
IPS alerts from blocked address

Over the last couple of days, I've seen a sudden burst of IPS alerts from two particular IP addresses.  While I have confidence in the IPS, I also see no reason to allow these sites continued access to anything I host, so I've placed them in my "Known Offenders" group which is rejected by Rule #1 on my firewall.  However, I'm still getting IPS alerts from these jerks.  

Am I correct in assuming that incoming traffic goes through the IPS before it hits the firewall?  That seems backwards to me, but perhaps someone can suggest why it would be that way.


  • It's been true for a long time, but maybe it's been changed: the traffic selector in the PF rule must be 'Known Offenders -> Any -> External (Address)' instead of 'Known Offenders -> Any -> Any', otherwise, packets to 443, 25, 4444 and others will be accepted by the Astaro, and the others will be default dropped instead of being dropped by your PF rule.

    If the Any->Any rule worked, please confirm.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
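Bob's point about the traffic selector, modelled as a small rule evaluator. This is an added illustration, not code from the thread or from Sophos: the addresses, the service-port list and the evaluation order (rules with destination "Any" consulted only for forwarded traffic; appliance-bound traffic either accepted by a listening service or default-dropped) are assumptions drawn from his description.

```python
from dataclasses import dataclass

# All addresses, rules and the service-port list below are constructed for the
# illustration; the evaluation order is a model of Bob's description, not
# documented UTM internals.
EXTERNAL_ADDRESS = "203.0.113.10"                    # the appliance's own external IP
KNOWN_OFFENDERS = frozenset({"198.51.100.7", "198.51.100.8"})
APPLIANCE_SERVICES = {25, 443, 4444}                 # ports the post says the appliance itself accepts


@dataclass(frozen=True)
class Rule:
    action: str         # "drop" or "accept"
    sources: frozenset  # source addresses, or frozenset({"any"})
    dst: str            # "any" or one specific address, e.g. External (Address)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    src_ok = "any" in rule.sources or pkt.src in rule.sources
    dst_ok = rule.dst == "any" or rule.dst == pkt.dst
    return src_ok and dst_ok


def evaluate(pkt: Packet, rules: list) -> tuple:
    """Return (verdict, reason) for one packet.

    Modelled assumption (from the post): a user rule whose destination is
    'Any' is consulted only for traffic the appliance forwards.  Traffic
    addressed to the appliance's own External address only sees rules that
    name that address; if none matches, the appliance's listening services
    accept it and anything else is default-dropped.
    """
    to_appliance = pkt.dst == EXTERNAL_ADDRESS
    for rule in rules:
        if to_appliance and rule.dst == "any":
            continue                       # never consulted for appliance-bound traffic
        if matches(rule, pkt):
            return rule.action, "user rule"
    if to_appliance and pkt.dport in APPLIANCE_SERVICES:
        return "accept", "appliance service"
    return "drop", "default drop"


# The two ways of writing Rule #1 from the original post.
WEAK_RULE_1 = [Rule("drop", KNOWN_OFFENDERS, "any")]              # Known Offenders -> Any -> Any
FIXED_RULE_1 = [Rule("drop", KNOWN_OFFENDERS, EXTERNAL_ADDRESS)]  # Known Offenders -> Any -> External (Address)


def compare(pkt: Packet) -> dict:
    """Verdicts for one packet under both rule sets, keyed by rule-set name."""
    return {"any_dst": evaluate(pkt, WEAK_RULE_1),
            "external_dst": evaluate(pkt, FIXED_RULE_1)}


if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", EXTERNAL_ADDRESS, 443),  # offender hits the appliance's own HTTPS
        Packet("198.51.100.7", EXTERNAL_ADDRESS, 22),   # offender hits a port nothing listens on
        Packet("198.51.100.7", "10.0.0.5", 80),         # offender hits a forwarded (hosted) service
        Packet("192.0.2.50", EXTERNAL_ADDRESS, 443),    # non-offender, legitimate appliance access
    ]
    for pkt in samples:
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport}  {compare(pkt)}")
```

Under this model the Any->Any rule drops the offender's traffic to hosted (forwarded) services but never sees packets aimed at the appliance itself, which is exactly the case where the IPS still fires; the External (Address) rule covers the appliance-bound packets but not the forwarded ones, so if the model holds, the poster would want one rule for each destination rather than swapping one for the other.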
  • In my experience, this does not make any difference.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

