This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Packet Filter issues

I am trying to drop some ip's from accessing our web servers behind the firewall. I have added them to drop. But no matter what I set the packet filter to it wont drop any of the ip listed.

I am using Astaro ASG 7.201 on a Sun Sunfire 4100.

This thread was automatically locked due to age.

Parents

0 Jack Daniel over 17 years ago

It sounds like you have NAT rules to forward traffic to the servers, the NAT rules are applied before the PF rules. You can add a DNAT rule to redirect the problem hosts to an invalid IP before the valid DNAT rule.
Cancel
Vote Up 0 Vote Down

Cancel
0 chuckie_mn over 17 years ago in reply to Jack Daniel

Perfect, great thinking.... I'll do that!
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 chuckie_mn over 17 years ago in reply to Jack Daniel

Perfect, great thinking.... I'll do that!
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 BarryG over 17 years ago in reply to chuckie_mn

Jack, are you talking about Auto-PacketFilter rules on the NAT page?

Also, Chuckie, you need to make sure your DROP rules come before any allow rules.

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 Jack Daniel over 17 years ago in reply to BarryG

I should have been more clear-
If you are using auto-packetfilter rules with DNAT, those rules will be applied before manual PF rules, creating issues like Chuckie's.

Two approaches are
DNAT without automatic PF rules, and use 2 PF rules: the upper one to drop unwanted traffic and the lower one to allow all.
or
2 DNAT rules with auto-PF- upper rule black-hole routes unwanted traffic and lower rule routes properly.
Cancel
Vote Up 0 Vote Down

Cancel