Jump to content

Firewall rule Max ip addresses


Recommended Posts

  • ESET Insiders

Hi,

What's the max ip addresses i can use in a single firewall rule ? when i try to block many ip addresses the rule become like this pic and it don't work
Snap2.jpg

When i make the ip addresses number less it work

Not sure if it's a bug ? ESET Internet Security v13.0.24

Link to comment
Share on other sites

Add a new Firewall Zone. Title it "Blocked IP Addresses" or whatever. Add all your IP addresses there. Then specify this new Zone in the firewall rule and see if that works.

Edited by itman
Link to comment
Share on other sites

  • ESET Insiders
3 minutes ago, itman said:

Add a new Firewall Zone. Title it "Blocked IP Addresses" or whatever. Add all your IP addresses there. Then specify this new Zone in the firewall rule and see if that works.

That's what i did, this pic above from zone rule

Same problem happen as a rule or zone

Edited by BALTAGY
Link to comment
Share on other sites

1 hour ago, BALTAGY said:

That's what i did, this pic above from zone rule

Same problem happen as a rule or zone

How many IP addresses did you add? There may very well be a limit to the number a firewall rule can handle. This can be simply resolved the splitting the IP addresses in half and creating two firewall rules instead of one.

Edited by itman
Link to comment
Share on other sites

  • ESET Insiders
8 minutes ago, itman said:

How many IP addresses did you add? There may very well be a limit to the number a firewall rule can handle. This can be simply resolved the splitting the IP addresses in half and creating two firewall rules instead of one.

Rule get broken after 942 ips

Link to comment
Share on other sites

4 minutes ago, BALTAGY said:

Rule get broken after 942 ips

I would say this is a bit excessive. Suggest you sort your IP addresses in ascending order. Then create a range specification for IP addresses in common range; e.g. 201.155.0.0 - 201.155.255.255.

Link to comment
Share on other sites

  • ESET Insiders
13 minutes ago, itman said:

I would say this is a bit excessive. Suggest you sort your IP addresses in ascending order. Then create a range specification for IP addresses in common range; e.g. 201.155.0.0 - 201.155.255.255.

It will take a very long time to do so

What made me want to add this ip list is one of the ips 185.156.177.234 tried to hack me via VNC and ESET blocked it, so i found an ip list https://malwareworld.com/textlists/suspiciousIPs.txt i would like to block

Time;Event;Action;Source;Target;Protocol;Rule/worm name;Application;User
11/12/2019 10:53:58 PM;Security vulnerability exploitation;Blocked;185.156.177.234:1550xxxxxxxxxxxxx;TCP;Botnet.CnC.Generic;C:\Program Files\RealVNC\VNC Server\vncserver.exe;NT AUTHORITY\SYSTEM

 

Edited by BALTAGY
Link to comment
Share on other sites

2 hours ago, BALTAGY said:

It will take a very long time to do so

Take the malwareworld.com list and strip off the comments creating a new .txt file.

Then open Eset's Web access protection -> URL Address Management -> Address list -> List of blocked address. Click on the Edit tab. Click on the Import tab and select the new file you just previously created. All those IP addresses will be auto created for you. You can also specific if a log entry is to be created for blocked activity and/or to be alerted by Eset when an IP address is blocked. Alternatively, you can create your own blocked address list if you don't want to use the Eset default one.

As far as I am aware of, Eset's Web Access protection monitors anything that connects to the Internet; not just web browsers.

Edited by itman
Link to comment
Share on other sites

  • ESET Insiders
6 minutes ago, itman said:

Take the malwareworld.com list and strip off the comments creating a new .txt file.

Then open Eset's Web access protection -> URL Address Management -> Address list -> List of blocked address. Click on the Edit tab. Click on the Import tab and select the new file you just previously created. All those IP addresses will be auto created for you. You can also specific if a log entry is to be created for blocked activity and/or to be alerted by Eset when an IP address is blocked. Alternatively, you can create your own blocked address list if you don't want to use the Eset default one.

As far as I am aware of, Eset's Web Access protection monitors anything that connects to the Internet; not just web browsers.

Web access only work with URL's not ip's

Link to comment
Share on other sites

1 hour ago, BALTAGY said:

Web access only work with URL's not ip's

Oops! Forgot about that.

You would think by now Eset would have added like list and import capability to the firewall.

Link to comment
Share on other sites

  • ESET Insiders
Just now, itman said:

Oops! Forgot about that.

You would think by now Eset would have added like list and import capability to the firewall.

Ya, and ability to add a long lists will be great

Link to comment
Share on other sites

18 hours ago, itman said:

Oops! Forgot about that.

You would think by now Eset would have added like list and import capability to the firewall.

I tried it, worked for me.

Entered all ip's as you instructed above, and it blocked, said; blocked by user list.

Link to comment
Share on other sites

1 hour ago, SRT said:

I tried it, worked for me.

Entered all ip's as you instructed above, and it blocked, said; blocked by user list.

How did you test?

I suspect if one enters for example https:://xxx.xxx.xxx.xxx, then an IP address block will work. However if you connect via a URL for example https://malwaredomain.com, the block list IP address associated with that URL will not be blocked.

Now a lot of reverse shells deployed by malware do use https:://xxx.xxx.xxx.xxx specification. So creating an IP based list would have some benefit.

Edited by itman
Link to comment
Share on other sites

  • ESET Insiders
2 hours ago, SRT said:

I tried it, worked for me.

Entered all ip's as you instructed above, and it blocked, said; blocked by user list.

It will only block the url, if this IP trying to connect to you by any other way it wont be blocked but if you block it via firewall you can block it completely

Link to comment
Share on other sites

1 hour ago, itman said:

How did you test?

Copied and paste the ip in the browser.

I noticed it changed to https:://xxx.xxx.xxx.xxx with the https::// in front. Said it was blocked.

So it is only blocked outbound, not inbound?

Link to comment
Share on other sites

43 minutes ago, SRT said:

So it is only blocked outbound, not inbound?

Correct. Only way to do so inbound is by firewall rule - remote IP address specification.

Edited by itman
Link to comment
Share on other sites

23 minutes ago, itman said:

Correct. Only was to do so inbound is by firewall rule - remote IP address specification.

I did cut the list in half, made 2 firewall rules, it looks normal now not muddied up like in the screen-shot.

Thanks.

Link to comment
Share on other sites

  • ESET Insiders
Just now, itman said:

The question is the performance impact of having the firewall parse through a 1000 or so IP address?

The list have 195747 ips 😁

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...