Hello, I have a problem.
Basically I have an IP connecting from one of my devices (it appears in: OPNsense panel > Reporting > Traffic).
I created an alias (blockhacker-alias) with the IP range 200.1.1.1-200.225.225.225 (I want to block every IP set coming from it).
Then I went to Firewall > Rules > WAN > LAN and created the block ruleset for in and out rules using that alias.
I also went to Firewall > Rules > Floating (floating does not depend on any interface, so you can apply any ruleset to any interface using floating rules).
I created the block ruleset with the alias I created previously, saved, and applied all the rules.
Despite that, the IP 200.1.1.1 (it is a weird IP) is still appearing in the OPNsense panel under Reporting > Traffic.
What can I do to effectively block this IP range? Suricata does nothing (the IP still connects).
I need to block it because it is a RAT virus pinging home or stealing data.
Thank you.
SCREENSHOTS HERE:
https://imgur.com/a/UGolBcy
I wonder what range you really want to capture with the expression 200.1.1.1-200.225.225.225?
All addresses starting with 200 are either 200.0.0.0/24 as a network definition or 200.0.0.0-200.255.255.255 as an IP range. I'm not quite sure what OPNsense will make out of yours.
HTH,
Patrick
Long story short, those IP addresses are from my ISP carrier, and somehow it looks like someone from other IPs from the same carrier is connecting to my mobile device...
The true IP addresses are in the screenshot; I typed 200.x.x.x as an example for security reasons.
But yes, the range is /24.
As the docs state, 200.1.1.1-200.225.225.225 should work for HOSTS, but maybe not for NETWORKS.
You also should kill states after applying deny rules.
Again: what is 172.1.1.1 - 172.224.224.224 supposed to achieve? That is not how IP addressing works.
172.0.0.0-172.255.255.255 or 172.0.0.0/8
Quote from: pmhausen on December 08, 2022, 11:42:38 AM
Again: what is 172.1.1.1 - 172.224.224.224 supposed to achieve? That is not how IP addressing works.
172.0.0.0-172.255.255.255 or 172.0.0.0/8
I'm a newbie... googled a lot... YouTubed a lot... found nothing. I am just trying to apply the range... from 172.0.0.0 to all the IPs so I can kick those remote administration tools....
Quote from: tiermutter on December 08, 2022, 11:16:14 AM
As the docs state, 200.1.1.1-200.225.225.225 should work for HOSTS, but maybe not for NETWORKS.
You also should kill states after applying deny rules.
Here are the rules, please let me know if I am doing something wrong... thanks
https://imgur.com/a/NUy0IWJ
1: floating rules config
2: rule config detailed (it shows the subnet mask, so it should block all the IP range from 172.0.0.0 to /32 -> everything else)
Am I wrong? Why is it not blocking it?
I am concerned because the IP is from my same carrier and it is like someone trying to MITM (the hostname says "google video", but there is no Google in my country (it is banned), and it is VERY suspicious for a local IP from my internet service provider to have that name, implying it is a residential IP and not a legit Google....