BALTAGY

Firewall rule Max ip addresses


Hi,

What's the max number of IP addresses I can use in a single firewall rule? When I try to block many IP addresses the rule becomes like this pic and it doesn't work.
Snap2.jpg

When I make the number of IP addresses smaller it works.

Not sure if it's a bug? ESET Internet Security v13.0.24


Add a new Firewall Zone. Title it "Blocked IP Addresses" or whatever. Add all your IP addresses there. Then specify this new Zone in the firewall rule and see if that works.

Edited by itman

3 minutes ago, itman said:

Add a new Firewall Zone. Title it "Blocked IP Addresses" or whatever. Add all your IP addresses there. Then specify this new Zone in the firewall rule and see if that works.

That's what I did, the pic above is from the zone rule.

The same problem happens as a rule or as a zone.

Edited by BALTAGY

1 hour ago, BALTAGY said:

That's what I did, the pic above is from the zone rule.

The same problem happens as a rule or as a zone.

How many IP addresses did you add? There may very well be a limit to the number a firewall rule can handle. This can be simply resolved by splitting the IP addresses in half and creating two firewall rules instead of one.

Edited by itman

8 minutes ago, itman said:

How many IP addresses did you add? There may very well be a limit to the number a firewall rule can handle. This can be simply resolved by splitting the IP addresses in half and creating two firewall rules instead of one.

The rule gets broken after 942 IPs.

4 minutes ago, BALTAGY said:

The rule gets broken after 942 IPs.

I would say this is a bit excessive. Suggest you sort your IP addresses in ascending order. Then create a range specification for IP addresses in a common range; e.g. 201.155.0.0 - 201.155.255.255.

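The sort-and-collapse work suggested above is exactly what a short script does well. The following is an added example for this thread, not ESET code or code posted by anyone in it. It assumes the downloaded list is one IPv4 address per line with `#` comment lines (an assumption about the file format), strips the comments, deduplicates, merges runs of consecutive addresses into CIDR blocks, renders each block as the "first - last" range form the firewall UI accepts, and finally splits the result into groups no larger than a per-rule cap (the 942-entry figure reported in this thread). The sample list is constructed and uses documentation address ranges.

```python
"""Collapse a plain-text IPv4 block list into ranges and split it into
rule-sized chunks (added example; not ESET code)."""
import ipaddress
from typing import Iterable, List

# Constructed sample list: comment lines, a duplicate, a malformed entry and
# two runs of consecutive addresses that should collapse into CIDR blocks.
SAMPLE_LIST = """\
# suspicious IPs (constructed sample, not the real malwareworld list)
203.0.113.0
203.0.113.1
203.0.113.2
203.0.113.3
203.0.113.3
198.51.100.10
198.51.100.11
192.0.2.77
not-an-ip
"""

RULE_CAP = 942  # entries per rule before the UI broke, per this thread


def parse_ip_list(text: str) -> List[ipaddress.IPv4Address]:
    """Strip comments and blank lines, skip malformed entries, dedupe, sort."""
    addrs = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing or whole-line comments
        if not line:
            continue
        try:
            addrs.add(ipaddress.IPv4Address(line))
        except ipaddress.AddressValueError:
            continue  # skip junk instead of aborting the whole import
    return sorted(addrs)


def collapse_to_networks(addrs: Iterable[ipaddress.IPv4Address]) -> List[ipaddress.IPv4Network]:
    """Merge adjacent addresses into the smallest set of CIDR blocks."""
    return list(ipaddress.collapse_addresses(ipaddress.IPv4Network(str(a)) for a in addrs))


def network_to_range(net: ipaddress.IPv4Network) -> str:
    """Render a CIDR block as a single IP or as 'first - last' for the firewall UI."""
    if net.num_addresses == 1:
        return str(net.network_address)
    return f"{net.network_address} - {net.broadcast_address}"


def chunk_rules(entries: List[str], cap: int = RULE_CAP) -> List[List[str]]:
    """Split entries into consecutive groups of at most `cap`, one group per rule."""
    return [entries[i:i + cap] for i in range(0, len(entries), cap)]


def build_rules(text: str, cap: int = RULE_CAP) -> List[List[str]]:
    """Full pipeline: raw list text -> list of per-rule entry lists."""
    nets = collapse_to_networks(parse_ip_list(text))
    return chunk_rules([network_to_range(n) for n in nets], cap)


if __name__ == "__main__":
    # cap=2 just to show the chunking on the tiny sample
    for i, rule in enumerate(build_rules(SAMPLE_LIST, cap=2), 1):
        print(f"Rule {i}: {rule}")
```

On the sample the seven distinct addresses collapse to three entries, so the real saving on a list of tens of thousands of addresses depends on how many of them fall in contiguous blocks; the chunking step is what keeps each rule under the limit regardless.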
13 minutes ago, itman said:

I would say this is a bit excessive. Suggest you sort your IP addresses in ascending order. Then create a range specification for IP addresses in a common range; e.g. 201.155.0.0 - 201.155.255.255.

It will take a very long time to do so.

What made me want to add this IP list is that one of the IPs, 185.156.177.234, tried to hack me via VNC and ESET blocked it, so I found an IP list https://malwareworld.com/textlists/suspiciousIPs.txt I would like to block:

Time;Event;Action;Source;Target;Protocol;Rule/worm name;Application;User
11/12/2019 10:53:58 PM;Security vulnerability exploitation;Blocked;185.156.177.234:1550xxxxxxxxxxxxx;TCP;Botnet.CnC.Generic;C:\Program Files\RealVNC\VNC Server\vncserver.exe;NT AUTHORITY\SYSTEM


Edited by BALTAGY

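The log line quoted above is the semicolon-separated export format of the ESET firewall log, with a header row naming the columns. The following is an added example for this thread, not ESET code or code posted by anyone in it, showing how to parse that export and pull out the remote addresses behind blocked events, which is the natural source for a block list like the one being built here. The header row is the one quoted in the thread; the data rows are constructed, with the Target column filled in with placeholder values (the quoted row had it redacted) and documentation address ranges in place of real ones.

```python
"""Parse an ESET firewall log export and summarize blocked remote addresses
(added example; not ESET code)."""
import csv
import io
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Header row exactly as quoted in the thread.
HEADER = "Time;Event;Action;Source;Target;Protocol;Rule/worm name;Application;User"

# Constructed sample rows modelled on that header. The third row is a made-up
# allowed event so the filter below has something to exclude.
SAMPLE_LOG = HEADER + "\n" + "\n".join([
    "11/12/2019 10:53:58 PM;Security vulnerability exploitation;Blocked;203.0.113.45:15504;192.0.2.10:5900;TCP;Botnet.CnC.Generic;C:\\Program Files\\RealVNC\\VNC Server\\vncserver.exe;NT AUTHORITY\\SYSTEM",
    "11/12/2019 10:54:02 PM;Security vulnerability exploitation;Blocked;203.0.113.45:15510;192.0.2.10:5900;TCP;Botnet.CnC.Generic;C:\\Program Files\\RealVNC\\VNC Server\\vncserver.exe;NT AUTHORITY\\SYSTEM",
    "11/12/2019 11:01:17 PM;Constructed allowed event;Allowed;198.51.100.7:443;192.0.2.10:51234;TCP;Constructed allow rule;C:\\Program Files\\Browser\\browser.exe;HOST\\user",
])


def parse_log(text: str) -> List[Dict[str, str]]:
    """Read the semicolon-separated export into one dict per event, keyed by header."""
    reader = csv.DictReader(io.StringIO(text), delimiter=";")
    return list(reader)


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """Split an IPv4 'address:port' field; the port is optional and may be absent."""
    host, sep, port = endpoint.rpartition(":")
    if not sep:
        return endpoint, None
    return host, int(port) if port.isdigit() else None


def blocked_hits(rows: List[Dict[str, str]]) -> Dict[str, int]:
    """Count Blocked events per remote address (the Source column)."""
    counts: Counter = Counter()
    for row in rows:
        if row.get("Action") != "Blocked":
            continue
        ip, _port = split_endpoint(row["Source"])
        counts[ip] += 1
    return dict(counts)


def block_list_lines(rows: List[Dict[str, str]]) -> List[str]:
    """Distinct blocked remote addresses, one per line, ready for a firewall zone."""
    return sorted(blocked_hits(rows))


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ip, n in blocked_hits(events).items():
        print(f"{ip}: {n} blocked event(s)")
    print("\n".join(block_list_lines(events)))
```

Only the Source column is consulted, because in the quoted event it is the remote side; an export that also contains outbound blocks would need the Target column checked as well.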
2 hours ago, BALTAGY said:

It will take a very long time to do so.

Take the malwareworld.com list and strip off the comments, creating a new .txt file.

Then open Eset's Web access protection -> URL Address Management -> Address list -> List of blocked addresses. Click on the Edit tab. Click on the Import tab and select the new file you just created. All those IP addresses will be auto-created for you. You can also specify if a log entry is to be created for blocked activity and/or if you are to be alerted by Eset when an IP address is blocked. Alternatively, you can create your own blocked address list if you don't want to use the Eset default one.

As far as I am aware, Eset's Web Access protection monitors anything that connects to the Internet, not just web browsers.

Edited by itman

6 minutes ago, itman said:

Take the malwareworld.com list and strip off the comments, creating a new .txt file.

Then open Eset's Web access protection -> URL Address Management -> Address list -> List of blocked addresses. Click on the Edit tab. Click on the Import tab and select the new file you just created. All those IP addresses will be auto-created for you. You can also specify if a log entry is to be created for blocked activity and/or if you are to be alerted by Eset when an IP address is blocked. Alternatively, you can create your own blocked address list if you don't want to use the Eset default one.

As far as I am aware, Eset's Web Access protection monitors anything that connects to the Internet, not just web browsers.

Web access only works with URLs, not IPs.

1 hour ago, BALTAGY said:

Web access only works with URLs, not IPs.

Oops! Forgot about that.

You would think by now Eset would have added a list and import capability to the firewall.

Just now, itman said:

Oops! Forgot about that.

You would think by now Eset would have added a list and import capability to the firewall.

Ya, and the ability to add long lists would be great.

18 hours ago, itman said:

Oops! Forgot about that.

You would think by now Eset would have added a list and import capability to the firewall.

I tried it, worked for me.

Entered all IPs as you instructed above, and it blocked; it said: blocked by user list.

1 hour ago, SRT said:

I tried it, worked for me.

Entered all IPs as you instructed above, and it blocked; it said: blocked by user list.

How did you test?

I suspect if one enters, for example, https://xxx.xxx.xxx.xxx, then an IP address block will work. However, if you connect via a URL, for example https://malwaredomain.com, the block list IP address associated with that URL will not be blocked.

Now a lot of reverse shells deployed by malware do use the https://xxx.xxx.xxx.xxx specification. So creating an IP-based list would have some benefit.

Edited by itman

2 hours ago, SRT said:

I tried it, worked for me.

Entered all IPs as you instructed above, and it blocked; it said: blocked by user list.

It will only block the URL; if this IP tries to connect to you any other way it won't be blocked, but if you block it via the firewall you can block it completely.

1 hour ago, itman said:

How did you test?

Copied and pasted the IP in the browser.

I noticed it changed to https://xxx.xxx.xxx.xxx with the https:// in front. It said it was blocked.

So it is only blocked outbound, not inbound?

43 minutes ago, SRT said:

So it is only blocked outbound, not inbound?

Correct. The only way to do so inbound is by a firewall rule - remote IP address specification.

Edited by itman

23 minutes ago, itman said:

Correct. The only way to do so inbound is by a firewall rule - remote IP address specification.

I cut the list in half and made 2 firewall rules; it looks normal now, not muddied up like in the screenshot.

Thanks.


The question is the performance impact of having the firewall parse through 1000 or so IP addresses?

Just now, itman said:

The question is the performance impact of having the firewall parse through 1000 or so IP addresses?

The list has 195747 IPs 😁


My list is not that big, maybe a couple of hundred in each rule (2 rules).

No impact noticeable.
