Firewall rule Max ip addresses




Hi,

What's the max number of IP addresses I can use in a single firewall rule? When I try to block many IP addresses the rule becomes like this pic and it doesn't work:
[attachment: Snap2.jpg]

When I reduce the number of IP addresses it works.

Not sure if it's a bug? ESET Internet Security v13.0.24


Add a new Firewall Zone. Title it "Blocked IP Addresses" or whatever. Add all your IP addresses there. Then specify this new Zone in the firewall rule and see if that works.

Edited by itman

3 minutes ago, itman said:

Add a new Firewall Zone. Title it "Blocked IP Addresses" or whatever. Add all your IP addresses there. Then specify this new Zone in the firewall rule and see if that works.

That's what I did; the pic above is from the zone rule.

The same problem happens as a rule or as a zone.

Edited by BALTAGY

1 hour ago, BALTAGY said:

That's what I did; the pic above is from the zone rule.

The same problem happens as a rule or as a zone.

How many IP addresses did you add? There may very well be a limit to the number a firewall rule can handle. This can be simply resolved by splitting the IP addresses in half and creating two firewall rules instead of one.

Edited by itman

8 minutes ago, itman said:

How many IP addresses did you add? There may very well be a limit to the number a firewall rule can handle. This can be simply resolved by splitting the IP addresses in half and creating two firewall rules instead of one.

The rule gets broken after 942 IPs.


4 minutes ago, BALTAGY said:

The rule gets broken after 942 IPs.

I would say this is a bit excessive. Suggest you sort your IP addresses in ascending order. Then create a range specification for IP addresses in a common range, e.g. 201.155.0.0 - 201.155.255.255.


13 minutes ago, itman said:

I would say this is a bit excessive. Suggest you sort your IP addresses in ascending order. Then create a range specification for IP addresses in a common range, e.g. 201.155.0.0 - 201.155.255.255.

It will take a very long time to do so.

What made me want to add this IP list is that one of the IPs, 185.156.177.234, tried to hack me via VNC and ESET blocked it, so I found an IP list, https://malwareworld.com/textlists/suspiciousIPs.txt, that I would like to block:

Time;Event;Action;Source;Target;Protocol;Rule/worm name;Application;User
11/12/2019 10:53:58 PM;Security vulnerability exploitation;Blocked;185.156.177.234:1550xxxxxxxxxxxxx;TCP;Botnet.CnC.Generic;C:\Program Files\RealVNC\VNC Server\vncserver.exe;NT AUTHORITY\SYSTEM

 

Edited by BALTAGY

2 hours ago, BALTAGY said:

It will take a very long time to do so

Take the malwareworld.com list and strip off the comments creating a new .txt file.

Then open Eset's Web access protection -> URL Address Management -> Address list -> List of blocked address. Click on the Edit tab. Click on the Import tab and select the new file you just previously created. All those IP addresses will be auto created for you. You can also specify if a log entry is to be created for blocked activity and/or to be alerted by Eset when an IP address is blocked. Alternatively, you can create your own blocked address list if you don't want to use the Eset default one.

As far as I am aware of, Eset's Web Access protection monitors anything that connects to the Internet; not just web browsers.

Edited by itman
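The manual steps suggested earlier in this thread (strip the comments off the downloaded list, sort the addresses, collapse runs of consecutive addresses into range specifications, and split the result across several rules so no single rule holds more entries than the firewall copes with) can be automated. The script below is an added example, not code from this thread or from ESET. It assumes a plain text list with one address per line and `#` comments, in the style of the malwareworld.com file; the embedded sample list is constructed from documentation address ranges, and the 900-entries-per-rule cap is a constructed safety margin under the 942 at which BALTAGY's rule broke, not a limit documented by ESET.

```python
import ipaddress
from typing import List, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample in the style of a one-address-per-line block list with
# '#' comments. Assumption: this is NOT the real malwareworld.com file;
# documentation ranges (RFC 5737 / RFC 3849) are used so nothing here points
# at a real host.
SAMPLE_LIST = """\
# suspicious IPs - constructed sample
203.0.113.0
203.0.113.1
203.0.113.2
203.0.113.3
203.0.113.4      # trailing comment
198.51.100.7
198.51.100.6
203.0.113.0      # duplicate on purpose
not-an-ip        # junk line that must not abort the import
2001:db8::1
192.0.2.128
192.0.2.129
"""

# Constructed margin under the 942-entry point at which the rule broke in
# this thread; not a limit documented by ESET.
DEFAULT_MAX_PER_RULE = 900


def parse_ip_list(text: str) -> List[IPAddr]:
    """Strip comments and blank lines, drop duplicates and unparsable entries,
    and return the addresses sorted (IPv4 first, then IPv6, ascending)."""
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            seen.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # skip junk instead of failing the whole list
    return sorted(seen, key=lambda a: (a.version, int(a)))


def collapse_to_ranges(addrs: List[IPAddr]) -> List[IPNet]:
    """Merge runs of consecutive addresses into the minimal set of CIDR
    networks. collapse_addresses() refuses mixed versions, so IPv4 and IPv6
    are collapsed separately and concatenated."""
    v4 = [a for a in addrs if a.version == 4]
    v6 = [a for a in addrs if a.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def to_rule_entries(nets: List[IPNet]) -> List[str]:
    """Render each network in the 'first - last' range form used in the
    thread; a single address is rendered on its own."""
    entries = []
    for net in nets:
        if net.num_addresses == 1:
            entries.append(str(net.network_address))
        else:
            entries.append(f"{net.network_address} - {net.broadcast_address}")
    return entries


def chunk_rules(entries: List[str], max_per_rule: int = DEFAULT_MAX_PER_RULE) -> List[List[str]]:
    """Split the entries into consecutive groups, one group per firewall rule."""
    if max_per_rule < 1:
        raise ValueError("max_per_rule must be positive")
    return [entries[i:i + max_per_rule] for i in range(0, len(entries), max_per_rule)]


def build_rules(text: str, max_per_rule: int = DEFAULT_MAX_PER_RULE) -> List[List[str]]:
    """End to end: raw list text -> per-rule lists of range entries."""
    return chunk_rules(to_rule_entries(collapse_to_ranges(parse_ip_list(text))), max_per_rule)


if __name__ == "__main__":
    addrs = parse_ip_list(SAMPLE_LIST)
    rules = build_rules(SAMPLE_LIST, max_per_rule=2)  # tiny cap just to show the split
    print(f"{len(addrs)} addresses -> {sum(len(r) for r in rules)} entries in {len(rules)} rules")
    for n, rule in enumerate(rules, 1):
        print(f"rule {n}:")
        for entry in rule:
            print("   ", entry)
```

Run against the real downloaded file by replacing `SAMPLE_LIST` with the file's contents; each inner list is then one rule's worth of entries to paste into the remote-address field. Collapsing before chunking is what keeps the rule count manageable: scattered single addresses stay as they are, but contiguous runs (the case itman's 201.155.0.0 - 201.155.255.255 example covers) become one entry each.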

6 minutes ago, itman said:

Take the malwareworld.com list and strip off the comments creating a new .txt file.

Then open Eset's Web access protection -> URL Address Management -> Address list -> List of blocked address. Click on the Edit tab. Click on the Import tab and select the new file you just previously created. All those IP addresses will be auto created for you. You can also specify if a log entry is to be created for blocked activity and/or to be alerted by Eset when an IP address is blocked. Alternatively, you can create your own blocked address list if you don't want to use the Eset default one.

As far as I am aware of, Eset's Web Access protection monitors anything that connects to the Internet; not just web browsers.

Web access only works with URLs, not IPs.


1 hour ago, BALTAGY said:

Web access only works with URLs, not IPs.

Oops! Forgot about that.

You would think by now Eset would have added list and import capability to the firewall.


Just now, itman said:

Oops! Forgot about that.

You would think by now Eset would have added list and import capability to the firewall.

Ya, and the ability to add long lists would be great.


18 hours ago, itman said:

Oops! Forgot about that.

You would think by now Eset would have added list and import capability to the firewall.

I tried it, worked for me.

Entered all IPs as you instructed above, and it blocked; it said: blocked by user list.


1 hour ago, SRT said:

I tried it, worked for me.

Entered all IPs as you instructed above, and it blocked; it said: blocked by user list.

How did you test?

I suspect if one enters for example https:://xxx.xxx.xxx.xxx, then an IP address block will work. However if you connect via a URL for example https://malwaredomain.com, the block list IP address associated with that URL will not be blocked.

Now a lot of reverse shells deployed by malware do use https:://xxx.xxx.xxx.xxx specification. So creating an IP based list would have some benefit.

Edited by itman

2 hours ago, SRT said:

I tried it, worked for me.

Entered all IPs as you instructed above, and it blocked; it said: blocked by user list.

It will only block the URL; if this IP tries to connect to you in any other way it won't be blocked, but if you block it via the firewall you can block it completely.


1 hour ago, itman said:

How did you test?

Copied and pasted the IP in the browser.

I noticed it changed to https:://xxx.xxx.xxx.xxx with the https::// in front. Said it was blocked.

So it is only blocked outbound, not inbound?


43 minutes ago, SRT said:

So it is only blocked outbound, not inbound?

Correct. Only way to do so inbound is by firewall rule - remote IP address specification.

Edited by itman

23 minutes ago, itman said:

Correct. Only way to do so inbound is by firewall rule - remote IP address specification.

I did cut the list in half and made 2 firewall rules; it looks normal now, not muddied up like in the screenshot.

Thanks.


Just now, itman said:

The question is the performance impact of having the firewall parse through 1000 or so IP addresses?

The list has 195747 IPs 😁

