Netgate Discussion Forum

    Blocking requests from an IP or country

    • markcrobinson

      An IP from China is trying to hack into my system. I have a Trixbox phone system so need a static IP. I've changed it to "My Ip" in the examples below.
      The Trixbox is behind a 1.2.2 pfSense firewall with these settings.

      NAT:
      WAN  UDP  5060 - 5061    Trixbox (ext.: My IP)  5060 - 5061
      WAN  UDP  10000 - 14000  Trixbox (ext.: My IP)  10000 - 14000

      WAN RULES:
      UDP  *  *  Trixbox  5060 - 5061    *
      UDP  *  *  Trixbox  10000 - 20000  *

      The message on the trixbox is
      chan_sip.c: Registration from '"120" <sip:120@My IP>' failed for '219.118.178.67'
      chan_sip.c: Registration from '"120" <sip:120@My IP>' failed for '116.255.136.75'

      The IPs are from China. So in WAN rules I set up

      Proto  Source            Port
      *      219.118.178.67    *  *  *  *
      *      116.255.136.75    *  *  *  *

      QUESTION 1 - It did not seem to work. Why? I hit "Apply" and checked to be sure it was done.
      Is it because the NAT takes precedence and the requests are being sent to Trixbox before being filtered?

      QUESTION 2 - In frustration, I rebooted the firewall - suddenly it's working and the attacks are being blocked. Is a reboot required to make a rule like this take effect?

      QUESTION 3 - Can I block everything from attack-prone countries? I saw, somewhere, a "bogon" list. Is there a way to implement a filter like this?

      Thanks!

      • Guest

        With Questions 1 and 2, the problem was that you created a rule after a firewall state was already created allowing the traffic. The rule only affects all new firewall states and doesn't affect existing ones. Rather than rebooting next time, go into the state table (under Diagnostics) and either kill all the firewall states or kill the ones that are offending. Killing only the offending states is the least intrusive.

        With regards to Question 3, look at the country block list package.

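Added example, not part of either post: a small script that reads chan_sip registration-failure lines like the ones quoted in the question, picks out the repeat offenders, and prints the `pfctl -k <host>` command that drops the states each one already holds, which is the command-line counterpart of killing only the offending states. The threshold, the sample log and its addresses are constructed, and shell access to the firewall is assumed.

```python
import ipaddress
import re
from collections import Counter

# Matches the chan_sip registration-failure lines quoted in the question.
# Some Asterisk versions append ":port" or a reason after the address.
FAILED_REG = re.compile(
    r"chan_sip\.c: Registration from '.*' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?'"
)

def offenders(log_lines, threshold=3):
    """Return source IPs with at least `threshold` failed registrations."""
    counts = Counter()
    for line in log_lines:
        m = FAILED_REG.search(line)
        if not m:
            continue
        try:
            # Reject malformed addresses before they reach a command line.
            ip = str(ipaddress.ip_address(m.group("ip")))
        except ValueError:
            continue
        counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def state_kill_commands(ips):
    """pfctl -k <host> removes existing states that originate from <host>.
    A block rule only stops new states, so both steps are needed."""
    return [f"pfctl -k {ip}" for ip in ips]

# Constructed sample log (documentation addresses, not real attackers).
_REG = "[Jan  1 00:00:0{}] NOTICE[1234] chan_sip.c: Registration from " \
       "'\"120\" <sip:120@192.0.2.10>' failed for '{}'"
SAMPLE_LOG = (
    [_REG.format(i, "203.0.113.7") for i in range(4)]
    + [_REG.format(5, "198.51.100.9")]
    + [_REG.format(6, "999.1.1.1")]          # malformed, ignored
    + ["[Jan  1 00:00:07] NOTICE[1234] chan_sip.c: Peer '120' is now Reachable"]
)

if __name__ == "__main__":
    for cmd in state_kill_commands(offenders(SAMPLE_LOG)):
        print(cmd)
```

Add the block rule for each address first, then run the printed commands so that no new state can be created in between.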
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.