This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Drop an External IP hack...

Getting a lot of traffic, maybe a marginal DDoS, from a hacker? from different IP's on an external IP subnet. So I've read several posts on these forums and now I'm getting a bit confused on the best way to handle.

Setup a firewall rule:
1. Ext IP > Any > Any : Drop,
or
2. Ext IP > Any > Ext interface(s) : Drop
or something else?

Also, they're sometimes, but not always, going to port 80, and the webproxy is running in transparent mode. So would the webproxy come before the above rules? And if so, do we need to setup a DNAT or what?

This thread was automatically locked due to age.

0 BAlfson over 11 years ago

A DNAT will capture everything first. See #2 in https://community.sophos.com/products/unified-threat-management/astaroorg/f/51/t/22065.

If Web Filtering is configured with "Any" or "Internet" in 'Allowed networks', the port 80 traffic could get in through the Proxy, but you probably don't have that.

I guess you just want to stop the default drops in your Firewall log. In this case, just make a Firewall rule: '{bad IPs} -> Any -> Any : Drop/Reject'.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 11 years ago

Hi, what kind of packets are they?
UDP or TCP SYN or TCP RST or TCP FIN or ?

Log entries would help.

Barry
Cancel
Vote Up 0 Vote Down

Cancel