Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 6 replies
  • Subscribers 4 subscribers
  • Views 4058 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Blackhole DNAT Question

Temples90

Hi All,

 

I have been asked to look at implementing an IP blacklist on out Sophos UTM as this was a feature we had on our old appliance which the UTM replaced. I can see that there is no exact feature for this in the UTM but a my research leads me to believe that a Blackhole DNAT rule might accomplish what we are looking for. With that in mind i have put together the following plan which i am looking to implement. I just want to make sure my logic is sound before i put the change request in with my manager. What i am proposing is as follows:

  • Create a new network group object that will contain all the IP we want to black list (lets call it IPBlacklist)
  • Create another network group object (ExtAddresses) that contains all the Address Objects of our external IP addresses (we have 2 IP ranges connected to the UTM)
  • Create a network host object as a "Blackhole address"
  • Create a NAT rule like so
    • Source Address = IPBlacklist
    • Destination Port = any
    • Destination address = ExtAddresses
    • Translated address = "blackhole address"
    • Translasted port = "blank"
    • Automatic firewall disabled
    • Logging enabled (To begin with to ensure the rule is working as expected)

 

I suppose what i am looking to get confirmation on is the following:

  • The rule i have proposed will actually do what is intended (i.e. block traffic from the blacklisted IPs)?
  • That a single rule will work using the group containing the interface address objects or will i have create a rule for each one?

 

Any help on this would be appreciated.

 

Thanks,

Andrew



This thread was automatically locked due to age.
Parents
  • +1

    Hi Andrew,

    Your NAT rule should work for blocking incoming traffic from the blacklisted IP's, but make sure to have the NAT rule as the first NAT rule, since NAT-rules stop processing once the first match is made, so if you first DNAT traffic to an internal server and in a later NAT rule send to blackhole, the 2nd rule will never be evaluated.

    I'm not quite sure whether or not the incoming DNAT would work on a network group however, never tried that.

    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • 0 in reply to apijnappels

    Hi apijnappels,

     

    Thanks for coming back to me and for the input. i'll make sure to put the rule as the first NAT rule like you suggest.

     

    I suppose i can give it a try and see with the network group as my thinking is if the traffic doesn't match then it will just move on until it finds a matching rule. The only other thought i had was to possibly the use the "External - Network" object create by the UAT and have 2 rules (one for each IP range).

     

    Thanks,

    Andrew

  • +1 in reply to Temples90

    It won't work for the External (Network) definition because traffic doesn't arrive on the network address but the hostaddress which is External (Address) and the additional addresses. Also Traffic from External (network) usually is not what you are looking for. It would only apply to traffic that originates from the same subnet from your provider as where your own IP-address is and not "the rest of the world".

    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • 0 in reply to Temples90

    Hi Andrew,

    Consult #2 in Rulz (last updated 2019-04-17).

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to apijnappels

    Hi apijnappels,

     

    Thanks for this. I think i'll go with trying the network group containing the "External (Address)" objects and see what happens.

     

    Thanks,

    Andrew

  • 0 in reply to BAlfson

    Hi Bob,

     

    Thanks for the pointer on this. I have read the rule you suggest and it appears i am on the right track. I just hope the use of the network group object containing all our "External (Address)" object will do the trick and allow me to do this in 1 rule instead of one for each address.

     

    Thanks,

    Andrew

Reply
  • 0 in reply to BAlfson

    Hi Bob,

     

    Thanks for the pointer on this. I have read the rule you suggest and it appears i am on the right track. I just hope the use of the network group object containing all our "External (Address)" object will do the trick and allow me to do this in 1 rule instead of one for each address.

     

    Thanks,

    Andrew

Children
No Data
Unfiltered HTML