Blocking requests from an IP or country
An IP from China is trying to hack into my system. I have a Trixbox phone system so need a static IP. I've changed it to "My Ip" in the examples below.
The Trixbox is behind a 1.2.2 pfSense firewall with these settings.
WAN UDP 5060 - 5061 Trixbox (ext.: My IP) 5060 - 5061
WAN UDP 10000 - 14000 Trixbox (ext.: My IP) 10000 - 14000
UDP * * Trixbox 5060 - 5061 *
UDP * * Trixbox 10000 - 20000 *
The message on the trixbox is
chan_sip.c: Registration from '"120" <sip:120@My IP>' failed for '18.104.22.168'
chan_sip.c: Registration from '"120" <sip:120@My IP>' failed for '22.214.171.124'
The IPs are from China. So in WAN rules I set up
Proto Source Port
* 126.96.36.199 * * * *
- 188.8.131.52 * * * *
QUESTION 1 - It did not seem to work. Why? I hit "Apply" and checked to be sure it was done.
Is it because the NAT takes precedence and the requests are being sent to Trixbox before being filtered?
QUESTION 2 - In frustration, I rebooted the firewall - suddenly it's working and the attacks are being blocked. Is a reboot required to make a rule like this take effect?
QUESTION 3 - Can I block everything from attack-prone countries? I saw, somewhere, a "bogon" list. Is there a way to implement a filter like this?
With Questions 1 and 2, the problem was that you created a rule after a firewall state was already created allowing the traffic. The rule only affects all new firewall states and doesn't affect existing ones. Rather than rebooting next time, go into the state table (under Diagnostics) and either kill all the firewall states or kill the ones that are offending. Killing only the offending states is the least intrusive.
With regard to Question 3, look at the country block list package.
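The state check described in the answer above, done from the firewall's shell instead of the Diagnostics page, as an added example that is not part of the original thread. The function names are hypothetical and the state lines and addresses are constructed (documentation ranges); `pfctl -ss` and `pfctl -k` are the standard pf commands for listing states and for killing the states that originate from a host.

```sh
#!/bin/sh
# Added example: find states that survive a new block rule. IPv4 only.

# Constructed sample in the style of `pfctl -ss` output.
sample_states() {
cat <<'EOF'
all udp 192.0.2.10:5060 <- 203.0.113.50:5071       MULTIPLE:MULTIPLE
all udp 203.0.113.50:5071 -> 192.0.2.10:5060       MULTIPLE:MULTIPLE
all udp 192.0.2.10:5060 <- 203.0.113.5:5060        MULTIPLE:MULTIPLE
all tcp 192.0.2.1:443 <- 198.51.100.99:51515       ESTABLISHED:ESTABLISHED
EOF
}

# Print the state lines that involve address $1 (state listing on stdin).
# The address part of each addr:port field is compared exactly, so
# 203.0.113.5 does not match 203.0.113.50.
states_for() {
    awk -v ip="$1" '{
        for (i = 1; i <= NF; i++) {
            split($i, part, ":")
            if (part[1] == ip) { print; next }
        }
    }'
}

# Read a state listing on stdin; for each blocked address given as an
# argument that still has states, print the command that removes them.
plan_kills() {
    states=$(cat)
    for ip in "$@"; do
        count=$(printf '%s\n' "$states" | states_for "$ip" | wc -l | tr -d ' ')
        if [ "$count" -gt 0 ]; then
            echo "# $ip: $count state(s) still open"
            echo "pfctl -k $ip"
        fi
    done
}

# Demo on the constructed sample. On the firewall itself:
#   pfctl -ss | plan_kills <blocked IPs>      (review, then pipe to sh)
sample_states | plan_kills 203.0.113.50 198.51.100.200
```

An address with no remaining states produces no output, which confirms the block rule alone is now deciding its traffic.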