Gene Weeg

Block unnecessary traffic by country

I would like to block traffic that comes to our public-facing IP by country. I have recently been inundated by unnecessary traffic from Russia and North Korea. Is there a device out there that can elevate the pain by unwanted traffic knocking on my front door? Looking at blocking by country if at all possible.

Attached is my simple topology (IMG_7536.jpg).
Routers, Hardware Firewalls, Networking, Security

kevinhsieh

Many firewalls with an active subscription have a database of IPs by country so that you can block by country.

I actually permit only my country, and block everything else by default. 
ASKER CERTIFIED SOLUTION
Lee W, MVP

kevinhsieh

Okay, I do allow SMTP inbound before I block everything else that isn't my country. One could argue that you should block Russian and North Korean mail anyway.  ;-)
Gene Weeg

ASKER

If I went with the z4w Untangle appliance would that sit outside my Cisco RV340 or replace it?
kevinhsieh

A firewall could conceivably be in front of, behind, or replace the RV340. Kind of depends on what the RV340 is doing.
Firewalls replaced my routers.
Gene Weeg

ASKER

I love the Untangle solution and it seems to give me some bang for my buck, but I would do a disservice if I didn't ask if there were other comparable options that any of you have also tried?
SOLUTION
Lee W, MVP

Gene Weeg

ASKER

On the Untangle z4 Plus what is the difference between:

My only concern from what I saw looking at it is the throughput net speed.
 
Firewall Throughput: 950 Mbps
NGFW Throughput**: 500 Mbps

Dr. Klahn

Take an older PC ready to be replaced with something newer. Install two identical network cards in the machine. Load any kind of Linux - Debian is my favorite. Install xtables-addons and then subscribe to a geoIP blocking list.

Then for an "accept" setup:

# RULES BEGIN ============================================

# ==== CA -- Canada
$iptloc -t filter -A $chname -p tcp -m geoip --src-cc CA -j RETURN

# ==== GB - Great Britain
$iptloc -t filter -A $chname -p tcp -m geoip --src-cc GB -j RETURN

# ==== US -- USA
$iptloc -t filter -A $chname -p tcp -m geoip --src-cc US -j RETURN

# If here, no accept was matched.  Reject the packet.
$iptloc -t filter -A $chname -j REJECT

# RULES END ============================================

For a "reject" setup, change the IANA country code as necessary, change RETURN to REJECT, and fall through at the end instead of rejecting.  The disadvantage of a "reject" setup is that there are so many country codes that are undesirable, and the list goes on and on.

Note that more rules are required to select the incoming interface and forward the traffic from interface A to interface B.  This is an illustration, not a working example.

I consider this to be much easier to maintain than a special-purpose firewall / router.
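A fuller version of the allowlist sketched above, as an added example that is not part of the original post: it only prints an iptables-restore ruleset that selects the incoming interface, forwards between the two cards, and lets inbound SMTP through before the country check, as described earlier in the thread. The chain name GEOALLOW, the interface names eth0/eth1, the port list and the helper gen_geo_ruleset are assumptions; xtables-addons and a country database must already be installed.

```shell
#!/bin/sh
# Added example: print (not apply) an iptables-restore ruleset for a
# country allowlist on a two-interface Linux filter box.
# Assumed names, not from the thread: chain GEOALLOW, eth0 (outside), eth1 (inside).

# usage: gen_geo_ruleset WAN_IF LAN_IF "CC ..." "TCP_PORT ..."
gen_geo_ruleset() {
    wan=$1 lan=$2 countries=$3 ports=$4
    geo_rules= svc_rules=
    for cc in $countries; do
        case $cc in
            [[:upper:]][[:upper:]]) ;;
            *) echo "invalid country code: $cc" >&2; return 1 ;;
        esac
        # One RETURN rule per allowed source country, as in the post above.
        geo_rules="${geo_rules}-A GEOALLOW -m geoip --src-cc $cc -j RETURN
"
    done
    # An empty allowlist would reject every inbound connection; refuse it.
    [ -n "$geo_rules" ] || { echo "empty country allowlist" >&2; return 1; }
    for port in $ports; do
        case $port in
            ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
        esac
        svc_rules="${svc_rules}-A FORWARD -i $wan -o $lan -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
"
    done
    cat <<EOF
*filter
:FORWARD DROP [0:0]
:GEOALLOW - [0:0]
# Replies to established connections skip the country check.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Inside hosts may open connections to any country.
-A FORWARD -i $lan -o $wan -j ACCEPT
# Inbound SMTP is accepted before the country filter.
-A FORWARD -i $wan -o $lan -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
# All other new inbound connections must pass the country allowlist.
-A FORWARD -i $wan -o $lan -m conntrack --ctstate NEW -j GEOALLOW
${svc_rules}${geo_rules}# No allowed country matched: reject.
-A GEOALLOW -j REJECT
COMMIT
EOF
}
```

Review the printed rules and pass them through `iptables-restore --test` before loading them; loading replaces the existing filter table.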
noci

That said, you will have to trust the data supplier about what country has the GEO location of an endpoint.
I happen to have an address that 2 years ago belonged to a CZ-based hoster. Other customers from the SAME ISP complain to various providers of services (Sonos, for example) that still think the address belongs to CZ or even Dubai, where it is clearly NL, which is advertised by the ISP as such (and actively pursued as far as possible).

Be sure you get up-to-date databases or database services; addresses/ranges DO migrate across borders (and may even be advertised in different parts than they are actually used; VPN, anyone?).