BALTAGY (ESET Insiders), posted December 14, 2019
Hi, what's the max number of IP addresses I can use in a single firewall rule? When I try to block many IP addresses the rule becomes like this pic and it doesn't work. When I make the number of IP addresses smaller it works. Not sure if it's a bug? ESET Internet Security v13.0.24
itman, posted December 14, 2019
Add a new Firewall Zone. Title it "Blocked IP Addresses" or whatever. Add all your IP addresses there. Then specify this new Zone in the firewall rule and see if that works.
Edited December 14, 2019 by itman
BALTAGY (ESET Insiders, author), posted December 14, 2019
3 minutes ago, itman said: Add a new Firewall Zone. Title it "Blocked IP Addresses" or whatever. Add all your IP addresses there. Then specify this new Zone in the firewall rule and see if that works.
That's what I did; the pic above is from the zone rule. The same problem happens as a rule or as a zone.
Edited December 14, 2019 by BALTAGY
SRT, posted December 14, 2019
Looks funny, but it did show it was blocking.
itman, posted December 14, 2019
1 hour ago, BALTAGY said: That's what I did; the pic above is from the zone rule. The same problem happens as a rule or as a zone.
How many IP addresses did you add? There may very well be a limit to the number a firewall rule can handle. This can be simply resolved by splitting the IP addresses in half and creating two firewall rules instead of one.
Edited December 14, 2019 by itman
BALTAGY (ESET Insiders, author), posted December 14, 2019
8 minutes ago, itman said: How many IP addresses did you add? There may very well be a limit to the number a firewall rule can handle. This can be simply resolved by splitting the IP addresses in half and creating two firewall rules instead of one.
The rule gets broken after 942 IPs.
itman, posted December 14, 2019
4 minutes ago, BALTAGY said: The rule gets broken after 942 IPs.
I would say this is a bit excessive. Suggest you sort your IP addresses in ascending order. Then create a range specification for IP addresses in a common range; e.g. 201.155.0.0 - 201.155.255.255.
BALTAGY (ESET Insiders, author), posted December 14, 2019
13 minutes ago, itman said: I would say this is a bit excessive. Suggest you sort your IP addresses in ascending order. Then create a range specification for IP addresses in a common range; e.g. 201.155.0.0 - 201.155.255.255.
It will take a very long time to do so. What made me want to add this IP list is that one of the IPs, 185.156.177.234, tried to hack me via VNC and ESET blocked it, so I found an IP list, https://malwareworld.com/textlists/suspiciousIPs.txt, that I would like to block.

Time;Event;Action;Source;Target;Protocol;Rule/worm name;Application;User
11/12/2019 10:53:58 PM;Security vulnerability exploitation;Blocked;185.156.177.234:1550xxxxxxxxxxxxx;TCP;Botnet.CnC.Generic;C:\Program Files\RealVNC\VNC Server\vncserver.exe;NT AUTHORITY\SYSTEM

Edited December 14, 2019 by BALTAGY
itman, posted December 14, 2019
2 hours ago, BALTAGY said: It will take a very long time to do so.
Take the malwareworld.com list and strip off the comments, creating a new .txt file. Then open Eset's Web access protection -> URL Address Management -> Address list -> List of blocked addresses. Click on the Edit tab. Click on the Import tab and select the new file you just created. All those IP addresses will be auto-created for you. You can also specify whether a log entry is to be created for blocked activity and/or whether Eset should alert you when an IP address is blocked. Alternatively, you can create your own blocked address list if you don't want to use the Eset default one. As far as I am aware, Eset's Web Access protection monitors anything that connects to the Internet, not just web browsers.
Edited December 14, 2019 by itman
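The three pieces of advice in this thread (strip the comments out of the downloaded text list, sort the addresses and collapse adjacent ones into ranges, and split the result across several rules so no single rule gets too large) are mechanical enough to script. The following is an added example, not ESET's code and not something any poster supplied; it assumes a plain-text feed with one IPv4 address per line and `#` comments, uses a small constructed sample instead of the real malwareworld.com file, and treats the per-rule cap as a parameter (the thread reports the rule breaking after 942 entries, so that figure is used only as a default).

```python
"""Prepare a commented IP block-list for import into per-rule firewall entries.

Added example (not ESET's or the forum posters' code). Assumes a text feed
with one IPv4 address per line and '#' comments. Output ranges use the
"first-last" form itman suggests; everything else is an assumption.
"""
import ipaddress

# Constructed sample in the style of a suspicious-IP feed (not real data).
SAMPLE_LIST = """\
# suspicious IPs - constructed sample for the example
185.156.177.234   # address that probed VNC in the thread's log line
201.155.0.1
201.155.0.2
201.155.0.3
201.155.0.4
10.0.0.9
10.0.0.9          # duplicate entry, should be dropped
not-an-address    # junk line, should be skipped not fatal
"""

# Cap reported in the thread; treated here as a tunable default.
DEFAULT_MAX_PER_RULE = 942


def parse_ip_list(text):
    """Strip comments and blanks, drop duplicates and invalid lines,
    and return the remaining IPv4 addresses sorted ascending."""
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # everything after '#' is a comment
        if not line:
            continue
        try:
            seen.add(ipaddress.IPv4Address(line))
        except ipaddress.AddressValueError:
            continue                            # skip junk rather than abort the import
    return sorted(seen)                         # IPv4Address sorts numerically


def collapse_ranges(addrs):
    """Merge runs of consecutive addresses into (first, last) pairs.
    Singletons become (a, a). Input must be sorted and de-duplicated."""
    ranges = []
    for addr in addrs:
        if ranges and int(addr) == int(ranges[-1][1]) + 1:
            ranges[-1] = (ranges[-1][0], addr)  # extend the current run
        else:
            ranges.append((addr, addr))         # start a new run
    return ranges


def format_range(first, last):
    """Render a pair in the 'first-last' notation a firewall rule accepts,
    or a bare address when the run has length one."""
    return str(first) if first == last else f"{first}-{last}"


def chunk_rules(entries, max_per_rule=DEFAULT_MAX_PER_RULE):
    """Split the entry list into groups of at most max_per_rule, one group per
    firewall rule, so no single rule exceeds the cap."""
    if max_per_rule < 1:
        raise ValueError("max_per_rule must be at least 1")
    return [entries[i:i + max_per_rule] for i in range(0, len(entries), max_per_rule)]


def build_rules(text, max_per_rule=DEFAULT_MAX_PER_RULE):
    """End-to-end: feed text -> list of rules, each a list of range strings."""
    ranges = collapse_ranges(parse_ip_list(text))
    return chunk_rules([format_range(a, b) for a, b in ranges], max_per_rule)


if __name__ == "__main__":
    for n, rule in enumerate(build_rules(SAMPLE_LIST, max_per_rule=2), start=1):
        print(f"Rule {n}: {', '.join(rule)}")
```

Run against the real feed by reading the downloaded file into `build_rules` in place of `SAMPLE_LIST`; each returned group is one rule's worth of remote-address entries. Collapsing only merges strictly consecutive addresses, so it never widens the block beyond what the list actually contained, which is the safe default for a block-list.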
BALTAGY (ESET Insiders, author), posted December 14, 2019
6 minutes ago, itman said: Take the malwareworld.com list and strip off the comments, creating a new .txt file. Then open Eset's Web access protection -> URL Address Management -> Address list -> List of blocked addresses. Click on the Edit tab. Click on the Import tab and select the new file you just created. All those IP addresses will be auto-created for you. You can also specify whether a log entry is to be created for blocked activity and/or whether Eset should alert you when an IP address is blocked. Alternatively, you can create your own blocked address list if you don't want to use the Eset default one. As far as I am aware, Eset's Web Access protection monitors anything that connects to the Internet, not just web browsers.
Web access only works with URLs, not IPs.
itman, posted December 14, 2019
1 hour ago, BALTAGY said: Web access only works with URLs, not IPs.
Oops! Forgot about that. You would think by now Eset would have added list and import capability to the firewall.
BALTAGY (ESET Insiders, author), posted December 14, 2019
Just now, itman said: Oops! Forgot about that. You would think by now Eset would have added list and import capability to the firewall.
Ya, and the ability to add long lists would be great.
SRT, posted December 15, 2019
18 hours ago, itman said: Oops! Forgot about that. You would think by now Eset would have added list and import capability to the firewall.
I tried it; it worked for me. Entered all IPs as you instructed above, and it blocked, saying: blocked by user list.
itman, posted December 15, 2019
1 hour ago, SRT said: I tried it; it worked for me. Entered all IPs as you instructed above, and it blocked, saying: blocked by user list.
How did you test? I suspect that if one enters, for example, https:://xxx.xxx.xxx.xxx, then an IP address block will work. However, if you connect via a URL, for example https://malwaredomain.com, the block-list IP address associated with that URL will not be blocked. Now a lot of reverse shells deployed by malware do use the https:://xxx.xxx.xxx.xxx specification. So creating an IP-based list would have some benefit.
Edited December 15, 2019 by itman
BALTAGY (ESET Insiders, author), posted December 15, 2019
2 hours ago, SRT said: I tried it; it worked for me. Entered all IPs as you instructed above, and it blocked, saying: blocked by user list.
It will only block the URL. If this IP tries to connect to you any other way it won't be blocked, but if you block it via the firewall you can block it completely.
SRT, posted December 15, 2019
1 hour ago, itman said: How did you test?
Copied and pasted the IP in the browser. I noticed it changed to https:://xxx.xxx.xxx.xxx with the https::// in front. Said it was blocked. So it is only blocked outbound, not inbound?
itman, posted December 15, 2019
43 minutes ago, SRT said: So it is only blocked outbound, not inbound?
Correct. Only way to do so inbound is by firewall rule - remote IP address specification.
Edited December 15, 2019 by itman
SRT, posted December 15, 2019
23 minutes ago, itman said: Correct. Only way to do so inbound is by firewall rule - remote IP address specification.
I did cut the list in half and made 2 firewall rules; it looks normal now, not muddied up like in the screenshot. Thanks.
itman, posted December 15, 2019
The question is the performance impact of having the firewall parse through 1000 or so IP addresses?
BALTAGY (ESET Insiders, author), posted December 15, 2019
Just now, itman said: The question is the performance impact of having the firewall parse through 1000 or so IP addresses?
The list has 195747 IPs 😁
SRT, posted December 15, 2019
My list is not that big, maybe a couple of hundred in each rule (2 rules). No impact noticeable.