Blocking non-US IPs

A client is trying to implement a solution on how to block foreign IPs (non-US/Canada).  They currently have a Juniper Netscreen firewall, but it does not seem to have any options to do this.
The client has complained a couple of times of having a lot of junk packets from Russia, India, China, etc., and since they only conduct business within the US and Canada, they would like to block all other traffic.
Is there any practical way of accomplishing this?

Thanks in advance.

B H commented:
blocking them from what... exchange?  or their entire network?

i don't think there's a firewall out there that will let you specify the millions of ip addresses out there - or thousands if it allowed netmasks (
JPasic (Author) commented:
Sorry I forgot to mention that, but they want to block it from accessing their network completely, not just certain services.

At the firewall level it may be just about impossible mate, however a web server can do that without "too much" of a problem to some extent.

The simplest solution would be to have a web server which is the first point of entry to do a reverse lookup on the client and give a message stating access denied to those who are not allowed based on country of origin. This is similar to what many sites including TV sites do to block users from around the world.

However, do note that the bandwidth loss is constant, there will be no change to that. Also note that this will only handle traffic on port 80. And remember that this can be circumvented using a free / commercial proxy server based in the US. Remember, this applies only to HTTP requests and not any other port. Will only be useful if all other ports (besides 25 & 110) are blocked permanently at the firewall.

Simply put, there is no way to do this without blocking out the whole world and manually entering the IPs of the allowed clients only. That's the only way to "protect" the client.

If bandwidth is not a problem, a good software firewall / antivirus solution on the client PCs should suffice to keep their minds at ease.


JPasic (Author) commented:

Thanks for the insight.
The main problem is that they're trying to block access to the whole network, not just the webserver. If it were just the webserver, I believe this could have been easily accomplished by using .htaccess to exclude those blocks from accessing.
Sanga Collins (Systems Admin) commented:
Are you allowing these packets into the network? I hope not since that defaces the purpose of the firewall. What you can do however is create a global deny rule in the Juniper to block all incoming traffic. Then specifically allow trusted traffic into your network. You can also disable ping in the interface management services so that your public IP does not respond to echo requests from outside the network.
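The two approaches raised above (a country-of-origin check in front of the web server, and a firewall that denies everything and permits only an explicit allow-list) both need the same input: the set of prefixes registered to US and Canadian organizations. This is an added example, not code from any poster in the thread or from Juniper. It assumes the prefixes come from a file in the RIR "delegated-extended" layout (`registry|cc|type|start|value|date|status`), which is a real published format, but the records embedded below are constructed from documentation ranges, not real allocation data. The ScreenOS commands it renders (`set address`, `set group address`, `set policy`) use the syntax as assumed here; zone names, address names and the MIP are placeholders.

```python
"""Build a US/CA allow-list from RIR delegated-format records, check client
addresses against it, and render the result as a deny-all-then-permit rule set.

Added example, not code from the thread or from Juniper. Input format is the
RIR delegated-extended layout; the sample records are constructed.
"""
import ipaddress

# Constructed sample in delegated-extended layout (documentation ranges,
# not real allocations). Includes a version header and a summary line so the
# parser has to skip them, as it would on a real file.
SAMPLE_DELEGATED = """\
2|arin|20240101|6|19830101|20240101|-0500
arin|*|ipv4|*|5|summary
arin|US|ipv4|203.0.113.0|256|20240101|allocated
arin|CA|ipv4|198.51.100.0|128|20240101|assigned
apnic|CN|ipv4|192.0.2.0|256|20240101|allocated
ripencc|RU|ipv4|198.51.100.128|128|20240101|allocated
arin|US|ipv4|100.64.0.0|1024|20240101|allocated
arin|US|ipv6|2001:db8::|32|20240101|allocated
"""


def parse_delegated(text):
    """Yield (country_code, network) for every ipv4/ipv6 record.

    ipv4 records carry a start address and an address COUNT (not always a
    power of two), so each is summarized into one or more CIDR blocks;
    ipv6 records carry a prefix length directly.
    """
    for line in text.splitlines():
        fields = line.strip().split("|")
        if len(fields) < 5 or fields[2] not in ("ipv4", "ipv6"):
            continue                      # version header, comments, junk
        _registry, cc, family, start, value = fields[:5]
        if start == "*":
            continue                      # per-type summary line
        if family == "ipv4":
            first = ipaddress.IPv4Address(start)
            last = first + (int(value) - 1)
            for net in ipaddress.summarize_address_range(first, last):
                yield cc, net
        else:
            yield cc, ipaddress.IPv6Network(f"{start}/{value}")


def build_allowlist(text, countries=("US", "CA")):
    """Return the collapsed list of prefixes delegated to `countries`."""
    nets = [net for cc, net in parse_delegated(text) if cc in countries]
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    # collapse_addresses merges adjacent/overlapping blocks, one IP version at a time
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def is_allowed(client_ip, allowlist):
    """The web-server side check: True if client_ip is inside an allowed prefix."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in allowlist)


def render_screenos(allowlist, zone="Untrust", group="US-CA", mip="MIP(203.0.113.10)"):
    """Render IPv4 prefixes as ScreenOS commands (syntax assumed for this
    example): address-book entries, an address group, one permit policy for
    HTTP from that group to a placeholder MIP, then a logged deny-all.
    Policies match first-to-last, so the deny must come after the permit."""
    lines = []
    v4 = [n for n in allowlist if n.version == 4]
    for i, net in enumerate(v4, 1):
        name = f"allow-{group}-{i}"
        lines.append(f'set address {zone} "{name}" {net.network_address} {net.netmask}')
        lines.append(f'set group address {zone} "{group}" add "{name}"')
    lines.append(f'set policy from {zone} to Trust "{group}" {mip} HTTP permit log')
    lines.append(f"set policy from {zone} to Trust any any any deny log")
    return lines


if __name__ == "__main__":
    allow = build_allowlist(SAMPLE_DELEGATED)
    for ip in ("203.0.113.77", "198.51.100.200", "192.0.2.5", "2001:db8::1"):
        print(ip, "allowed" if is_allowed(ip, allow) else "denied")
    print("\n".join(render_screenos(allow)))
```

On the sample data the four input records for US/CA collapse to four prefixes, and 198.51.100.200 is denied even though the first half of that /24 is Canadian, because the registry splits the block at .128. Real delegated files produce thousands of prefixes per country and change as blocks are reassigned, which is the maintenance burden the thread describes; the point of generating the rule set from the published file is that a scheduled re-run replaces hand editing, and that a registration-country check still says nothing about traffic relayed through a host registered in an allowed country.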
If you are certain you can achieve the block via a .htaccess (I cannot comment on it), why don't you route everything via the webserver itself? That way you have no issues. From the physical router to the internal subnet, put the webserver in the middle instead of being a part of it via the switch.

However, a bit more intel would be great, mainly:

  1. How many public IPs are live and need access from the outside world?
  2. What is the actual configuration of the network? As in, what services need to be live from the internal network (which ports need to be open to the world)?
  3. What ports does the blanket spamming take place on? Or is it just a port scanner scanning all available ports for security holes?
  4. Are the spammer IP addresses constant? Can you just block those specific ranges in the firewall?
@sangamc - from what I gather the webserver needs to be public, albeit only for North American users, and thus a blanket ban might not really be possible in this instance.

B H commented:
the simple fact is, there's millions of infected machines out there doing port scans on billions of ip addresses.  there's thousands of malicious users actively trying to break into things too.

if you have a public ip address, people are going to bang on it trying to get in.

no firewall should be so crappy that it actually slows you down by blocking these attempts - if it does, you need a new firewall.

triple check the configuration of your firewall, test it, and trust your firewall.  let the foreigners bang on it, it doesn't matter as long as the firewall does its job.

for the services that people need to get TO on your network (email, web, remote desktop, etc) lock them down at the application level if you want... but this is exactly like plugging holes in a crumbling dam.  you're going to spend your whole life adding ip addresses as they change, get allocated to overseas, come back to the states, etc.

your upstream ISP might block the routes at their level if you give them a list of ip ranges, but it's going to be a really, really big list and they'll probably say NO.

change the firewall password so the client can't even see the attempts and tell them everything's fine

