Solved

SonicWall Pro 2040 Adding Rule, Need Help Blocking entire IP net block

Posted on 2007-11-15
8,366 Views
Last Modified: 2009-03-31
I have a SonicWall Pro 2040 and I need to block entire netblocks, specifically Asia, South Africa, etc., where fraud is biggest.

So, we wanted to block this IP address 77.0.1.25 and all others in the 77.0 range.

I have added a rule with an address begin of 77.0.0.0 and a range end of 77.255.255.255.

Both source and destination I left as * to block all.

Any idea why this is not working?
Question by:ondrejko1
13 Comments
 
LVL 19

Expert Comment

by:feptias
ID: 20297142
Is it enhanced or standard SonicOS?
By default, all traffic is blocked from WAN to LAN and from WAN to DMZ, so you must have added a rule some time earlier that is allowing certain traffic. What type of service is it?  A web site?

How can your new blocking rule have both a range of IP addresses as the source and also have * as the source? I'm confused.

Author Comment

by:ondrejko1
ID: 20298001
It is standard.
It is not * as source... the source for the rule is * and the destination is *, and we chose deny for all services. Basically we want any IP address in the range of 77.0.0.0 and 77.255.255.255 to be blocked.

Does this make sense?

Thanks,
LVL 19

Expert Comment

by:feptias
ID: 20298585
Yes, it makes sense when I look at StandardOS - I was looking at EnhancedOS.

It has a table of entries. I suggest you set them like this:

                  Ethernet    Address Range Begin    Address Range End
Source:           WAN         77.0.0.0               77.255.255.255
Destination:      LAN         *

You could set the Destination address range to cover the range of your LAN, e.g. 192.168.x.x

Are you completely sure you have set Action = Deny?

Author Comment

by:ondrejko1
ID: 20299059
Yep, absolutely sure.  I will set the source to WAN and see if that makes a difference.  
LVL 19

Expert Comment

by:feptias
ID: 20299101
I think it will make a difference because it will move the rule to a higher priority. Rules are executed in order of priority. Once a matching rule is found it uses that rule and ignores the rest. Any rule with * for the source and destination zones will be given lowest priority. You need your blocking rule to be at a higher priority than the rule that allows other Internet users access to your service.
LVL 10

Expert Comment

by:budchawla
ID: 20309356
By default the SonicWALLs have a rule that is a DENY * from WAN to LAN. Apart from any custom rules you configure that allow certain types of traffic, this default rule will already do what you want.

Maybe the question here is, WHAT are you actually trying to block?

Blocking inbound traffic from an IP range doesn't stop fraud. Fraud doesn't normally happen over direct inbound connections from Africa! Fraud generally starts in emails. Good solutions to this are good spam filters & user education.

If you're using an ISP for email, then you can't even block inbound email traffic based on its source because it'll all come from your ISP. Even if you're getting mail directly (into Exchange etc.) then fraudulent emails can't just be blocked based on source IP because they come from all over the world.
If only it was that easy! :-)

The next step for harvesting info is usually websites that pretend to be something they're not, and even these are hosted all over the world, so blocking a range of IPs would have a negligible effect, if any.

So again, WHAT are you trying to block?

Author Comment

by:ondrejko1
ID: 20312195
Actually, the fraud does come from those countries as they are testing credit cards, etc. Spam is not the issue. It is blocking traffic that originates over there... we have set up the rules in IIS but it is too resource intensive on the machine so we want to add to the firewall.
LVL 19

Accepted Solution

by:feptias (earned 250 total points)
ID: 20312384
Your question was about rules on a SonicWall and I hope we can answer that question. However, I think budchawla has a point insofar as I would not think you could block IP connections from a country based only on IP address. Even so, it may still be a useful tool for blocking certain undesirable remote users. I have resorted to it myself from time to time, but there always seem to be more on new address ranges no matter how many you block!

On the main question, did it make any difference changing the ethernet zone to WAN? Please provide feedback - if suggestions made didn't work we need to know so we can think of other possibilities. If the suggestions helped and you've fixed your problem please close the question.


Author Comment

by:ondrejko1
ID: 20313277
I will let you know as soon as I find out if it is working.  thx.
LVL 10

Assisted Solution

by:budchawla (earned 250 total points)
ID: 20313790
Hi there, to return to your question as feptias suggested,

You need to make your rule more specific if you want it to take precedence over an existing rule... this is how the SonicWALL prioritises rules.
So if you have a specific
ALLOW HTTP from WAN * to LAN x.x.x.x rule then you need to create a corresponding
DENY HTTP from WAN 70.0.0.0-70.254.254.254 to LAN x.x.x.x rule in order for the DENY rule to go higher up the precedence.

You only need to create deny rules for traffic that you otherwise have allow rules for.. generally, the DENY * from WAN * to LAN * will look after the rest.

You can see this by looking at the list of access rules on the firewall.... they are applied in the order you see them, from top to bottom.

If you have an allow rule that matches that traffic (which it will) then it will let that traffic through; it doesn't matter what subsequent rules say.

I hope that answers your original question.

I'm still not convinced it will actually help much though... what kind of inbound traffic are you trying to block? Web?

"Actually, the fraud does come from those countries as they are testing credit cards, etc" - I don't understand...the fraud may originate anywhere, when dealing with a firewall we are interested in traffic, not anything else... what kind of inbound traffic are you trying to block?
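The precedence behaviour that feptias (rules evaluated in priority order, first match wins, wildcard zones sink to the bottom) and budchawla (a specific DENY must sit above the ALLOW it is meant to override) both describe can be modelled in a few lines. The following is an added example, not SonicWall's code nor anything either expert posted; it assumes a constructed LAN web server at 192.168.1.10, a constructed unrelated client at 203.0.113.7, and models only the fields discussed in the thread (service, zones, address ranges, action).

```python
"""
Added example: a first-match access-rule evaluator that models the SonicWall
rule precedence described in the thread. Assumption: rules are applied in the
order listed, top to bottom, and the first full match decides the packet.
Unmatched WAN->LAN traffic falls through to the default deny the thread mentions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

ANY = "*"  # wildcard for zones and services, as in the rule table


@dataclass(frozen=True)
class Rule:
    action: str                      # "ALLOW" or "DENY"
    service: str                     # "HTTP", "SMTP", ..., or ANY
    src_zone: str                    # "WAN", "LAN", or ANY
    src_net: Optional[IPv4Network]   # None = any source address
    dst_zone: str
    dst_net: Optional[IPv4Network]   # None = any destination address
    label: str = ""

    def matches(self, service: str, src_zone: str, src_ip: IPv4Address,
                dst_zone: str, dst_ip: IPv4Address) -> bool:
        return (self.service in (ANY, service)
                and self.src_zone in (ANY, src_zone)
                and (self.src_net is None or src_ip in self.src_net)
                and self.dst_zone in (ANY, dst_zone)
                and (self.dst_net is None or dst_ip in self.dst_net))


def evaluate(rules: List[Rule], service: str, src_zone: str, src_ip: str,
             dst_zone: str, dst_ip: str) -> Tuple[str, str]:
    """Walk the list top to bottom; stop at the first rule that matches."""
    src, dst = IPv4Address(src_ip), IPv4Address(dst_ip)
    for rule in rules:
        if rule.matches(service, src_zone, src, dst_zone, dst):
            return rule.action, rule.label
    return "DENY", "implicit default deny"   # default WAN->LAN deny


WEB_SERVER = IPv4Network("192.168.1.10/32")   # constructed LAN address
BLOCKED = IPv4Network("77.0.0.0/8")           # 77.0.0.0 - 77.255.255.255 from the question

ALLOW_WEB = Rule("ALLOW", "HTTP", "WAN", None, "LAN", WEB_SERVER, "allow web from anywhere")
DENY_RANGE = Rule("DENY", "HTTP", "WAN", BLOCKED, "LAN", WEB_SERVER, "deny 77/8 to web")
WILDCARD_DENY = Rule("DENY", ANY, ANY, BLOCKED, ANY, None, "deny 77/8, zones *")

# As first configured: zones left as *, so the deny lands below the allow.
MISORDERED = [ALLOW_WEB, WILDCARD_DENY]
# As advised: specific deny placed above the allow it must override.
CORRECTED = [DENY_RANGE, ALLOW_WEB]


def check_ordering() -> Dict[str, Tuple[str, str]]:
    """Show how the same 77.0.1.25 request fares under each rule order."""
    return {
        "misordered": evaluate(MISORDERED, "HTTP", "WAN", "77.0.1.25", "LAN", "192.168.1.10"),
        "corrected": evaluate(CORRECTED, "HTTP", "WAN", "77.0.1.25", "LAN", "192.168.1.10"),
        "other_client": evaluate(CORRECTED, "HTTP", "WAN", "203.0.113.7", "LAN", "192.168.1.10"),
        "no_allow_rule": evaluate(CORRECTED, "SMTP", "WAN", "77.0.1.25", "LAN", "192.168.1.10"),
    }


if __name__ == "__main__":
    for name, (action, label) in check_ordering().items():
        print(f"{name:14s} -> {action:5s} ({label})")
```

Running it shows the symptom from the question (the misordered list still returns ALLOW for 77.0.1.25 because the earlier allow rule matches first) beside the corrected order, where the range is denied while other WAN clients keep access and services with no allow rule fall through to the default deny. A real rule change should be verified the same way: send a test request from an address inside the range and confirm it is logged as dropped by the intended rule.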

Author Comment

by:ondrejko1
ID: 25402181
Yes, we are trying to block incoming web traffic.  They are testing credit cards on our site and the IP addresses they are using are from Africa, Asia, etc.  If we block them completely, they can't get to our checkout form.  Does that make sense?  It is pretty simple.  Yes, of course they can hop IP addresses, but the amount of work to do that outweighs and they will likely go to another site to try and test credit cards.

Expert Comment

by:Leog21
ID: 26013348
I had a similar issue. I was able to fix it by moving the rule up in the priority; basically, it should be the first rule it processes: block these addresses, and if not, go to the other rules.