Drop connection question

Hi,

We want to drop/reject connections from some IP addresses; these IPs shouldn't have access to anything, not through WAF rules or DNAT rules.

From what I understand, we should create a DNAT rule and point it to a machine that does not exist, group the IPs that we want to block into a group, and add that group as the source of the new DNAT.

But this will still process the connections that come to the UTM. We want to drop or reject connections from these IPs.

Can we create the DNAT rule and put it in position 1, and also, instead of creating the firewall rule automatically for the DNAT, create a firewall rule manually and use drop or reject for the connections from there?

Thanks



  • Hi Aresh,

    Yes, creating a blackhole DNAT on top would be the best way as it is processed before your firewall rules. Automatic firewall rules are processed before manual firewall rules so there should be no need for the manual ones.

    Here is a similar thread you can refer to: Blocking all traffic from IP address

    Cheers,
    Karlos

  • But the automatic rule doesn't allow me to reject/drop the incoming connections from those IPs!

    My WAN NIC has 5 public IPs; how can I group them so I don't need to create 5 different DNATs, one for each of my public IPs?

  • Hi Aresh,

    In that case, yes go ahead and disable the automatic firewall rule and create a manual rule at the top that will drop the bad IP addresses. Make sure you enable logging in the firewall rule.

    You can create two network groups (Definitions & Users > Network Definitions > New Network Definition > Type: Network Group). The first one for the "Bad IP addresses" to be blocked and another network group for the "5 public IPs."

    You can then use these 2 groups for both your firewall and DNAT rule. 

    Let me know if you have any more questions. Here's another helpful thread to read where the exact steps above were followed: https://community.sophos.com/products/unified-threat-management/f/network-protection-firewall-nat-qos-ips/40628/dnat-and-firewall-rule-question

    Thanks,
    Karlos

  • Hi Karlos,

    Thanks for the update,

    Can we put the primary IP of the WAN also in the same group? All of the 5 IPs are assigned to the WAN interface.

    Thanks

  • Yes, include the Primary WAN IP in your Network Group

  • Hi Karlos,

    Thanks for your update,

    When creating the FW rule manually, we chose the source from the bad IPs and chose Any for the service. For the destination, should we choose the group of our public IPs, or should we choose the non-existing machine in the internal network?

    Also, this solution will drop connections from both NAT and WAF, right?

    Update,

    this is my rule:

    FW rule:

    When I created the FW rule I said to put it at the top, but it looks like it only put it at the top of the manually created rules and not really at the top. I also used the FW public IPs group as the destination of the FW rule.

    Questions:

    Is the destination of the FW rule correct?

    Why is the firewall rule not at the top of all of the rules?

    Thanks

  • Hi Aresh,

    Your DNAT & Firewall Rule both look correct. Like I mentioned, Automatic Firewalls are processed BEFORE manually created ones. So even if you place it on top, it will still be processed after your automatic rules, hence why the checkbox for Automatic Firewall rules on your DNAT was disabled.

    The best way to see how this process works is by conducting a test from an external network. Add that public IP temporarily to your Hackers Block Network group and attempt to access your UTM's WAN IP and see if you are able to access and how it appears on your firewall log.

    Cheers,
    Karlos
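As an added illustration (not code from the thread or from Sophos), here is a small Python model of the rule ordering Karlos describes: the DNAT runs first, the automatic firewall rule runs before any manually created rule, and only with the automatic rule disabled does the manual drop rule take effect. The address groups, the blackhole address and the source-only match on the manual rule are assumptions made for the model.

```python
from ipaddress import ip_address

# Constructed sample groups using documentation ranges, not the thread's real addresses.
BAD_IPS = {ip_address(a) for a in ("198.51.100.7", "203.0.113.99")}  # "Hackers Block" group
PUBLIC_IPS = {ip_address(f"192.0.2.{n}") for n in range(10, 15)}      # the 5 WAN IPs, primary included
BLACKHOLE = ip_address("10.255.255.254")  # non-existent internal host the DNAT points at (assumed)


def apply_dnat(src, dst):
    """DNAT phase, processed before any firewall rule: a bad source hitting
    any of the public IPs gets its destination rewritten to the blackhole."""
    if src in BAD_IPS and dst in PUBLIC_IPS:
        return BLACKHOLE
    return dst


def firewall_verdict(src, dst, automatic_rule_enabled):
    """Firewall phase. Automatic rules (the one the DNAT would create) are
    evaluated before every manual rule, so a manual drop rule placed 'at the
    top' still sits below them. Returns (verdict, deciding rule)."""
    translated = apply_dnat(src, dst)
    # Automatic rule: permits whatever the DNAT rewrote to its target, so the
    # connection is still processed and forwarded instead of dropped.
    if automatic_rule_enabled and translated == BLACKHOLE:
        return "allow", "automatic DNAT firewall rule"
    # Manual rules, top first: source = bad IPs group, service Any, logging on.
    # Simplification: the match is keyed on the source group only.
    if src in BAD_IPS:
        return "drop", "manual drop rule (logged)"
    return "pass", "no block rule matched; remaining rules decide"


def check(src, dst, automatic_rule_enabled=False):
    """Convenience wrapper taking dotted strings; returns the verdict only."""
    return firewall_verdict(ip_address(src), ip_address(dst), automatic_rule_enabled)[0]


if __name__ == "__main__":
    for enabled in (True, False):
        print("automatic rule", "enabled" if enabled else "disabled", "->",
              firewall_verdict(ip_address("198.51.100.7"), ip_address("192.0.2.10"), enabled))
```

Running it shows the same connection being allowed while the automatic rule is enabled and dropped once it is disabled, which is the behaviour the external test above is meant to confirm in the firewall log.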
