Country Blocking Not Working for a WAN > LAN Rule

Hi. It seems like country blocking is not working for WAN -> LAN (or any other protected network behind XG Firewall).

I have tested this with a proxy in the blocked countries.

I have this rule at the top of the list and network traffic still passes even though the rule shouldn't allow it, basically ignoring it. The rule is never triggered, thus always stating in 0 B, out 0 B. I have tried every combination of Source/Destination/Zone/Network and still it doesn't work.

This thread was automatically locked due to age.
  • I have rules the same as yours, but can only test the outgoing one.

    I recently reworked my country blocking rules and can confirm the outgoing version works. I tried to block lots of this junk mail offering all sorts of sex services, but they are randomly sourced.

    So, I found an actual RU site that is in the RU and used that to test my theory and rule making.

    What I found, and what has been pointed out in another thread, is that not all .xx sites are actually located in the .xx country. I found some .ru sites located in the US, which makes blocking very difficult.

    So, in summary, be very careful about stating that country blocking doesn't work; we would need some other reference database to check the suffix rather than the physical IP address.
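    The point above (a country rule matches the geolocated IP, not the domain suffix) and the zone-dependence discussed later in the thread are easier to see with a small, ordered rule evaluator. This is an added example, not code from the thread or from Sophos; the geo-IP prefixes, DNS answers, zone names and rule table are all constructed for the demo and do not describe how XG Firewall matches internally.

```python
"""Demonstrates why an IP-geolocation country rule does not block every
site under a country's TLD, and why the zone pair on the rule matters.
All prefixes, hostnames and rules below are constructed for this example."""
import ipaddress
from typing import Optional

# Constructed geo-IP table (hypothetical prefixes, not a real database)
GEO_RANGES = [
    (ipaddress.ip_network("203.0.113.0/24"), "RU"),
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("192.0.2.0/24"), "AU"),
]

# Constructed DNS answers: hostname -> IP
DNS = {
    "mail.example.ru": "203.0.113.10",     # .ru site hosted on an RU-geolocated IP
    "news.example.ru": "198.51.100.20",    # .ru site hosted on a US-geolocated IP
    "www.example.com.au": "192.0.2.5",
}

# Ordered rule table; first match wins. None means "Any" for that field.
RULES = [
    {"name": "Block RU inbound", "action": "drop",
     "src_zone": "WAN", "dst_zone": "LAN",
     "src_countries": {"RU"}, "dst_countries": None},
    {"name": "Block RU outbound", "action": "drop",
     "src_zone": "LAN", "dst_zone": "WAN",
     "src_countries": None, "dst_countries": {"RU"}},
    {"name": "Allow rest", "action": "accept",
     "src_zone": "Any", "dst_zone": "Any",
     "src_countries": None, "dst_countries": None},
]


def country_of(ip: str) -> Optional[str]:
    """Return the country the geo table assigns to an IP, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_RANGES:
        if addr in net:
            return cc
    return None


def tld_country(host: str) -> str:
    """The country suggested by the hostname's last label (e.g. .ru -> RU)."""
    return host.rsplit(".", 1)[-1].upper()


def _zone_ok(rule_zone: str, zone: str) -> bool:
    return rule_zone == "Any" or rule_zone == zone


def _country_ok(rule_set: Optional[set], cc: Optional[str]) -> bool:
    return rule_set is None or cc in rule_set


def evaluate(src_ip: str, dst_ip: str, src_zone: str, dst_zone: str):
    """First-match evaluation; returns (action, rule name)."""
    src_cc, dst_cc = country_of(src_ip), country_of(dst_ip)
    for rule in RULES:
        if (_zone_ok(rule["src_zone"], src_zone)
                and _zone_ok(rule["dst_zone"], dst_zone)
                and _country_ok(rule["src_countries"], src_cc)
                and _country_ok(rule["dst_countries"], dst_cc)):
            return rule["action"], rule["name"]
    return "drop", "implicit deny"


def audit_hosts():
    """List hosts whose TLD country disagrees with their IP's geolocation.
    These are exactly the sites a geo-based country block will not catch."""
    mismatches = []
    for host, ip in DNS.items():
        tld_cc, geo_cc = tld_country(host), country_of(ip)
        if tld_cc != geo_cc:
            mismatches.append((host, tld_cc, geo_cc))
    return mismatches


if __name__ == "__main__":
    for host, ip in DNS.items():
        print(host, "inbound:", evaluate(ip, "10.0.0.5", "WAN", "LAN"),
              "outbound:", evaluate("10.0.0.5", ip, "LAN", "WAN"))
    print("TLD/geo mismatches:", audit_hosts())
```

    Running it shows mail.example.ru being dropped in both directions while news.example.ru passes, because its address geolocates to US; the audit function is the kind of check to run before concluding that a country rule is broken.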

  • I can comfortably say it still does not work. I have web services on most continents where I can ping my IP / access web services. The workaround still works but it's pretty janky. Sad, when I originally opened this thread I thought it would be resolved by now. Am running SFOS 16.01.2 and I can confirm it does not work.

  • I have tried out my rules with your settings and they fail, but when I change the destination to Any from WAN the rule works. At this stage I can only test the incoming.

    I added Australia to the destination with both WAN and ANY settings. With WAN I could reach AU sites without an issue, with ANY blocked no access to www.google.com.au or www.iinet.net.au.

    The logic I expect is that WAN is from your external interface, whereas ANY is from any source external to your XG.

    When I have a little more time first thing New Year's day I will try accessing the XG from another network using the same settings for the source as above for the Destination.
