03-12-2013 11:25 AM
Riddle me this…
We have issues with malicious traffic coming from Open Proxies, Known Bad Hosts, etc.
Is there such a thing as an all-IP, realtime blacklist for firewalls? There are certain external servers I don't want to be accessible by known bad networks.
I’d love to write a rule like this:
Source = RBL-or-Block-of-BAD-IPs-maintained-by-someone-else Destination=Important Server Action=Drop
And no, I don’t want to buy a million dollar IPS. Isn’t there something in the Linux world called IP Tables?
Justin
03-12-2013 11:36 AM
I'll try to find a firewall specific realtime black list, but funny you should mention this, in PANOS 5.0 Palo Alto added something called "Dynamic Block Lists" that do exactly what you describe.
03-12-2013 11:56 AM
That is cool. I would assume this works with the SpamHaus "DROP" (Don't Route Or Peer) list. For sure an idea whose time has come. I'd also like to put in all TOR endpoints.
03-12-2013 12:12 PM
Here's an example of a block list... SANS' DShield has a Recommended Block List. I figured the list would be a bit bigger and more comprehensive though, honestly:
http://feeds.dshield.org/block.txt
# This list summarized the top 20 attacking class C (/24) subnets
# over the last three days. The number of 'attacks' indicates the
# number of targets reporting scans from this subnet.
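An added example, not part of the original thread: a feed like the one above has to be reduced to plain CIDR entries before a firewall can use it as the source of a drop rule. The sketch assumes a tab-separated layout (Start, End, Netmask, then further columns), which the thread does not show; the sample data, `feed_to_cidrs` and its parameters are constructed for illustration.

```python
import ipaddress

# Constructed sample, not real feed data. Assumed layout: tab-separated
# Start, End, Netmask, Attacks, Name, Country, email.
SAMPLE_FEED = (
    "# constructed sample using documentation address ranges\n"
    "Start\tEnd\tNetmask\tAttacks\tName\tCountry\temail\n"
    "203.0.113.0\t203.0.113.255\t24\t700\tEXAMPLE2\tZZ\tabuse@example.org\n"
    "192.0.2.0\t192.0.2.255\t24\t1500\tEXAMPLE-NET\tZZ\tabuse@example.net\n"
    "198.51.100.0\t198.51.100.255\t24\t900\t\t\t\n"
    "10.1.2.0\t10.1.2.255\t24\t50\tINTERNAL\tZZ\t\n"
    "not-an-ip\tgarbage\t24\t1\n"
    "0.0.0.0\t255.255.255.255\t0\t9999\tTOO-BROAD\tZZ\t\n"
)

# Ranges that must never land in a block list (RFC 1918 and loopback).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def feed_to_cidrs(text, min_prefix=16, allow=()):
    """Return sorted, de-duplicated CIDR strings that are safe to block.

    min_prefix rejects entries broader than /min_prefix, so one bad feed
    line cannot block half the Internet; allow lists the operator's own
    or partner networks, and any feed entry overlapping them is dropped.
    """
    protected = NEVER_BLOCK + [ipaddress.ip_network(a) for a in allow]
    nets = set()
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # blank line or feed comment
        fields = line.split("\t")
        if len(fields) < 3:
            continue
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[2]}")
        except ValueError:
            continue  # column header row or malformed entry
        if net.prefixlen < min_prefix:
            continue  # suspiciously broad
        if any(net.overlaps(p) for p in protected):
            continue  # would block internal or allow-listed hosts
        nets.add(net)
    return [str(n) for n in sorted(nets)]


if __name__ == "__main__":
    print("\n".join(feed_to_cidrs(SAMPLE_FEED, allow=("198.51.100.7/32",))))
```

The output is one CIDR per line, which can be published as a text file for the firewall to poll or loaded into a local set; the sanity filters matter because the list is maintained by someone else and is applied with a drop action.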