rulez list).
So - huh - what can we do about it when we want to block certain huge lists using the UTM? I already thought about creating an additional open source firewall in bridge mode, placing it stupidly between the ISP router and the UTM, using automated downloading of compiled lists, letting iptables with ipset or iplist block them and letting everything else through to the main UTM. Sounds good? I don't think so. It adds huge overhead and another point of possible problems.
So - question - How in the world do YOU guys solve this? Is there even an easy answer to this? Any ideas?
Best
Joerg
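Added example, not from any post in this thread: the list-loading half of the "bridge box with iptables + ipset" approach described above. It turns a FireHOL-style .netset/.ipset file (one IPv4 address or CIDR per line, `#` comments) into an `ipset restore` script that fills a scratch set and swaps it into place atomically, so a daily refresh never leaves the WAN unfiltered or half-loaded. The set names, the chain used for the drop rule and the sample list are assumptions, not values taken from the thread.

```sh
#!/bin/sh
# Convert a FireHOL-style block list into an `ipset restore` script.
# Assumed names (hypothetical): set "wan_blocklist", scratch set "wan_blocklist_tmp".
# Malformed lines (IPv6, hostnames, bad octets) are rejected instead of aborting
# the whole restore, and duplicates from merged lists are dropped.
#   usage: netset_to_ipset_restore firehol_level1.netset wan_blocklist | ipset restore
netset_to_ipset_restore() {
    file="$1"
    setname="${2:-wan_blocklist}"
    tmpset="${setname}_tmp"
    # Both sets must exist before the final swap; -exist keeps this idempotent.
    printf 'create %s hash:net family inet hashsize 65536 maxelem 1048576 -exist\n' "$setname"
    printf 'create %s hash:net family inet hashsize 65536 maxelem 1048576 -exist\n' "$tmpset"
    printf 'flush %s\n' "$tmpset"
    awk -v set="$tmpset" '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # strip comments and padding
        $0 == "" { next }
        {
            # Accept only a.b.c.d or a.b.c.d/len with each octet <= 255 and len <= 32.
            n = split($0, parts, "/")
            if (n > 2) { bad++; next }
            plen = (n == 2) ? parts[2] : 32
            if (plen !~ /^[0-9]+$/ || plen + 0 > 32) { bad++; next }
            if (split(parts[1], o, ".") != 4) { bad++; next }
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) { bad++; next }
            key = parts[1] "/" (plen + 0)
            if (key in seen) { dup++; next }          # de-duplicate across sources
            seen[key] = 1; added++
            print "add " set " " key
        }
        END {
            printf "%s: %d entries, %d duplicates, %d malformed lines rejected\n",
                   set, added, dup, bad | "cat 1>&2"
            close("cat 1>&2")
        }' "$file"
    # Atomic cut-over: the live set is replaced in one step, then the scratch set dropped.
    printf 'swap %s %s\n' "$tmpset" "$setname"
    printf 'destroy %s\n' "$tmpset"
}

# Insert the drop rule once. On a Linux bridge, frames only reach iptables when
# br_netfilter is loaded (net.bridge.bridge-nf-call-iptables=1); they then pass
# through FORWARD, so that is where inbound WAN sources are matched.
# Not called in this file; run it on the bridge box after the first restore.
install_drop_rule() {
    setname="${1:-wan_blocklist}"
    iptables -C FORWARD -m set --match-set "$setname" src -j DROP 2>/dev/null ||
        iptables -I FORWARD 1 -m set --match-set "$setname" src -j DROP
}
```

Running the converter from cron after the download and piping it into `ipset restore` gives the "update every morning" behaviour mentioned later in the thread; the swap keeps the old set active until the new one is completely loaded, and the stderr summary makes a truncated or corrupt download visible rather than silently shrinking the block list.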
I believe that there's a Feature Request concerning this that you can vote for and comment on. Please share the link back here on your thread.
Cheers - Bob
Hi Bob,
Are you talking about this one? http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/1982075-network-security-block-malicious-botnet-bad-ip-s
Because the answer from Sophos/Astaro really made me laugh. Not. They claim this is implemented with ATP. Which is not true, obviously.
OK, to be honest - I don't think the vendor WANTS to implement this. Seems to me like too much cost/outlay. So my thoughts / questions would really be to think together about whether there is some other workaround / possibility. For example via DNS groups or another open source firewall in bridge mode between the UTM and the ISP.
So - any ideas?
Thanks
Joerg
I do this with a Mikrotik router. My IP block list currently has 21,350 entries. Some are individual host IPs, some are large IP address blocks. I have scripts that update the lists every morning. The Mikrotik is my WAN router and Sophos XG is in bridge mode directly after it.
pfSense with the pfBlockerNG package does IP block lists extraordinarily well. Very easy to set up and does de-duplication when pulling IP block lists from multiple sources.
Thanks, I will play around with this, try to do it via bridge mode in pfSense. Is the blocking feature in the pfSense install by default or is it still pfBlocker/pfBlockerNG?
...figured it out - still pfBlockerNG. OK - I will try to set up a virtual pfSense with two vNICs in bridge mode and try to install it between the UTM and the ISP. Will play around with it in the test lab...
The updated feature request that calls Sophos out on their statement that ATP implements this is here: http://ideas.sophos.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/8100519-block-ip-s-using-blacklist-blocklist-service
Travis G
Senior Network Engineer
Sophos UTM Architect