General Question on Location Block / IPS / Blocklists

Hi there, do the services mentioned above really block all incoming connections, including connections forwarded to the DMZ?

Just because I see logs like these:

02:01:00 BLKLST_BLOCKLIST_DE red0 TCP 87.120.113.56 50120 my.internal.dmz.ip 443
02:01:00 DNAT red0 TCP 87.120.113.56 50120 my.external.i.p 443

In the web server access logs there is no corresponding entry, but I am sure I have seen recently that somehow a connection to the web server is being established before it is dropped again.

I read this recently
I would say it is now behind the IPS system.

1 Like

This is correct. The order has recently changed.

Now it is:

IPS > IP Blocklists > Location > Firewall rules.

Hope this helps!

Thanks,
A G

So, e.g. Location Block does not only DROP_INPUT but also DROP_FORWARD?

In other words, there's no need for a specific country whitelist firewall rule for RED to ORANGE in case Location Block is enabled?

Thank you for clarifying.

Hi Martin,

Yes, the Location Block applies to both the INPUT and FORWARD chains. So, if the Location Block is enabled, traffic from blocked countries will be dropped in both the INPUT (traffic directed to the firewall itself) and FORWARD (traffic passing through the firewall to internal networks, like RED to ORANGE) chains.

Although, if you use firewall rules in combination with location groups, you can tailor this to your liking.

Thanks,
A G

3 Likes
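The two replies above state the evaluation order (IPS > IP Blocklists > Location > Firewall rules) and that Location Block drops in both the INPUT and FORWARD chains. One way to check that claim on your own box is to correlate the firewall log with the DMZ web server's access log: a source that is logged as blocked by a blocklist or Location Block entry should never show up as a client in the access log, even when a DNAT entry for the same flow is logged next to it, as in the original post. The script below is an added example, not code from the thread or from IPFire itself. It parses the log format shown in the thread (time, rule label, interface, protocol, source IP, source port, destination IP, destination port), groups entries by flow, and reports blocked sources that nonetheless appear in the access log. The label `LOCATIONBLOCK`, the `BLOCK_PREFIXES` list and all log lines other than the two quoted from the post are constructed sample data and assumptions.

```python
"""Correlate IPFire-style firewall log lines with a web server access log.

Added example (not from the forum thread or the IPFire project). Assumptions:
- firewall log fields: time label iface proto src sport dst dport (as in the thread)
- rule labels in BLOCK_PREFIXES mark packets dropped before the regular
  firewall rules run; LOCATIONBLOCK and the list itself are assumptions
- access log is Apache/nginx combined format (client IP first)
All sample log lines below are constructed, except the two quoted from the post.
"""
import re
from collections import defaultdict

FW_LINE = re.compile(
    r"^(\d\d:\d\d:\d\d)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)$"
)
# Labels assumed to indicate a drop by IPS / IP blocklist / Location Block.
BLOCK_PREFIXES = ("BLKLST_", "LOCATIONBLOCK", "DROP_INPUT", "DROP_FORWARD")
ACCESS_LINE = re.compile(r"^(\S+) \S+ \S+ \[")


def parse_fw_line(line):
    """Return a dict for one firewall log line, or None if it does not match."""
    m = FW_LINE.match(line.strip())
    if not m:
        return None
    t, label, iface, proto, src, sport, dst, dport = m.groups()
    return {"time": t, "label": label, "iface": iface, "proto": proto,
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}


def flow_key(e):
    # The destination IP is deliberately left out: the blocklist entry logs the
    # internal DMZ address while the DNAT entry logs the external one, yet both
    # belong to the same client connection.
    return (e["proto"], e["src"], e["sport"], e["dport"])


def correlate(fw_lines):
    """Group log entries per flow and record whether it was DNATed and/or blocked."""
    flows = defaultdict(lambda: {"blocked_by": [], "dnat": False, "entries": []})
    for line in fw_lines:
        e = parse_fw_line(line)
        if e is None:
            continue
        f = flows[flow_key(e)]
        f["entries"].append(e)
        if e["label"] == "DNAT":
            f["dnat"] = True
        elif e["label"].startswith(BLOCK_PREFIXES):
            f["blocked_by"].append(e["label"])
    return flows


def access_log_clients(access_lines):
    """Set of client IPs that actually reached the web server."""
    return {m.group(1) for m in map(ACCESS_LINE.match, access_lines) if m}


def blocked_sources_seen_by_webserver(fw_lines, access_lines):
    """Sources dropped by a block rule that still appear in the access log.

    An empty result is what you expect if the blocklist / Location Block drop
    really applies to forwarded (DNAT) traffic as well.
    """
    flows = correlate(fw_lines)
    blocked = {key[1] for key, f in flows.items() if f["blocked_by"]}
    return sorted(blocked & access_log_clients(access_lines))


def forwarded_but_unblocked(fw_lines):
    """Sources that were DNATed to the DMZ and hit no block rule at all."""
    flows = correlate(fw_lines)
    return sorted({key[1] for key, f in flows.items()
                   if f["dnat"] and not f["blocked_by"]})


# Constructed sample data. The first two lines are the ones quoted in the post;
# 203.0.113.9 and 198.51.100.77 are documentation addresses, not real clients.
SAMPLE_FW_LOG = """\
02:01:00 BLKLST_BLOCKLIST_DE red0 TCP 87.120.113.56 50120 my.internal.dmz.ip 443
02:01:00 DNAT red0 TCP 87.120.113.56 50120 my.external.i.p 443
02:01:07 DNAT red0 TCP 203.0.113.9 41022 my.external.i.p 443
02:01:09 LOCATIONBLOCK red0 TCP 198.51.100.77 55510 my.internal.dmz.ip 443
02:01:09 DNAT red0 TCP 198.51.100.77 55510 my.external.i.p 443
""".splitlines()

SAMPLE_ACCESS_LOG = """\
203.0.113.9 - - [09/May/2024:02:01:07 +0200] "GET / HTTP/1.1" 200 1234 "-" "curl/8.0"
""".splitlines()

if __name__ == "__main__":
    print("blocked sources seen by web server:",
          blocked_sources_seen_by_webserver(SAMPLE_FW_LOG, SAMPLE_ACCESS_LOG))
    print("forwarded and unblocked:", forwarded_but_unblocked(SAMPLE_FW_LOG))
```

Point it at /var/log/messages (filtered to the firewall lines) and the DMZ host's access log; if `blocked_sources_seen_by_webserver` returns anything, a blocked client did reach the web server and the rule order on that box is worth a closer look.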