Geoblocking the Whole World (Blocked Sites)

I have both an M200 and M300 and am trying to import a CIDR list of the entire world besides a few countries. This text file is 13MB in size.

However, when doing this, the browser will time out before the Firebox will start processing the entries. I've tried 6 different browsers across 3 platforms and none will successfully upload the import text file. :(

Our goal is to block any IPs originating outside the country that we're in to avoid attacks. Any assistance appreciated.

Comments

  • 1) use the WG Geolocation feature
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/geo/geo_about_c.html
    2) use Policy Manager to do this, not the Web UI

  • Thank you as always Bruce. :)

    Unfortunately, we have to run an older version of Fireware to support some legacy equipment, so this feature is not available. Hence the manual block list. Any ideas on how to get it to work?

  • Have you tried using Policy Manager???

  • And what XTM version are you using?

  • I don't use policy manager, just the web ui. It's 11.10.4.B490278.

  • Obviously it does not work using the Web UI.
    It may work using Policy Manager, which is the only other option that I can suggest.

    Also notice this, from the latest Help:
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/intrusionprevention/blocked _sites_external_list_c.html

    For Fireboxes that run Fireware v11.12 or higher, the auto-block list can include a maximum of 1,000 IP addresses for T Series models and 8,000 IP addresses for M Series models. For Fireboxes that run lower versions of Fireware, the auto-block limit can include a maximum of 1,000 IP addresses for all Firebox models.

  • That 1000 limit might be the issue. I'll check the file and limit it and see what happens.

    If this is the case, what other methods could you think of that would end up with the same effect? A firewall rule perhaps?

  • I'm sure that there is a limit to the size of an Alias list too. No idea what the limit it.
    Perhaps multiple Aliases....

    Any reason that you need to block all of these IP subnets?

  • How would I use an Alias list? Set up the Alias with all the blocked IPs and then exclude that? Or another way?

    I'm just tired of seeing the the attempted exploits in traffic monitor from around the globe. It's sad that the government just doesn't stop this traffic as it has no legitimate reason to even be here 99% of the time. I know it won't eliminate the spoofers and whatnot, but it sure will stop the 'trying to find open doors/incorrect settings' people.

  • Any packet filter From: alias name(s) To: Any
    Set the the policy to Denied, and have the policy at the top of the policy list

    Get the 1st 1000 IP subnet & add that to your Blocked Sites list.
    Then with the remainder, set up 1 or more aliases.

    As an alternative, you can add entries to Blocked Ports to block external access via them:
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/intrusionprevention/block_ports_use_c.html

    I have a few policies which block incoming access to selected ports & the IP addrs end up on the temp blocked sites list. Examples are SSH & Telnet. Mostly I have these for amusement as these would be blocked anyway, but these do also stop port scanners for a while. Using the policy method I can easily see why the IP addrs are on the Blocked Sites list in FSM or the Web UI

  • Thank you! I'll check it out when I get a chance. :)

    As you mentioned the ports are already blocked, but it would be nice for them to get onto the blocked sites list automatically. Hmmm...in fact I have an idea--can I simply put all the ports we don't use on the blocked port list and have the firebox automatically add bad IPs to the blocked sites list? It's more work for the firebox than I would like as I'd rather those packets never even get past the external interface, but would be a nice setup.

    One other thing I was thinking was to put in a range of IPs for the entire Internet in Blocked Sites and have my country whitelisted--but I'm not sure how large that whitelist would be. Another thing to try?

    Thank you for the great ideas and suggestions.

  • "It's more work for the firebox than I would like as I'd rather those packets never even get past the external interface"

    If you have a user created policy blocking incoming packets or you use a WG facility - such as Blocked Sites or Blocked Ports, the load is not significantly different.

    Q. can I simply put all the ports we don't use on the blocked port list and have the firebox automatically add bad IPs to the blocked sites list?
    A. yes - that is an option on the Blocked Ports page

    No idea about the length of the US or whatever country you want to allow subnet list.
    I use Geolocation, so I don't need to even think about another solution.

    What is the legacy equipment issue?

  • Good to know. Ah yes, I just saw that nice little checkbox--sounds like a fun option to enable and watch. :)

    Geolocation sounds pretty nice. It's good to see it as an option. :)

    I wouldn't want to post it publicly, but feel free to message me. :)

    Yep, our current project will hopefully finish in the next year or so (we've been saying this for years now though. :() Once it does, I hardly think we'll need this type of routing power--as if we really need it now, lol. It's truly amazing how powerful the equipment you have is when you can't even stress the cpu no matter what you throw at it. :smiley:

  • I did this in the days before the Geolocation feature and I had to use the CLI and I had to break the list into chunks or the Firebox (I don't remember which model) would choke to death on the import. Import a chunk, save, import more.

    Gregg Hill

  • To be clear, when I did it, I was just using the IPs on the DROP list (https://www.spamhaus.org/drop), and not "the whole world."

    Gregg Hill

  • An easier way is to have an allow list so only those networking addresses that matched your country AND those needed to sustain life on the WatchGuard and the server environment are added to the Alias.. It will be a MUCH smaller list than the "rest of the world" To work, you have this policy with the Alias above another any-trusted to any-external policy that is sent to deny.

    Adrian from Australia

  • Also note that various things are hosted in different countries.
    I recently had a Microsoft access denied because the IP addr was in Hong Kong.
    Google hosts a bunch of things in Ireland.
    So you will probably need to undo your specific blocks or add additional allowed IP addrs to address these unexpected sites hosted in other countries.

  • @Greggmh123 said:
    To be clear, when I did it, I was just using the IPs on the DROP list (https://www.spamhaus.org/drop), and not "the whole world."

    Gotcha. Thank you for the detailed information. I haven't tried to feed the firebox smaller chunks, but will try that as well.

  • @xxup said:
    An easier way is to have an allow list so only those networking addresses that matched your country AND those needed to sustain life on the WatchGuard and the server environment are added to the Alias.. It will be a MUCH smaller list than the "rest of the world" To work, you have this policy with the Alias above another any-trusted to any-external policy that is sent to deny.

    Interesting. I think I'm understanding the concept, but would you mind giving an example so I know I've got it?

  • Create 1 or more aliases with the IP subnets that you want to allow.
    Then on your incoming policies - From: your aliases
    Access from IP addrs not in your aliases will be denied as an unhandled external packet.

  • Thank you! Seems quite easy. :)

Sign In to comment.