Need a firewall appliance with certain abilities

Barometer

Limp Gawd
Joined
Mar 25, 2012
Messages
155
Hello,
I'm looking for an additional firewall appliance to go between my current router/firewall and my server. The specific purpose for this firewall appliance is to block the IP addresses of specific countries where hacking attempts and spambots frequently originate and legitimate connections to the server are rare. I know they originate from ALL countries, but some are much worse than others.

I don't really need advice on why this is a good (or bad) idea, it's what I want to do regardless. I'm just looking for recommendations for a hardware appliance that will do what I need, they way i want it done.

The ONLY appliances I am aware of at this time that meet my requirements are Watchguard Fireboxes such as the x500, x700 etc.
They would work, but are large, somewhat noisy and consume a good bit of power. The interface is good however.

Here are some of the desired properties I am looking for.....

1). Interface that allows me to conveniently add large numbers of IP address blocks in CIDR format or as Host ranges.
2). Low power consumption (ie no hard drive needed)
3). User interface that allows me to see live connections as they are allowed or denied similar to what Watchguard Fireboxes such as the x700 can do.
4). Quiet

Here is the visual interface for the Watchguard Firebox. I like this interface. I may end up using another Firebox if there's no other good / better alternatives.


PS...
I used to use IPBLOCK software on my server and it was excellent, but apparently on Linux, there is no version that works on the latest Ubuntu versions....to my shock.
 
Last edited:

FNtastic

[H]ard|Gawd
Joined
Jul 6, 2013
Messages
1,419
pfsense with dnsblock?
Definitely pfsense. More specifically, he wants pfblockerng-dev. It already includes the GeoIP information for all countries. Just click them, and enable them. Add more IPs if you want. Block, inbound, outbound, or both directions.
 

Barometer

Limp Gawd
Joined
Mar 25, 2012
Messages
155
Where could I see screen shots of pfsense similar to the image I posted above?
 

BitMaster

Limp Gawd
Joined
Nov 10, 2016
Messages
367
Have a look at Rhode & Schwarz appliances. They acquired gateprotect and have their devices listed as UTM. You can download the ISO and use it for 30 days, full featured.

The 9.6.x versions use the old app based GUI. Version 10.x uses the new web based gui. YOu should be able to block what you need.
 

schizrade

Supreme [H]ardness
Joined
Feb 15, 2003
Messages
4,821
Why? Are firewalls less valuable at a lab or at someones home?

Are you saying hackers don't bother with home networks or that you don't know anything about this topic?
I know plenty about the topic, but I was thinking enterprise style gear, so that's why I asked if this was a home/lab setup scenario. So I backed up my post and asked. There i no point discussing what I was going to recommend for a home/lab setup. Won't bother you again.
 

Farva

Shens!
Joined
Feb 3, 2004
Messages
35,812

bbenz33

Limp Gawd
Joined
Dec 8, 2004
Messages
382
I actually do this using pfSense and know that it works as I tried to VPN from overseas and couldn't.
 

Nicklebon

Gawd
Joined
May 22, 2006
Messages
640
Check Point, Fortinet, Junpier, Palo and pretty much every other real firewall does this. Geo blocking isn't rocket science. I've done this for years at home with both Check Point and Fortigate appliances.
 

MrGuvernment

Fully [H]
Joined
Aug 3, 2004
Messages
19,276
pfsense. But really all firewasll block by default so your only need is outbound blocking then. As said, PFSense on an APU2 or customer built i3 rig and off you go
 

sMiLeYz

Limp Gawd
Joined
Jan 24, 2003
Messages
383
pfsense with pfBlockerNG package, i use it to block China, Russia, Ukraine ip's with GeoIP feature.
 

BitMaster

Limp Gawd
Joined
Nov 10, 2016
Messages
367
pfsense. But really all firewasll block by default so your only need is outbound blocking then. As said, PFSense on an APU2 or customer built i3 rig and off you go
I think the OP has a service running with opened ports, likely 80 & 443. In order to filter who's allowed to visit it and who not, Geocaching can be used, but it can also easily be fooled if you play around with Client side VPN & Proxy.


A good start is to block EVERYTHING and then move on with only what you need. For home usage, this is anything but welcome.....ask my family when I switch on my R&S UTM and they get filtered..LoL.
 

NoOther

Supreme [H]ardness
Joined
May 14, 2008
Messages
6,477
Hello,
I'm looking for an additional firewall appliance to go between my current router/firewall and my server. The specific purpose for this firewall appliance is to block the IP addresses of specific countries where hacking attempts and spambots frequently originate and legitimate connections to the server are rare. I know they originate from ALL countries, but some are much worse than others.
What you are looking for is called Geo Blocking. Many firewalls do this, many routers can also do this. Is this for a personal setup, a small business, or a larger business? What router and firewall do you currently have?

Also piggybacking off the post above, what specifically is the purpose of the system you are trying to protect?
 

Nicklebon

Gawd
Joined
May 22, 2006
Messages
640
Let me add there is no reason for your geo blocking device to be an additional firewall. If you insist on two then the geo blocking should happen first. There is no reason to process a packet you plan on dropping twice.
 

Barometer

Limp Gawd
Joined
Mar 25, 2012
Messages
155
What you are looking for is called Geo Blocking. Many firewalls do this, many routers can also do this. Is this for a personal setup, a small business, or a larger business? What router and firewall do you currently have?

Also piggybacking off the post above, what specifically is the purpose of the system you are trying to protect?
Hello,

The problem with most of the firewalls you mentioned (AFAIK) is that they weren't really designed for loading 5 - 10 million IP addresses into them for blocking. TBH, I'm not knowledgeable with them but I do know the Fireboxes and they choke and get VERY slow after about 1 million IP's loaded.
It may be a bad assumption. Again, I'm not familiar with other firewalls.
 
Last edited:

ThreeDee

[H]F Junkie
Joined
Sep 5, 2001
Messages
10,733
Hello,

The problem with most of the firewalls you mentioned (AFAIK) is that they weren't really designed for loading 5 - 10 million IP addresses into them for blocking. TBH, I'm not knowledgeable with them but I do know the Fireboxes and they choke and get VERY slow after about 1 million IP's loaded.
It may be a bad assumption. Again, I'm not familiar with other firewalls.

let me give you the scenario that (up until recently) worked perfectly for me.

Ubuntu Server, Apache2.4 and a fantastic program called IPBLOCK.
with IPBLOCK, I was able to create plain text lists of IP's I gathered from various sources that contained EVERY IP address for any chosen country. I could very easily upload that entire file into IPBLOCK and instantly, every IP I wanted blocked was blocked.
This is all INCOMING traffic. I have an awful lot of nefarious jabs at my server. Literally thousands per day, which is common for servers exposed to the Internet. There is for all intents and purposes, no need whatsoever for incoming requests from outside my home country. In fact, the vast majority of the nefarious requests come from outside my home country.
So as a means of limiting my servers exposure, blocking them all and only allowing connections from my home country works well FOR ME. I am well aware of the use of proxies and have a system to filter the vast majority of proxies through the use of services that maintain updated lists of proxies.

In my searching, I have not found any firewall solutions as comprehensive, customizable, effective and easy to use as IPBLOCK. (again, probably because I'm not familiar with enough firewall brands)

Ok, with all that said......

IPBLOCK was hands down the best way to do what I wanted to do but I recently upgraded my server to a newer version of Ubuntu server and to my dismay, IPBLOCK does not run on the new version. (I have a hard time understanding this)

I have all usual security on the server such as F2B and Modsec, and all unnecessary ports locked down, but I don't even want certain traffic reaching the server at all.

After struggling with Watchguard Fireboxes all weekend and getting nowhere.....I'm coming to believe that building my own Router/Firewall from a spare computer might be the way to go. maybe the only way.

Even an older Ubuntu System with no job but to run IPBLOCK and filter out traffic right before the server. If it could dual purpose as my router, that would be great.

Thanks for enduring that long post.
I used to use same or similar program when I used to run a Smoothwall™ box for my firewall/UTM ..worked great
 

rmd3003

Limp Gawd
Joined
Apr 15, 2005
Messages
329
Soniwall TZ series (check used on ebay)?

ken=eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJzb25pY3dhbGwiLCJleHAiOjE1ODM4MDMxODEsImlhdCI6MTU1MjI2NzE4MX0.png



They also have paid option - Geo IP filter to block specific countries.


ken=eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJzb25pY3dhbGwiLCJleHAiOjE1ODM4MDM1MDIsImlhdCI6MTU1MjI2NzUwMn0.png
 

Barometer

Limp Gawd
Joined
Mar 25, 2012
Messages
155
Is there much difference between the TZ and the NSA models ?

Do either of these allow you to import lists of IP addresses to block or do they require a connection to Sonicwall?

Is it a bad idea to buy one that's slightly past End of Life?
 
Last edited:

USMCGrunt

2[H]4U
Joined
Mar 19, 2010
Messages
3,113
I don't think you understand how the internet works. Or, you grossly misunderstood the OP's ask. Either way, cloudflare is not the right solution. VERY far from the right solution.
I very much understand how the internet works, lol. He has public services exposed to the outside and is trying to protect his perimeter. I'm making an assumption that he's got a domain registered. Redirect his domain registrar nameservers to CloudFlare, then configure his router to only accept incoming requests for those services from CloudFlare's IP range. This pushes his perimeter for those exposed services out to CF and allows him to perform geo-blocking. CloudFlare's log API would also allow him to pull connectivity data as well if he desires it.

Edit: This satisfies 1-2, and 4. The logging API is 5 minutes behind realtime, at best. This also only works for 80/443 and then becomes not free to cover the remaining 65k ports and services. Though I would be curious to know what they'd charge for Spectrum for home use levels of bandwidth.

Still....its not "VERY far" from a solution.
 
Last edited:

FNtastic

[H]ard|Gawd
Joined
Jul 6, 2013
Messages
1,419
I very much understand how the internet works, lol. He has public services exposed to the outside and is trying to protect his perimeter. I'm making an assumption that he's got a domain registered. Redirect his domain registrar nameservers to CloudFlare, then configure his router to only accept incoming requests for those services from CloudFlare's IP range. This pushes his perimeter for those exposed services out to CF and allows him to perform geo-blocking. CloudFlare's log API would also allow him to pull connectivity data as well if he desires it.

Edit: This satisfies 1-2, and 4. The logging API is 5 minutes behind realtime, at best. This also only works for 80/443 and then becomes not free to cover the remaining 65k ports and services. Though I would be curious to know what they'd charge for Spectrum for home use levels of bandwidth.

Still....its not "VERY far" from a solution.
Nah. Because cloudflare only helps when accessing via the domain name. When they hit the IP directly, it completely bypasses anything cloudflare does. It should be considered useless when it comes to securing a network/server. OP would still need to do everything he originally intended to do from the firewall side. It'd be double the work. And, that's assuming OP is using a domain name and is only wanting to accept traffic over port 80/443...
 

NoOther

Supreme [H]ardness
Joined
May 14, 2008
Messages
6,477
Hello,

The problem with most of the firewalls you mentioned (AFAIK) is that they weren't really designed for loading 5 - 10 million IP addresses into them for blocking. TBH, I'm not knowledgeable with them but I do know the Fireboxes and they choke and get VERY slow after about 1 million IP's loaded.
It may be a bad assumption. Again, I'm not familiar with other firewalls.

let me give you the scenario that (up until recently) worked perfectly for me.

Ubuntu Server, Apache2.4 and a fantastic program called IPBLOCK.
with IPBLOCK, I was able to create plain text lists of IP's I gathered from various sources that contained EVERY IP address for any chosen country. I could very easily upload that entire file into IPBLOCK and instantly, every IP I wanted blocked was blocked.
This is all INCOMING traffic. I have an awful lot of nefarious jabs at my server. Literally thousands per day, which is common for servers exposed to the Internet. There is for all intents and purposes, no need whatsoever for incoming requests from outside my home country. In fact, the vast majority of the nefarious requests come from outside my home country.
So as a means of limiting my servers exposure, blocking them all and only allowing connections from my home country works well FOR ME. I am well aware of the use of proxies and have a system to filter the vast majority of proxies through the use of services that maintain updated lists of proxies.

In my searching, I have not found any firewall solutions as comprehensive, customizable, effective and easy to use as IPBLOCK. (again, probably because I'm not familiar with enough firewall brands)

Ok, with all that said......

IPBLOCK was hands down the best way to do what I wanted to do but I recently upgraded my server to a newer version of Ubuntu server and to my dismay, IPBLOCK does not run on the new version. (I have a hard time understanding this)

I have all usual security on the server such as F2B and Modsec, and all unnecessary ports locked down, but I don't even want certain traffic reaching the server at all.

After struggling with Watchguard Fireboxes all weekend and getting nowhere.....I'm coming to believe that building my own Router/Firewall from a spare computer might be the way to go. maybe the only way.

Even an older Ubuntu System with no job but to run IPBLOCK and filter out traffic right before the server. If it could dual purpose as my router, that would be great.

Thanks for enduring that long post.
I am confused, why did you come here looking for advice when you are now saying you have a perfect solution? Also, how can you make that claim when you also say you don't have experience with anything else? You tag my post, but I mentioned no specific firewalls at all, just that there were many that could do what you are asking about. I am not sure what you mean by "loading 5-10 million IP addresses into them for blocking". Loading IP addresses is the least taxing portion, it is a simple list. I believe what you mean is they may lack the hardware/programming to adequately process all the various things you want to do with the firewall. Again, it is hard to make any suggestions without knowing what this is actually for.

I mean are you here for actual advice, or just to shill IPBLOCK?
 

Barometer

Limp Gawd
Joined
Mar 25, 2012
Messages
155
So is there nothing available today that resembles IPBLOCK, PEERBLOCK, IPLIST or PEERGUARDIAN, ALL of which were software firewalls that allowed you to make an external list of IP ranges you wanted to block (unlimited numbers) and then import that list back into the software?

I use a Linux server btw.
I am confused,
Agreed.

Since the reply was to your question, and obviously it confused you.....I edited it.
Thanks anyway
 
Last edited:

NoOther

Supreme [H]ardness
Joined
May 14, 2008
Messages
6,477
Not sure what you're talking about.

I said I "HAD" a perfect solution. Please read the posts. Thanks
I read the posts, which is why I am confused. Your reply to my post makes zero sense, note I didn't mention any specific firewalls at all, yet you said the ones I suggested won't work. You then say you don't have experience with many others. So it literally makes no sense.

The real problem is you still haven't addressed the questions people asked about what you are trying to accomplish or what the environment is. It is hard to give you recommendations when you don't explain what you are trying to protect, what kind of network traffic/bandwidth you have, or what the budget is.
 

Barometer

Limp Gawd
Joined
Mar 25, 2012
Messages
155
I read the posts, which is why I am confused. Your reply to my post makes zero sense, note I didn't mention any specific firewalls at all, yet you said the ones I suggested won't work. You then say you don't have experience with many others. So it literally makes no sense.

The real problem is you still haven't addressed the questions people asked about what you are trying to accomplish or what the environment is. It is hard to give you recommendations when you don't explain what you are trying to protect, what kind of network traffic/bandwidth you have, or what the budget is.
Fair enough. Sounds like we may have a communications problem. Probably my fault.
I gave the information to the best of my ability in the OP. Perhaps not good enough. Perhaps confusing. I understand.

Still, many of the replies have been helpful, so all is not lost.
 

NoOther

Supreme [H]ardness
Joined
May 14, 2008
Messages
6,477
Fair enough. Sounds like we may have a communications problem. Probably my fault.
I gave the information to the best of my ability in the OP. Perhaps not good enough. Perhaps confusing. I understand.

Still, many of the replies have been helpful, so all is not lost.
Yes, we are all trying to help, but in offering specific recommendations it helps to know what it is for, as some suggestions may be too pricey or have too few other options to aid in what you are ultimately trying to do.

For instance, is this for a home setup? Are you providing some service outside of your home? Is this for a small business? Is this for a large business? How much traffic do you have coming in/out of your network? What applications/ports/protocols are you hosting? Who are your users that are accessing the network? etc. etc.
 

boss6021

Limp Gawd
Joined
Oct 11, 2006
Messages
354
Is there much difference between the TZ and the NSA models ?

Do either of these allow you to import lists of IP addresses to block or do they require a connection to Sonicwall?

Is it a bad idea to buy one that's slightly past End of Life?
Yes, the TZ series is for home to small business depending on use case. The NSA models are designed for small business to large business depending on use case.

You can add custom addresses (either individual or entire subnets).

What model are you looking at?
 

Barometer

Limp Gawd
Joined
Mar 25, 2012
Messages
155
Yes, the TZ series is for home to small business depending on use case. The NSA models are designed for small business to large business depending on use case.

You can add custom addresses (either individual or entire subnets).

What model are you looking at?
Hello,
Either the TZ 200, 300, 400 series or the NSA 220, 240 series.
One of my concerns with either is that if I bought a used "end of life" unit, would it be locked in some way because from my research, you have to "activate" it before use. I have no account with Sonicwall.

It's primarily for a small business.
 

Barometer

Limp Gawd
Joined
Mar 25, 2012
Messages
155
An "FYI" for anyone considering purchasing a Sonicwall TZ 200 series router.......

I just got off the phone with Sonicwall and they confirmed that the TZ series firewalls have no ability to Import IP lists such as a text file list containing IPs you wish to block for example......

China: 212.000.000.000 - 212.555.555.555

instead, the only way you can block entire countries with the Sonicwall TZ 210 series is to use the Geo-blocking feature, which requires a purchased annual license and that costs around $750.00 per year .
 

FNtastic

[H]ard|Gawd
Joined
Jul 6, 2013
Messages
1,419
An "FYI" for anyone considering purchasing a Sonicwall TZ 200 series router.......

I just got off the phone with Sonicwall and they confirmed that the TZ series firewalls have no ability to Import IP lists such as a text file list containing IPs you wish to block for example......

China: 212.000.000.000 - 212.555.555.555

instead, the only way you can block entire countries with the Sonicwall TZ 210 series is to use the Geo-blocking feature, which requires a purchased annual license and that costs around $750.00 per year .
Pfsense with pfblockerng-dev. It's free.
 

boss6021

Limp Gawd
Joined
Oct 11, 2006
Messages
354
Hello,
Either the TZ 200, 300, 400 series or the NSA 220, 240 series.
One of my concerns with either is that if I bought a used "end of life" unit, would it be locked in some way because from my research, you have to "activate" it before use. I have no account with Sonicwall.

It's primarily for a small business.
I personally can't recommend a Pfsense firewall without a support contract of some sort for a business.

I would recommend either the TZ 300 or TZ 400 as they are newer appliances and will have more longevity. Current price for a year of licensing for security services is $166. I'm not sure why you would need to have a list of GEO-IPs when most are already present within the Sonicwall, and are as easy as a click to add. We use these extensively, and works great for us. Let me know if you have any further questions, and I or others would be happy to answer them.
 
Tags
firewall
Top