Blocking requests from an IP or country

  • An IP from China is trying to hack into my system. I have a Trixbox phone system so need a static IP. I've changed it to "My IP" in the examples below.
    The Trixbox is behind a pfSense 1.2.2 firewall with these settings.

    WAN  UDP  5060 - 5061    Trixbox (ext.: My IP)  5060 - 5061
    WAN  UDP  10000 - 14000  Trixbox (ext.: My IP)  10000 - 14000

    UDP  *  *  Trixbox  5060 - 5061    *
    UDP  *  *  Trixbox  10000 - 20000  *

    The message on the Trixbox is:
    chan_sip.c: Registration from '"120" <sip:120@My IP>' failed for ''
    chan_sip.c: Registration from '"120" <sip:120@My IP>' failed for ''

    The IPs are from China. So in WAN rules I set up:

    Proto  Source            Port
    *  *  *  *  *

    •  * * * *

    QUESTION 1 - It did not seem to work. Why? I hit "Apply" and checked to be sure it was done.
    Is it because the NAT takes precedence and the requests are being sent to Trixbox before being filtered?

    QUESTION 2 - In frustration, I rebooted the firewall - suddenly it's working and the attacks are being blocked. Is a reboot required to make a rule like this take effect?

    QUESTION 3 - Can I block everything from attack-prone countries? I saw, somewhere, a "bogon" list. Is there a way to implement a filter like this?


  • With Questions 1 and 2, the problem was that you created a rule after a firewall state was already created allowing the traffic. The rule only affects new firewall states and doesn't affect existing ones. Rather than rebooting next time, go into the state table (under Diagnostics) and either kill all the firewall states, or kill the ones that are offending. Killing only the offending states is the least intrusive.

    With regard to Question 3, look at the country block list package.
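
The state cleanup described in the answer above can also be done from the firewall's shell. This is an added example, not part of the thread: it counts failed SIP registrations per source in Asterisk log lines and prints the `pfctl -k` call that drops existing states from each offender. The log lines are constructed (documentation addresses), the source address inside `failed for '...'` and the trailing reason are assumed since the post shows that field empty, and the threshold of 3 is hypothetical.

```shell
#!/bin/sh
# Constructed sample log; 198.51.100.10 stands in for "My IP".
sample_log() {
cat <<'EOF'
[Jan  1 10:00:01] NOTICE[2345] chan_sip.c: Registration from '"120" <sip:120@198.51.100.10>' failed for '203.0.113.50' - Wrong password
[Jan  1 10:00:02] NOTICE[2345] chan_sip.c: Registration from '"121" <sip:121@198.51.100.10>' failed for '203.0.113.50' - Wrong password
[Jan  1 10:00:03] NOTICE[2345] chan_sip.c: Registration from '"122" <sip:122@198.51.100.10>' failed for '203.0.113.50' - Wrong password
[Jan  1 10:00:04] NOTICE[2345] chan_sip.c: Registration from '"123" <sip:123@198.51.100.10>' failed for '203.0.113.50' - Wrong password
[Jan  1 10:05:00] NOTICE[2345] chan_sip.c: Registration from '"200" <sip:200@198.51.100.10>' failed for '203.0.113.77:5062' - Wrong password
[Jan  1 10:06:00] NOTICE[2345] chan_sip.c: Registration from '"120" <sip:120@198.51.100.10>' failed for ''
EOF
}

# Read log lines on stdin; print each source IP with at least $1 failed
# registrations. Lines with an empty source field are skipped, and an
# optional ":port" suffix after the address is ignored.
offenders() {
    sed -n "s/.*chan_sip\.c: Registration from .* failed for '\([0-9][0-9.]*\)[':].*/\1/p" |
        sort | uniq -c |
        awk -v min="$1" '$1 >= min { print $2 }'
}

# Read IPs on stdin. pfctl -k drops the state entries originating from a
# host, which is what makes a newly added block rule apply to that host
# without a reboot. DRY_RUN=1 (the default) only prints the command.
kill_states() {
    while read -r ip; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "pfctl -k $ip"
        else
            pfctl -k "$ip"
        fi
    done
}

# Dry run over the constructed sample: one source crosses the threshold.
sample_log | offenders 3 | kill_states
```

Killing states only helps once the block rule is already in place; otherwise the next packet from the same source recreates the state.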
