Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 28 subscribers
  • Views 4434 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How would I set up a "reject" rule block traffic from all countries except the US

Dan Bernardez

My client has no associations with folks outside the US. I realize I can concoct an "accept" rule permitting traffic from country of origin "United States" and I did create a "reject" rule with country blocking for offending source countries reported by the firewall reports.

I was wondering if there is a way to construct a firewall rule such as -

Action: Reject

Source Zones: WAN

Source Networks and Devices: NOT United States

Destination Zone: Any

Destination Networks: Any

Services: Any

... all other setting irrelevant ...

As best I can discern, to do this I would have to add a reject rule and include an exhaustive list of countries in the Source Networks designation (not including the "United States") which is what I am intending to achieve with the "NOT" operator, above.

I've made it clear to the client that such a rule would preclude their own access should they ever want access while on a foreign trip. Is there some other reason one would not want to have such a "reject" rule at the front of my firewall rules?



This thread was automatically locked due to age.
Parents
  • 0

    What is he trying to achieve? I have a LAN - WAN rule which I block outgoing traffic to many countries and works fine.

    I have discovered that places like Microsoft / AWS etc tend to bounce into China with some services and a few exceptions needed to be added to allow some hostnames / IP's past the Firewall rule.

Reply
  • 0

    What is he trying to achieve? I have a LAN - WAN rule which I block outgoing traffic to many countries and works fine.

    I have discovered that places like Microsoft / AWS etc tend to bounce into China with some services and a few exceptions needed to be added to allow some hostnames / IP's past the Firewall rule.

Children
  • 0 in reply to M8ey

    To clarify ... I implemented several business rules which DNAT'd LAN hosts making them accessible from the WAN. My initial setup was obviously inadequate because I noticed a lot of hits from foreign countries - notably China, Russia and Brazil. To address this, I restricted a couple of them by specifying known hosts as appropriate for "Allowed/Client Networks". Servers for which I do not have specific originating host addresses, I specified "United States" as the "Allowed/Client Networks".

    To cover myself in the event I inadvertently add another wide open business rule in the future, I constructed a rule which I placed toward the front of the list that had "reject" as the action for any connections originating from from the most nefarious foreign countries and this works for me. If in monitoring the traffic I notice unwanted connections from other countries, I intend to simply add countries to the list to be rejected.

    However, it occurred to me that it would be useful to have be able to say something to the effect of "not United States" for identifying source networks to be rejected - effectively a "NOT" operator option on the source network. This way I would never have to modify the reject rule going forward.

    Just tell me I'm overly paranoid and I'll forget I even had the thought. Thanks.

  • 0 in reply to Dan Bernardez

    Hi,

    you can use the country blocking feature, but as previously warned a number companies have update sources in other countries. Also some Russian sites are hosted on US based service er networks.

     

    Ian