
UTM 9 Block specific IP

Here's the situation first. I get emails about all port scan notifications and intrusion alerts from our UTM. For the past 24 hours, this one IP address has been port scanning us like crazy and then going on to "likely SQL injections." So I thought, OK, I'll create a DNAT blackhole rule.

Basically the rule is this: any traffic from the malicious IP address going to our server (internal IP) gets remapped to a non-existing internal IP.

Then I put that rule prior to the NAT rules for that server.

Still, I'm getting the email notifications. Maybe the reason is that the Intrusion Protection Service is going to catch these attacks/probes regardless?

Thanks for any feedback.

  • A DNAT rule doesn't go to the internal address of your server, but to the external (address) of your WAN connection.

    Then the destination should be a blackhole.

  • Also, I recommend creating a firewall drop rule which drops all traffic to the blackhole and setting it high (it should be the first user-defined rule) in your packet filter list.

  • Hi, 

    So does that mean you do not want the email notifications that frequently? If that's your requirement, then check the limit notification option found in Management > Notification > Global tab.

    Thanks

  • Wait, how does that work? Wouldn't that just create a loop?

    So let's say my external IP is 10.1.1.1 (just for the sake of argument) and I have an internal IP structure of 192.168.1.x/24. Now I had a DNAT such that any traffic from the malicious IP going to a server on my internal network, say 192.168.1.2, shall be readdressed to 192.168.1.200, which is not being used by any device.

    Your suggestion seems to be to have it readdressed to 10.1.1.1, the external IP. Wouldn't that just come back in and loop around ad infinitum?

  • I use a blackhole DNAT like this:

    Where "Block IPs" is a group in which I put all IPs I want to completely discard all traffic from, and destination "Blackhole2" is a host with an IPv4 address of 240.0.0.0 and an IPv6 address of 0100::

    240.0.0.0 falls in 240.0.0.0/4 (reserved for future use)
    0100:: falls in 0100::/64 (the RFC 6666 discard prefix for IPv6)

    You may also need to create a firewall rule:

    That way there should be no logging from blocked traffic.
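As an added check that is not part of the thread above: a small Python helper that classifies a candidate blackhole DNAT target, accepting only the two non-routed ranges named in the reply (240.0.0.0/4 and the RFC 6666 prefix 0100::/64) and flagging addresses that still belong to a routable LAN, as the original poster's 192.168.1.200 does. The LAN subnet is a constructed example taken from the thread; substitute your own.

```python
import ipaddress

# Ranges that are never routed, so packets DNATed to them are simply discarded.
IPV4_DISCARD = ipaddress.ip_network("240.0.0.0/4")   # reserved for future use
IPV6_DISCARD = ipaddress.ip_network("0100::/64")     # RFC 6666 discard-only prefix

# Constructed sample of the poster's internal network (assumption; replace with yours).
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]


def classify_blackhole_target(addr: str) -> str:
    """Return how suitable `addr` is as the destination of a blackhole DNAT rule.

    "ok"       - inside a discard prefix; traffic redirected here goes nowhere
    "local"    - an address on your own LAN; packets are still delivered/ARPed for
    "private"  - some other RFC 1918/reserved address, still routable internally
    "routable" - a public address; DNATing here would forward traffic to a third party
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 and ip in IPV4_DISCARD:
        return "ok"
    if ip.version == 6 and ip in IPV6_DISCARD:
        return "ok"
    if any(ip in net for net in LOCAL_NETS):
        return "local"
    if ip.is_private:
        return "private"
    return "routable"


if __name__ == "__main__":
    for candidate in ("240.0.0.0", "0100::", "192.168.1.200", "10.1.1.1"):
        print(f"{candidate:>15}  ->  {classify_blackhole_target(candidate)}")
```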