Need a firewall appliance with certain abilities

Discussion in 'Networking & Security' started by Barometer, Mar 7, 2019.

  1. Barometer

    Barometer [H]Lite

    Messages:
    88
    Joined:
    Mar 25, 2012
    Hello,
    I'm looking for an additional firewall appliance to go between my current router/firewall and my server. The specific purpose for this firewall appliance is to block the IP addresses of specific countries where hacking attempts and spambots frequently originate and legitimate connections to the server are rare. I know they originate from ALL countries, but some are much worse than others.

    I don't really need advice on why this is a good (or bad) idea, it's what I want to do regardless. I'm just looking for recommendations for a hardware appliance that will do what I need, the way I want it done.

    The ONLY appliances I am aware of at this time that meet my requirements are Watchguard Fireboxes such as the x500, x700 etc.
    They would work, but are large, somewhat noisy and consume a good bit of power. The interface is good however.

    Here are some of the desired properties I am looking for.....

    1). Interface that allows me to conveniently add large numbers of IP address blocks in CIDR format or as Host ranges.
    2). Low power consumption (i.e. no hard drive needed)
    3). User interface that allows me to see live connections as they are allowed or denied similar to what Watchguard Fireboxes such as the x700 can do.
    4). Quiet

    Here is the visual interface for the Watchguard Firebox. I like this interface. I may end up using another Firebox if there's no other good / better alternatives.


    PS...
    I used to use IPBLOCK software on my server and it was excellent, but apparently on Linux, there is no version that works on the latest Ubuntu versions....to my shock.
     
    Last edited: Mar 11, 2019
  2. schizrade

    schizrade [H]ardness Supreme

    Messages:
    4,668
    Joined:
    Feb 15, 2003
    Is this for a home/lab kind of thing?
     
  3. Farva

    Farva [H]ard as it Gets

    Messages:
    35,098
    Joined:
    Feb 3, 2004
    pfsense with dnsblock?
     
    bbenz33, Barometer and FNtastic like this.
  4. FNtastic

    FNtastic [H]ard|Gawd

    Messages:
    1,324
    Joined:
    Jul 6, 2013
    Definitely pfsense. More specifically, he wants pfblockerng-dev. It already includes the GeoIP information for all countries. Just click them, and enable them. Add more IPs if you want. Block, inbound, outbound, or both directions.
     
    Barometer likes this.
  5. Barometer

    Barometer [H]Lite

    Messages:
    88
    Joined:
    Mar 25, 2012
    Kind of yes and no. Definitely not some kind of high volume situation.
     
  6. Barometer

    Barometer [H]Lite

    Messages:
    88
    Joined:
    Mar 25, 2012
  7. Barometer

    Barometer [H]Lite

    Messages:
    88
    Joined:
    Mar 25, 2012
    Where could I see screen shots of pfsense similar to the image I posted above?
     
  8. schizrade

    schizrade [H]ardness Supreme

    Messages:
    4,668
    Joined:
    Feb 15, 2003
    Ah ok, I got nothing then lol.
     
  9. Barometer

    Barometer [H]Lite

    Messages:
    88
    Joined:
    Mar 25, 2012
    Why? Are firewalls less valuable at a lab or at someone's home?

    Are you saying hackers don't bother with home networks or that you don't know anything about this topic?
     
  10. BitMaster

    BitMaster Limp Gawd

    Messages:
    368
    Joined:
    Nov 10, 2016
    Have a look at Rhode & Schwarz appliances. They acquired gateprotect and have their devices listed as UTM. You can download the ISO and use it for 30 days, full featured.

    The 9.6.x versions use the old app based GUI. Version 10.x uses the new web based GUI. You should be able to block what you need.
     
    Barometer likes this.
  11. Barometer

    Barometer [H]Lite

    Messages:
    88
    Joined:
    Mar 25, 2012
    Your reply was the only one that hasn't been helpful so I was wondering if there's a problem with what I'm asking?
     
  12. schizrade

    schizrade [H]ardness Supreme

    Messages:
    4,668
    Joined:
    Feb 15, 2003
    I know plenty about the topic, but I was thinking enterprise style gear, so that's why I asked if this was a home/lab setup scenario. So I backed up my post and asked. There is no point discussing what I was going to recommend for a home/lab setup. Won't bother you again.
     
  13. Farva

    Farva [H]ard as it Gets

    Messages:
    35,098
    Joined:
    Feb 3, 2004
    Barometer likes this.
  14. bbenz33

    bbenz33 Limp Gawd

    Messages:
    378
    Joined:
    Dec 8, 2004
    I actually do this using pfSense and know that it works as I tried to VPN from overseas and couldn't.
     
  15. Nicklebon

    Nicklebon Gawd

    Messages:
    549
    Joined:
    May 22, 2006
    Check Point, Fortinet, Juniper, Palo and pretty much every other real firewall does this. Geo blocking isn't rocket science. I've done this for years at home with both Check Point and Fortigate appliances.
     
    NoOther likes this.
  16. MrGuvernment

    MrGuvernment [H]ard as it Gets

    Messages:
    19,148
    Joined:
    Aug 3, 2004
    pfsense. But really all firewalls block by default so your only need is outbound blocking then. As said, pfSense on an APU2 or custom built i3 rig and off you go.
     
  17. sMiLeYz

    sMiLeYz Limp Gawd

    Messages:
    335
    Joined:
    Jan 24, 2003
    pfsense with pfBlockerNG package, I use it to block China, Russia, Ukraine IPs with the GeoIP feature.
     
  18. BitMaster

    BitMaster Limp Gawd

    Messages:
    368
    Joined:
    Nov 10, 2016
    I think the OP has a service running with opened ports, likely 80 & 443. In order to filter who's allowed to visit it and who not, Geocaching can be used, but it can also easily be fooled if you play around with Client side VPN & Proxy.


    A good start is to block EVERYTHING and then move on with only what you need. For home usage, this is anything but welcome.....ask my family when I switch on my R&S UTM and they get filtered..LoL.
     
    bbenz33 and MrGuvernment like this.
  19. NoOther

    NoOther [H]ardness Supreme

    Messages:
    6,413
    Joined:
    May 14, 2008
    What you are looking for is called Geo Blocking. Many firewalls do this, many routers can also do this. Is this for a personal setup, a small business, or a larger business? What router and firewall do you currently have?

    Also piggybacking off the post above, what specifically is the purpose of the system you are trying to protect?
     
  20. Nicklebon

    Nicklebon Gawd

    Messages:
    549
    Joined:
    May 22, 2006
    Let me add there is no reason for your geo blocking device to be an additional firewall. If you insist on two then the geo blocking should happen first. There is no reason to process a packet you plan on dropping twice.
     
  21. Barometer

    Barometer [H]Lite

    Messages:
    88
    Joined:
    Mar 25, 2012
    Hello,

    The problem with most of the firewalls you mentioned (AFAIK) is that they weren't really designed for loading 5 - 10 million IP addresses into them for blocking. TBH, I'm not knowledgeable with them but I do know the Fireboxes and they choke and get VERY slow after about 1 million IP's loaded.
    It may be a bad assumption. Again, I'm not familiar with other firewalls.
     
    Last edited: Mar 11, 2019
  22. ThreeDee

    ThreeDee [H]ardForum Junkie

    Messages:
    10,591
    Joined:
    Sep 5, 2001
    I used to use the same or similar program when I used to run a Smoothwall™ box for my firewall/UTM ..worked great
     
    Barometer likes this.
  23. rmd3003

    rmd3003 Limp Gawd

    Messages:
    315
    Joined:
    Apr 15, 2005
    Sonicwall TZ series (check used on ebay)?


    They also have paid option - Geo IP filter to block specific countries.

     
    Barometer likes this.
  24. Barometer

    Barometer [H]Lite

    Messages:
    88
    Joined:
    Mar 25, 2012
    Is there much difference between the TZ and the NSA models ?

    Do either of these allow you to import lists of IP addresses to block or do they require a connection to Sonicwall?

    Is it a bad idea to buy one that's slightly past End of Life?
     
    Last edited: Mar 10, 2019
  25. USMCGrunt

    USMCGrunt 2[H]4U

    Messages:
    3,113
    Joined:
    Mar 19, 2010
  26. FNtastic

    FNtastic [H]ard|Gawd

    Messages:
    1,324
    Joined:
    Jul 6, 2013
    I don't think you understand how the internet works. Or, you grossly misunderstood the OP's ask. Either way, cloudflare is not the right solution. VERY far from the right solution.
     
  27. USMCGrunt

    USMCGrunt 2[H]4U

    Messages:
    3,113
    Joined:
    Mar 19, 2010
    I very much understand how the internet works, lol. He has public services exposed to the outside and is trying to protect his perimeter. I'm making an assumption that he's got a domain registered. Redirect his domain registrar nameservers to CloudFlare, then configure his router to only accept incoming requests for those services from CloudFlare's IP range. This pushes his perimeter for those exposed services out to CF and allows him to perform geo-blocking. CloudFlare's log API would also allow him to pull connectivity data as well if he desires it.

    Edit: This satisfies 1-2, and 4. The logging API is 5 minutes behind realtime, at best. This also only works for 80/443 and then becomes not free to cover the remaining 65k ports and services. Though I would be curious to know what they'd charge for Spectrum for home use levels of bandwidth.

    Still... it's not "VERY far" from a solution.
     
    Last edited: Mar 11, 2019
  28. FNtastic

    FNtastic [H]ard|Gawd

    Messages:
    1,324
    Joined:
    Jul 6, 2013
    Nah. Because cloudflare only helps when accessing via the domain name. When they hit the IP directly, it completely bypasses anything cloudflare does. It should be considered useless when it comes to securing a network/server. OP would still need to do everything he originally intended to do from the firewall side. It'd be double the work. And, that's assuming OP is using a domain name and is only wanting to accept traffic over port 80/443...
     
  29. NoOther

    NoOther [H]ardness Supreme

    Messages:
    6,413
    Joined:
    May 14, 2008
    I am confused, why did you come here looking for advice when you are now saying you have a perfect solution? Also, how can you make that claim when you also say you don't have experience with anything else? You tag my post, but I mentioned no specific firewalls at all, just that there were many that could do what you are asking about. I am not sure what you mean by "loading 5-10 million IP addresses into them for blocking". Loading IP addresses is the least taxing portion, it is a simple list. I believe what you mean is they may lack the hardware/programming to adequately process all the various things you want to do with the firewall. Again, it is hard to make any suggestions without knowing what this is actually for.

    I mean are you here for actual advice, or just to shill IPBLOCK?
     
    Nicklebon likes this.
  30. Barometer

    Barometer [H]Lite

    Messages:
    88
    Joined:
    Mar 25, 2012
    So is there nothing available today that resembles IPBLOCK, PEERBLOCK, IPLIST or PEERGUARDIAN, ALL of which were software firewalls that allowed you to make an external list of IP ranges you wanted to block (unlimited numbers) and then import that list back into the software?

    I use a Linux server btw.
    Agreed.

    Since the reply was to your question, and obviously it confused you.....I edited it.
    Thanks anyway
     
    Last edited: Mar 11, 2019
  31. NoOther

    NoOther [H]ardness Supreme

    Messages:
    6,413
    Joined:
    May 14, 2008
    I read the posts, which is why I am confused. Your reply to my post makes zero sense, note I didn't mention any specific firewalls at all, yet you said the ones I suggested won't work. You then say you don't have experience with many others. So it literally makes no sense.

    The real problem is you still haven't addressed the questions people asked about what you are trying to accomplish or what the environment is. It is hard to give you recommendations when you don't explain what you are trying to protect, what kind of network traffic/bandwidth you have, or what the budget is.
     
  32. Barometer

    Barometer [H]Lite

    Messages:
    88
    Joined:
    Mar 25, 2012
    Fair enough. Sounds like we may have a communications problem. Probably my fault.
    I gave the information to the best of my ability in the OP. Perhaps not good enough. Perhaps confusing. I understand.

    Still, many of the replies have been helpful, so all is not lost.
     
  33. NoOther

    NoOther [H]ardness Supreme

    Messages:
    6,413
    Joined:
    May 14, 2008
    Yes, we are all trying to help, but in offering specific recommendations it helps to know what it is for, as some suggestions may be too pricey or have too few other options to aid in what you are ultimately trying to do.

    For instance, is this for a home setup? Are you providing some service outside of your home? Is this for a small business? Is this for a large business? How much traffic do you have coming in/out of your network? What applications/ports/protocols are you hosting? Who are your users that are accessing the network? etc. etc.
     
  34. boss6021

    boss6021 Limp Gawd

    Messages:
    335
    Joined:
    Oct 11, 2006
    Yes, the TZ series is for home to small business depending on use case. The NSA models are designed for small business to large business depending on use case.

    You can add custom addresses (either individual or entire subnets).

    What model are you looking at?
     
  35. Barometer

    Barometer [H]Lite

    Messages:
    88
    Joined:
    Mar 25, 2012
    Hello,
    Either the TZ 200, 300, 400 series or the NSA 220, 240 series.
    One of my concerns with either is that if I bought a used "end of life" unit, would it be locked in some way because from my research, you have to "activate" it before use. I have no account with Sonicwall.

    It's primarily for a small business.
     
  36. Barometer

    Barometer [H]Lite

    Messages:
    88
    Joined:
    Mar 25, 2012
    An "FYI" for anyone considering purchasing a Sonicwall TZ 200 series router.......

    I just got off the phone with Sonicwall and they confirmed that the TZ series firewalls have no ability to import IP lists such as a text file list containing IPs you wish to block, for example......

    China: 212.000.000.000 - 212.555.555.555

    Instead, the only way you can block entire countries with the Sonicwall TZ 210 series is to use the Geo-blocking feature, which requires a purchased annual license and that costs around $750.00 per year.
     
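    The OP's first requirement and the post above both describe importing a text file of block entries written either as CIDR blocks or as "start - end" host ranges. The following is an added example, not code from the thread or from any of the products discussed: it parses such a mixed-format list, converts host ranges into the minimal set of CIDR prefixes, collapses overlapping and adjacent prefixes (which is what keeps the rule count manageable when the source list runs to millions of addresses), and rejects malformed entries instead of silently loading them. The sample list is constructed from documentation address ranges; IPv4 entries only are assumed.

```python
import ipaddress

# Constructed sample list mixing the two formats the thread asks for.
# The last entry deliberately mirrors the malformed range quoted above
# (octets above 255) so the parser's rejection path is exercised.
SAMPLE_LIST = """
# comments and blank lines are ignored
192.0.2.0/24
198.51.100.0 - 198.51.100.255
198.51.101.0/24
203.0.113.10 - 203.0.113.20
212.000.000.000 - 212.555.555.555
"""

def parse_entry(line: str):
    """Return the CIDR networks for one entry; raise ValueError if malformed."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return []
    if "-" in line:
        start_s, end_s = (p.strip() for p in line.split("-", 1))
        start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
        if end < start:
            raise ValueError(f"range end before start: {line}")
        # summarize_address_range yields the fewest prefixes covering the range
        return list(ipaddress.summarize_address_range(start, end))
    # strict=False accepts host bits set in the prefix, e.g. 192.0.2.5/24
    return [ipaddress.ip_network(line, strict=False)]

def build_blocklist(text: str):
    """Parse a mixed list; return (collapsed prefixes, rejected raw entries)."""
    nets, rejects = [], []
    for line in text.splitlines():
        try:
            nets.extend(parse_entry(line))
        except ValueError:
            rejects.append(line.strip())
    # collapse_addresses merges adjacent and overlapping prefixes, sorted
    return list(ipaddress.collapse_addresses(nets)), rejects

def is_blocked(ip: str, nets) -> bool:
    """Linear scan is fine for a demo; a firewall uses a radix tree or ipset."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

if __name__ == "__main__":
    prefixes, bad = build_blocklist(SAMPLE_LIST)
    print("prefixes:", [str(p) for p in prefixes])
    print("rejected:", bad)
```

Note that the two adjacent /24s in the sample collapse into a single /23, while the 203.0.113.10-20 range needs four prefixes; that difference is why a list's "IP count" and its rule count are not the same number.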
  37. FNtastic

    FNtastic [H]ard|Gawd

    Messages:
    1,324
    Joined:
    Jul 6, 2013
    Pfsense with pfblockerng-dev. It's free.
     
  38. Rifter0876

    Rifter0876 [H]Lite

    Messages:
    100
    Joined:
    Nov 1, 2017
    starting to sound like a broken record in here but Pfsense with pfblockerng-dev.
     
    extide likes this.
  39. boss6021

    boss6021 Limp Gawd

    Messages:
    335
    Joined:
    Oct 11, 2006
    I personally can't recommend a Pfsense firewall without a support contract of some sort for a business.

    I would recommend either the TZ 300 or TZ 400 as they are newer appliances and will have more longevity. Current price for a year of licensing for security services is $166. I'm not sure why you would need to have a list of GEO-IPs when most are already present within the Sonicwall, and are as easy as a click to add. We use these extensively, and it works great for us. Let me know if you have any further questions, and I or others would be happy to answer them.
     
    Barometer likes this.
  40. Meeho

    Meeho [H]ardness Supreme

    Messages:
    4,188
    Joined:
    Aug 16, 2010
    Agree with most here. Pfsense makes most...sense.
     