[Dshield] Blocking Country Access

Scott Melnick duckie37 at gmail.com
Tue Feb 20 20:38:03 GMT 2007


Pix does not support CIDRs to my knowledge. I don't know if the 7.0
version does or not. But here is what you do. I don't know if your
SonicWall supports a command line interface or if it's all GUI.

Take the IP country list you want and put it in a spreadsheet.
Make a macro to find and replace all the /CIDR values with their
netmask numbers (or reverse netmask depending on your device).
Example:

x.x.x.x/12
Replace all the /12's with <space> 255.240.0.0
and then you get x.x.x.x 255.240.0.0 on all the lines that have /12.
Repeat with all the other /CIDR values. That's why you save it as a
macro: because you will need to do 10-30 and you don't want to do a
search and replace every time you update the list, over and over again
for 20 different CIDRs.

Create a new column before that with the syntax of your firewall and
maybe a column after that as well. Copy and paste the whole thing into
your command interface on your device.
Example with 2 new columns, say for a PIX blocking SMTP to any server
in your network.

Column A = access-list outside_access_in deny tcp
Column B = all your IPs plus converted CIDRs
Column C = any eq 25 (or host <your mail server here>)

Then you get hundreds of lines that look like this.

access-list outside_access_in deny tcp x.x.x.x 255.240.0.0 any eq 25


Good luck.

Scott Melnick
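The spreadsheet-and-macro procedure above, done as a script instead. This is an added example, not code from the list post or from any firewall vendor: it reads a country list in either format such lists offer (CIDR block or first-last range), converts each block to the PIX "network netmask" pair (or the reverse/wildcard mask for devices that want it), and emits one access-list line per block. A first-last range is summarized into exactly the CIDR blocks it covers, which is what keeps a range like the one Dave worried about from turning into one over-broad rule. The sample list, rule prefix and suffix are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in both formats a country list offers (CIDR blocks and
# first-last ranges); documentation/private ranges, not a real allocation.
SAMPLE_LIST = """
# comment lines and blanks are ignored
172.16.0.0/12
192.0.2.0/24
198.51.100.0 - 198.51.100.127
203.0.113.9 - 203.0.113.14
"""

_RANGE = re.compile(r"^\s*(\S+)\s*-\s*(\S+)\s*$")


def parse_entry(line: str) -> list[ipaddress.IPv4Network]:
    """One list line -> network blocks. A first-last range is summarized into
    the minimal exact set of CIDR blocks, so an unaligned range never becomes
    an over-broad rule; malformed lines raise ValueError rather than a rule."""
    m = _RANGE.match(line)
    if m:
        first, last = (ipaddress.ip_address(x) for x in m.groups())
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(line.strip())]  # strict: host bits must be 0


def to_netmask(net: ipaddress.IPv4Network) -> str:
    """PIX-style 'network netmask' pair, e.g. /12 -> 255.240.0.0."""
    return f"{net.network_address} {net.netmask}"


def to_wildcard(net: ipaddress.IPv4Network) -> str:
    """IOS-style 'network wildcard' pair (the 'reverse netmask')."""
    return f"{net.network_address} {net.hostmask}"


def build_acl(list_text: str, prefix: str, suffix: str, wildcard: bool = False) -> list[str]:
    """Column A + converted address + column C, one rule per network block."""
    conv = to_wildcard if wildcard else to_netmask
    rules = []
    for raw in list_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rules.extend(f"{prefix} {conv(net)} {suffix}" for net in parse_entry(line))
    return rules

if __name__ == "__main__":
    print("\n".join(build_acl(SAMPLE_LIST, "access-list outside_access_in deny tcp", "any eq 25")))
```

Because `ip_network` is strict, a list line with host bits set (a typo such as 192.0.2.5/24) stops the run instead of quietly becoming a rule, so the list is validated before anything is pasted into the device.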


On 2/20/07, Dave Hatz <davehatz at hatzventures.org> wrote:
> Scott,
> That is exactly what I was looking for.  Looks like I have a lot of typing
> to do, our SonicWall is an older model and doesn't support CIDRs.  We are
> looking to upgrade our firewall to a PIX and I was told they do support
> CIDRs.
>
> Thank you very much for your help.
> Dave
>
> -----Original Message-----
> From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
> On Behalf Of Scott Melnick
> Sent: Tuesday, February 20, 2007 10:48 AM
> To: General DShield Discussion List
> Subject: Re: [Dshield] Blocking Country Access
>
> Dave,
>
> This might be what you're looking for. You can download any country you need
> from this list. It lists it in 2 ways. The CIDR for China and the IP range.
> Depending on your firewall you may have to put it in a spreadsheet first and
> convert the CIDR numbers into /network numbers. If your firewall takes
> CIDRs then no problem.
>
> Also keep in mind, China doesn't cover Hong Kong, Taiwan, etc...
> You'll have to grab the ones for them as well. You also will have to update
> your firewall rules periodically as net numbers change.
>
> http://www.completewhois.com/statistics/data/ips-bycountry/rirstats/
>
>
> Cheers,
> Scott Melnick
>
>
> > -----Original Message-----
> > From: list-bounces at lists.dshield.org [mailto:list-
> > bounces at lists.dshield.org] On Behalf Of Dave Hatz
> > Sent: Tuesday, February 20, 2007 1:09 PM
> > To: 'General DShield Discussion List'
> > Subject: Re: [Dshield] Blocking Country Access
> >
> > Johannes, Frank and Kevin,
> > Thank you all for the responses and links.  I am not a security expert by
> > any means, I subscribe to this list to learn from the experts in the
> > industry such as yourselves.  I come from a small shop where I have to
> > wear many different hats, so I apologize up front if these questions
> > are too basic for this list.
> >
> > These country IP lists are extremely detailed.  I was hoping for a list of
> > IPs that is more basic.  For example, we are getting hit really hard with
> > attacks on our mail server from China.  I would like to go into our set of
> > rules on our SonicWall and say, I don't want anything coming into our
> > network from China.  I need to enter the IPs into our access list and deny
> > them.  So, I was hoping to do something like this, deny all 58.0.0.0 through
> > 58.255.255.255.  But, in looking at the list of Country IPs, if I do
> > something like that, I could be blocking more than just traffic from
> > China.
> > So my question is, can I put in an IP range that would block all of China,
> > and other countries for that matter?
> >
> > Thanks again...
> > Dave Hatz
> >
> > -----Original Message-----
> > From: list-bounces at lists.dshield.org [mailto:list-
> > bounces at lists.dshield.org] On Behalf Of Johannes B. Ullrich
> > Sent: Tuesday, February 20, 2007 9:28 AM
> > To: General DShield Discussion List
> > Subject: Re: [Dshield] Blocking Country Access
> >
> > Dave Hatz wrote:
> > > I am trying to find information on how to block countries from our
> > > networks.
> > > I remember seeing lists that contain the IP addresses for the countries.
> > > Can someone please point me in the right direction on where I can
> > > obtain a list of the country IP address so we can block them.
> >
> > You can try http://isc.sans.org/countrylookup.txt . It's based on the list
> > I use to look up countries.
> >
> > Not perfect... here is a list of country lookup URLs I keep around. Some
> > allow you to download their database:
> >
> > http://www.hostip.info
> > http://www.ip2location.com/free.asp
> > http://www.geobytes.com/GeoSelect.htm
> > http://www.maxmind.com
> > http://ip-to-country.webhosting.info
> >
> >
> >
> > >
> > > Thanks,
> > > Dave Hatz
> > >
> > >
> > > _________________________________________
> > >
> > > SANS 2007 March 29 - April 6 in San Diego, CA offers 52 Courses
> taught
> > > by our top rated instructors plus a huge vendor tools expo.
> > > Register Today! http://www.sans.org/info/2501 (BROCHURECODE: ISC)
> > >
> >
> >
> > --
> > ---------
> > Johannes Ullrich                        http://isc.sans.org
> >
> > PGP Key: https://secure.dshield.org/PGPKEYS
> >
> >
>
>