
Block large IP lists from WAN side

Hi,

we are looking for a way to implement certain IP ranges / lists available on various collection sites like e.g. http://iplists.firehol.org for being blocked on the incoming WAN side before the packet filters, let's say on the level of country blocking or NAT.

As of today I personally do not know an easy way to batch import these kinds of huge lists into a UTM system. The only way I see today would be to create a separate DNS server, batch-import all these lists into certain zones, create DNS rules on the UTM to forward this artificial domain to this new DNS server and then work with DNS groups from within the UTM, and of course do it via DNAT and a blackhole dummy IP, because the packet filters themselves will not work, as they kick in AFTER country blocking and NAT (check Bob's excellent rulez list).

So - huh - what can we do about it when we want to block certain huge lists using the UTM? I already thought about creating an additional open source firewall in bridge mode, placing it stupidly between the ISP router and the UTM, using automated downloading of compiled lists, letting iptables with ipset or iplist block them and letting everything else through to the main UTM. Sounds good? I don't think so. It adds huge overhead and another point of possible problems.

So - question - How in the world do YOU guys solve this? Is there even an easy answer to this? Any ideas?

Best
Joerg
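The bridge-firewall idea from the post (iptables plus ipset in front of the UTM), sketched as an added shell example that is not from the original thread or from Sophos: it converts a FireHOL-style netset file into an `ipset restore` script and swaps the new set in atomically, so a refreshed list replaces the old one without a gap in enforcement. The sample list is constructed inline, and the set name `wan_blocklist` and the `APPLY=1` switch are assumptions.

```shell
#!/bin/sh
# Added example: build an "ipset restore" script from a FireHOL-style netset
# and optionally apply it on a bridging firewall in front of the UTM.
SET_NAME="${SET_NAME:-wan_blocklist}"   # assumed set name

# netset_to_restore FILE SETNAME -> prints ipset restore commands on stdout.
# Builds SETNAME_new, then swaps it with SETNAME in one step (atomic update).
netset_to_restore() {
  file="$1"; name="$2"
  printf 'create %s_new hash:net family inet hashsize 65536 maxelem 524288 -exist\n' "$name"
  printf 'flush %s_new\n' "$name"
  # FireHOL netsets: one IPv4 address or CIDR per line, '#' comments, blank lines.
  # Anything that is not a plain IPv4/CIDR is dropped rather than fed to ipset.
  grep -Ev '^[[:space:]]*(#|$)' "$file" \
    | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' \
    | sed "s|^|add ${name}_new |"
  printf 'create %s hash:net family inet hashsize 65536 maxelem 524288 -exist\n' "$name"
  printf 'swap %s_new %s\n' "$name" "$name"
  printf 'destroy %s_new\n' "$name"
}

# Constructed sample netset (stand-in for a downloaded FireHOL list).
SAMPLE_NETSET="$(mktemp)"
trap 'rm -f "$SAMPLE_NETSET"' EXIT
cat > "$SAMPLE_NETSET" <<'EOF'
#
# constructed sample in FireHOL netset format (documentation ranges only)
192.0.2.0/24
198.51.100.17
not-an-address
203.0.113.0/25
EOF

# Number of "add" entries generated from the sample (3: the bogus line is skipped).
count_adds() { netset_to_restore "$SAMPLE_NETSET" "$SET_NAME" | grep -c '^add '; }

if [ "${APPLY:-0}" = 1 ]; then
  # Needs root plus the ipset and iptables binaries. Drops forwarded packets
  # whose source is in the set; everything else passes on to the UTM.
  netset_to_restore "$SAMPLE_NETSET" "$SET_NAME" | ipset restore
  iptables -C FORWARD -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null \
    || iptables -I FORWARD -m set --match-set "$SET_NAME" src -j DROP
fi
```

Point the download step at the real list (for example with curl on a cron schedule) and rerun with `APPLY=1`; the swap means the refresh never leaves the FORWARD chain without a populated set.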


