Solved

SonicWall Pro 2040 Adding Rule, Need Help Blocking entire IP net block

Posted on 2007-11-15
8,351 Views
Last Modified: 2009-03-31
I have a sonicwall pro 2040 and I need to block entire netblocks, specifically asia, south africa, etc.. where fraud is biggest.

So, we wanted to block this IP address 77.0.1.25 and all others in the 77.0 range.

I have added a rule with an address range begin of 77.0.0.0 and a range end of 77.255.255.255.

Both source and destination I left as * to block all.

Any idea why this is not working?
Question by:ondrejko1
13 Comments
 
LVL 19

Expert Comment

by:feptias
ID: 20297142
Is it enhanced or standard SonicOS?
By default, all traffic is blocked from WAN to LAN and from WAN to DMZ, so you must have added a rule some time earlier that is allowing certain traffic. What type of service is it?  A web site?

How can your new blocking rule have both a range of IP addresses as the source and also have * as the source? I'm confused.
0
 

Author Comment

by:ondrejko1
ID: 20298001
It is standard.  
It is not * as source.. the source for the rule is * and the destination is *, and we chose deny for all services.. basically we want any IP address in the range of 77.0.0.0 and 77.255.255.255 to be blocked.

Does this make sense?

Thanks,
0
 
LVL 19

Expert Comment

by:feptias
ID: 20298585
Yes, it makes sense when I look at StandardOS - I was looking at EnhancedOS.

It has a table of entries. I suggest you set them like this:

                Ethernet    Address Range Begin    Address Range End
Source:         WAN         77.0.0.0               77.255.255.255
Destination:    LAN         *

You could set the Destination address range to cover the range of your LAN, e.g. 192.168.x.x

Are you completely sure you have set Action = Deny?
0
 

Author Comment

by:ondrejko1
ID: 20299059
Yep, absolutely sure.  I will set the source to WAN and see if that makes a difference.  
0
 
LVL 19

Expert Comment

by:feptias
ID: 20299101
I think it will make a difference because it will move the rule to a higher priority. Rules are executed in order of priority. Once a matching rule is found it uses that rule and ignores the rest. Any rule with * for the source and destination zones will be given lowest priority. You need your blocking rule to be at a higher priority than the rule that allows other Internet users access to your service.
0
 
LVL 10

Expert Comment

by:budchawla
ID: 20309356
By default the SonicWALLs have a rule that is a DENY * from WAN to LAN. Apart from any custom rules you configure that allow certain types of traffic, this default rule will already do what you want.

Maybe the question here is, WHAT are you actually trying to block?

Blocking inbound traffic from an IP range doesn't stop fraud. Fraud doesn't normally happen over direct inbound connections from Africa! Fraud generally starts in emails. Good solutions to this are good spam filters & user education.

If you're using an ISP for email, then you can't even block inbound email traffic based on its source because it'll all come from your ISP. Even if you're getting mail directly (into Exchange etc.) then fraudulent emails can't just be blocked based on source IP because they come from all over the world.
If only it was that easy! :-)

The next step for harvesting info is usually websites that pretend to be something they're not, and even these are hosted all over the world, so blocking a range of IPs would have a negligible effect, if any.

So again, WHAT are you trying to block?
0
 

Author Comment

by:ondrejko1
ID: 20312195
Actually, the fraud does come from those countries as they are testing credit cards, etc.. spam is not the issue.  It is blocking traffic that originates over there.. we have set up the rules in IIS but it is too resource intensive on the machine so we want to add to the firewall.
0
 
LVL 19

Accepted Solution

by: feptias (earned 250 total points)
ID: 20312384
Your question was about rules on a SonicWall and I hope we can answer that question. However, I think budchawla has a point in so far as I would not think you could block IP connections from a country based only on IP address. Even so, it may still be a useful tool for blocking certain undesirable remote users. I have resorted to it myself from time to time, but there always seem to be more on new address ranges no matter how many you block!

On the main question, did it make any difference changing the ethernet zone to WAN? Please provide feedback - if suggestions made didn't work we need to know so we can think of other possibilities. If the suggestions helped and you've fixed your problem please close the question.

0
 

Author Comment

by:ondrejko1
ID: 20313277
I will let you know as soon as I find out if it is working.  thx.
0
 
LVL 10

Assisted Solution

by: budchawla (earned 250 total points)
ID: 20313790
Hi there, to return to your question as feptias suggested,

You need to make your rule more specific if you want it to take precedence over an existing rule... this is how the SonicWALL prioritises rules.
So if you have a specific
ALLOW HTTP from WAN * to LAN x.x.x.x rule then you need to create a corresponding
DENY HTTP from WAN 70.0.0.0-70.254.254.254 to LAN x.x.x.x rule in order for the DENY rule to go higher up the precedence.

You only need to create deny rules for traffic that you otherwise have allow rules for.. generally, the DENY * from WAN * to LAN * will look after the rest.

You can see this by looking at the list of access rules on the firewall.... they are applied in the order you see them, from top to bottom.

If you have an allow rule that matches that traffic (which it will) then it will let that traffic through; it doesn't matter what subsequent rules say.

I hope that answers your original question.

I'm still not convinced it will actually help much though... what kind of inbound traffic are you trying to block? Web?

"Actually, the fraud does come from those countries as they are testing credit cards, etc" - I don't understand...the fraud may originate anywhere, when dealing with a firewall we are interested in traffic, not anything else... what kind of inbound traffic are you trying to block?
0
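To make the top-to-bottom, first-match evaluation that feptias and budchawla describe concrete, here is an added Python model of an access-rule list; it is not SonicWALL code and not code from anyone in this thread. The LAN web-server address 192.168.1.10 is constructed, and the specificity() ordering is only an approximation of the "more specific rule wins" behaviour described above, not SonicOS's actual algorithm.

```python
import ipaddress

# Constructed model (not SonicWALL code): a rule list walked top to bottom,
# where the first matching rule decides and later rules are never consulted.
WILD = "*"
FIELDS = ("service", "src_zone", "src", "dst_zone", "dst")


def rule(action, service, src_zone, src_range, dst_zone, dst_range):
    """Build a rule; src_range/dst_range are 'begin-end' strings or '*'."""
    def parse(r):
        if r == WILD:
            return WILD
        begin, end = r.split("-")
        return (ipaddress.ip_address(begin), ipaddress.ip_address(end))
    return {"action": action, "service": service, "src_zone": src_zone,
            "src": parse(src_range), "dst_zone": dst_zone, "dst": parse(dst_range)}


def _hit(field, value):
    """One field of a rule against one field of a packet."""
    if field == WILD:
        return True
    if isinstance(field, tuple):  # inclusive address range begin..end
        return field[0] <= ipaddress.ip_address(value) <= field[1]
    return field == value


def matches(r, pkt):
    return all(_hit(r[k], pkt[k]) for k in FIELDS)


def decide(rules, pkt):
    """First matching rule wins; nothing matching means the implicit deny."""
    for r in rules:
        if matches(r, pkt):
            return r["action"]
    return "deny"


def specificity(r):
    """Assumed approximation: a rule with fewer wildcards sorts higher."""
    return sum(r[k] != WILD for k in FIELDS)


def ordered(*rules):
    return sorted(rules, key=specificity, reverse=True)  # stable sort


# Rules from the thread; 192.168.1.10 is a constructed LAN web-server address.
ALLOW_WEB = rule("allow", "HTTP", "WAN", WILD, "LAN", "192.168.1.10-192.168.1.10")
DENY_ALL_STAR = rule("deny", WILD, WILD, "77.0.0.0-77.255.255.255", WILD, WILD)
DENY_SPECIFIC = rule("deny", "HTTP", "WAN", "77.0.0.0-77.255.255.255", "LAN",
                     "192.168.1.10-192.168.1.10")
DEFAULT_DENY = rule("deny", WILD, "WAN", WILD, "LAN", WILD)
PKT = {"service": "HTTP", "src_zone": "WAN", "src": "77.0.1.25",
       "dst_zone": "LAN", "dst": "192.168.1.10"}
```

With the asker's all-wildcard deny the packet from 77.0.1.25 is still allowed, because the HTTP allow rule sorts above it and matches first; the deny written with the same service, zones and destination as the allow rule sorts above it and blocks the request, while a visitor outside the 77.0.0.0 range is still allowed.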
 

Author Comment

by:ondrejko1
ID: 25402181
Yes, we are trying to block incoming web traffic.  They are testing credit cards on our site and the IP addresses they are using are from Africa, Asia, etc.  If we block them completely, they can't get to our checkout form.  Does that make sense?  It is pretty simple.  Yes, of course they can hop IP addresses, but the amount of work to do that outweighs and they will likely go to another site to try and test credit cards.
0
 

Expert Comment

by:Leog21
ID: 26013348
I had a similar issue. I was able to fix it by moving the rule up in the priority; basically, it should be the first rule it processes: block these addresses, and if not matched go to the other rules.
0
