Firewall not blocking ip address range despite creating rules for it

Started by guest35930, December 08, 2022, 02:50:50 AM

Hello, I have a problem.

Basically I have an IP connecting from one of my devices (it appears in OPNsense panel > Reporting > Traffic).

I created an alias (blockhacker-alias) with the IP range 200.1.1.1-200.225.225.225 (I want to block every IP set coming from it).

Then I went to Firewall > Rules > WAN > LAN and created the block ruleset for in and out rules using that alias.

I also went to Firewall > Rules > Floating (floating does not depend on any interface, so you can massively apply any ruleset for any interface using floating rules).

I created the block ruleset with the alias I created previously, then saved and applied all the rules.

And despite that, the IP 200.1.1.1 (it is a weird IP) is still appearing in OPNsense panel Reporting > Traffic.

What can I do to effectively block such an IP range? Suricata does nothing (the IP still connects).

I need to block it because it is a RAT virus pinging home or stealing data.

Thank you.

Can you post screenshots of the logs in question that led you to believe this was an issue and also post screenshots of the rules please.

Thank you!

It is an issue because I need to block that IP range (it's a virus) and it is not working; somehow the IP is not getting blocked.

Please help me, I am trying to protect myself against some bad people.


Long story short, those IP addresses are from my ISP carrier, and somehow it looks like someone from other IPs from the same carrier is connecting to my mobile device...

The true IP addresses are in the screenshot; I typed 200.x.x.x as an example for security reasons.


Your block rules should be at the top of your rule set.

Rules are done in order from top to bottom. Block rules should be before accept rules unless the accept rule needs to trigger before a block rule.

I hope that makes sense.

All the block rules are on top, so they have priority above others...

However, should I use the first match or not?

Quote from: slackadelic on December 08, 2022, 02:02:32 PM
Your block rules should be at the top of your rule set.

Rules are done in order from top to bottom. Block rules should be before accept rules unless the accept rule needs to trigger before a block rule.

I hope that makes sense.

Here are the rules, please let me know if I am doing something wrong... thanks

https://imgur.com/a/NUy0IWJ

1: floating rules config
2: rule config detailed (it shows the subnet mask, so it should block all the IP range from 172.0.0.0 to /32 -> everything the rest)

Am I wrong? Why is it not blocking it?

I am concerned because the IP is from my same carrier and it is like someone is trying to MITM (the hostname says "google video" but there is no Google in my country (it is banned), and it is VERY suspicious for a local IP from my internet service provider to have that name, implying it is a residential IP and not a legit Google)....

If someone can help me... I'll be thankful.
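
Added example, not part of the thread and not OPNsense code: a simplified Python model of pf-style rule evaluation covering the two questions raised above, whether "first match" (the Quick option on a rule) matters and what a /32 mask covers. The tested source addresses, the helper names `range_to_cidrs` and `evaluate`, and the default-deny fallback are assumptions made for illustration.

```python
import ipaddress

def range_to_cidrs(first, last):
    """Expand an inclusive first-last range into the exact list of CIDR networks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def evaluate(rules, src, default="block"):
    """Simplified pf-style evaluation (assumed model, not the real packet filter).

    rules: ordered list of (action, networks, quick).
    A matching quick rule ends evaluation at once (first match wins);
    without quick, later matching rules override it (last match wins).
    """
    addr = ipaddress.ip_address(src)
    verdict = default  # assumption: default deny when nothing matches
    for action, networks, quick in rules:
        if any(addr in net for net in networks):
            verdict = action
            if quick:
                break
    return verdict

ANY = [ipaddress.ip_network("0.0.0.0/0")]
# Placeholder range as typed in the thread, expanded to CIDR blocks.
ALIAS = range_to_cidrs("200.1.1.1", "200.225.225.225")
# A /32 mask describes exactly one address, not a range.
SINGLE = [ipaddress.ip_network("172.0.0.0/32")]

def demo():
    pass_all = ("pass", ANY, False)
    inside = "200.50.0.9"  # constructed address inside the alias range
    return {
        # Block on top with quick: the later pass rule is never reached.
        "quick_block": evaluate([("block", ALIAS, True), pass_all], inside),
        # Block on top without quick: the later pass rule wins.
        "non_quick_block": evaluate([("block", ALIAS, False), pass_all], inside),
        # 172.0.0.0/32 matches only 172.0.0.0 itself.
        "slash32_exact": evaluate([("block", SINGLE, True), pass_all], "172.0.0.0"),
        "slash32_neighbour": evaluate([("block", SINGLE, True), pass_all], "172.0.0.1"),
    }

if __name__ == "__main__":
    print(len(ALIAS), "CIDR blocks cover the alias range")
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```
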