ondrejko1

asked on

SonicWall Pro 2040 Adding Rule, Need Help Blocking entire IP net block

I have a SonicWall Pro 2040 and I need to block entire netblocks, specifically Asia, South Africa, etc., where fraud is biggest.

So, we wanted to block this IP address 77.0.1.25 and all others in the 77.0 range.

I have added a rule with an address range begin of 77.0.0.0 and a range end of 77.255.255.255.

Both source and destination I left as * to block all.

Any idea why this is not working?
Member_2_1968385

Is it enhanced or standard SonicOS?
By default, all traffic is blocked from WAN to LAN and from WAN to DMZ, so you must have added a rule some time earlier that is allowing certain traffic. What type of service is it?  A web site?

How can your new blocking rule have both a range of IP addresses as the source and also have * as the source? I'm confused.
ondrejko1

ASKER

It is standard.  
It is not * as source. The source for the rule is * and the destination is *, and we chose Deny for all services. Basically we want any IP address in the range of 77.0.0.0 and 77.255.255.255 to be blocked.

Does this make sense?

Thanks,
Yes, it makes sense when I look at StandardOS - I was looking at EnhancedOS.

It has a table of entries. I suggest you set them like this:

                Ethernet    Address Range Begin    Address Range End
Source:         WAN         77.0.0.0               77.255.255.255
Destination:    LAN         *

You could set the Destination address range to cover the range of your LAN, e.g. 192.168.x.x

Are you completely sure you have set Action = Deny?
Yep, absolutely sure.  I will set the source to WAN and see if that makes a difference.  
I think it will make a difference because it will move the rule to a higher priority. Rules are executed in order of priority. Once a matching rule is found it uses that rule and ignores the rest. Any rule with * for the source and destination zones will be given lowest priority. You need your blocking rule to be at a higher priority than the rule that allows other Internet users access to your service.
By default the SonicWALLs have a rule that is a DENY * from WAN to LAN. Apart from any custom rules you configure that allow certain types of traffic, this default rule will already do what you want.

Maybe the question here is, WHAT are you actually trying to block?

Blocking inbound traffic from an IP range doesn't stop fraud. Fraud doesn't normally happen over direct inbound connections from Africa! Fraud generally starts in emails. Good solutions to this are good spam filters & user education.

If you're using an ISP for email, then you can't even block inbound email traffic based on its source because it'll all come from your ISP. Even if you're getting mail directly (into Exchange etc.) then fraudulent emails can't just be blocked based on source IP because they come from all over the world.
If only it was that easy! :-)

The next step for harvesting info is usually websites that pretend to be something they're not, and even these are hosted all over the world, so blocking a range of IPs would have a negligible effect, if any.

So again, WHAT are you trying to block?
Actually, the fraud does come from those countries, as they are testing credit cards, etc. Spam is not the issue. It is blocking traffic that originates over there. We have set up the rules in IIS but it is too resource intensive on the machine, so we want to add them to the firewall.
ASKER CERTIFIED SOLUTION
Member_2_1968385
I will let you know as soon as I find out if it is working.  thx.
SOLUTION
Yes, we are trying to block incoming web traffic. They are testing credit cards on our site and the IP addresses they are using are from Africa, Asia, etc. If we block them completely, they can't get to our checkout form. Does that make sense? It is pretty simple. Yes, of course they can hop IP addresses, but the amount of work to do that outweighs it, and they will likely go to another site to try and test credit cards.
I had a similar issue. I was able to fix it by moving the rule up in the priority. Basically, it should be the first rule it processes: block these addresses; if not, go to the other rules.
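The point made twice in this thread (rules are evaluated in priority order, the first match wins, and a rule with * for both zones sinks to the bottom of the table) can be seen in a small first-match evaluator. This is an added example, not SonicOS code and not anything posted in the thread: it assumes a pre-existing "allow web" rule for WAN to LAN HTTP (the thread only says some earlier rule must be allowing traffic), models the address-range and zone fields of the Standard OS rule table, and treats "no rule matched" as the default WAN to LAN deny mentioned above.

```python
"""First-match firewall rule evaluation, showing why a block rule's position
in the table decides whether it ever fires. Simplified model written for this
thread; not SonicOS code. The 'allow web' rule is an assumption."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Tuple

ANY_BEGIN = IPv4Address("0.0.0.0")          # "*" as an address range begin
ANY_END = IPv4Address("255.255.255.255")    # "*" as an address range end


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str           # "WAN", "LAN", "DMZ" or "*" (any zone)
    dst_zone: str
    src_begin: IPv4Address  # inclusive source address range
    src_end: IPv4Address
    service: str            # e.g. "HTTP"; "*" means any service
    action: str             # "allow" or "deny"

    def matches(self, src_zone: str, dst_zone: str,
                src_ip: IPv4Address, service: str) -> bool:
        return (self.src_zone in ("*", src_zone)
                and self.dst_zone in ("*", dst_zone)
                and self.src_begin <= src_ip <= self.src_end
                and self.service in ("*", service))


def first_match(rules: List[Rule], src_zone: str, dst_zone: str,
                src_ip: str, service: str) -> Tuple[str, str]:
    """Walk the table in priority order; the first matching rule decides.
    No match falls through to the default WAN->LAN deny the thread mentions."""
    ip = IPv4Address(src_ip)
    for rule in rules:
        if rule.matches(src_zone, dst_zone, ip, service):
            return rule.action, rule.name
    return "deny", "default"


def wildcard_zone_rules_last(rules: List[Rule]) -> List[Rule]:
    """Model the behaviour described in the thread: rules with * for both
    source and destination zone are given the lowest priority."""
    specific = [r for r in rules if not (r.src_zone == "*" and r.dst_zone == "*")]
    generic = [r for r in rules if r.src_zone == "*" and r.dst_zone == "*"]
    return specific + generic


# Assumed pre-existing rule that publishes the web site (not from the thread).
ALLOW_WEB = Rule("allow web", "WAN", "LAN", ANY_BEGIN, ANY_END, "HTTP", "allow")

# The asker's block rule as first written: zones "*"/"*", range 77.0.0.0-77.255.255.255.
BLOCK_77_ANY_ZONE = Rule("block 77/8 (any zone)", "*", "*",
                         IPv4Address("77.0.0.0"), IPv4Address("77.255.255.255"),
                         "*", "deny")

# The same block rule scoped WAN -> LAN, as suggested in the thread.
BLOCK_77_WAN_LAN = Rule("block 77/8 (WAN->LAN)", "WAN", "LAN",
                        IPv4Address("77.0.0.0"), IPv4Address("77.255.255.255"),
                        "*", "deny")


def compare_orderings() -> Dict[str, Tuple[str, str]]:
    """Evaluate the same inbound request under both table orderings.
    The source address 77.0.1.25 is the one quoted in the question; 203.0.113.7
    is a constructed address for an unrelated visitor."""
    pkt = ("WAN", "LAN", "77.0.1.25", "HTTP")
    # Table as the asker built it: the */* deny rule sinks below the allow rule.
    as_built = wildcard_zone_rules_last([BLOCK_77_ANY_ZONE, ALLOW_WEB])
    # Block rule placed first, ahead of the allow rule.
    block_first = [BLOCK_77_WAN_LAN, ALLOW_WEB]
    return {
        "as_built": first_match(as_built, *pkt),
        "block_first": first_match(block_first, *pkt),
        "other_visitor": first_match(block_first, "WAN", "LAN", "203.0.113.7", "HTTP"),
    }


if __name__ == "__main__":
    for label, result in compare_orderings().items():
        print(f"{label:14s} -> {result[0]} (by rule: {result[1]})")
```

With the table as originally built, the request from 77.0.1.25 is allowed because the WAN to LAN "allow web" rule is reached first; with the block rule at the top, the same request is denied while a visitor outside the range is still allowed. The evaluator stops at the first match, which is the behaviour both replies rely on.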