  #1 Master Untangler (joined Apr 2010, 109 posts)

    Firewall improvements - Geoblocking

    Will Untangle firewall ever get a proper geo-blocking like on many other firewalls (Sonicwall, pfSense etc)? There have been several cases where I have had a need to quickly limit traffic from a certain countries. At the moment it is pretty much impossible with Untangle as even copy and paste of large text blocks of ip addresses into the tiny form fields is pretty hard to do.

    Untangle should take a good hard look at how firewall and geo-blocking is done in pfSense.

  #2 Newbie (joined Oct 2013, 8 posts)

    Quote Originally Posted by MechanicalThinker:
    Will Untangle firewall ever get a proper geo-blocking like on many other firewalls (Sonicwall, pfSense etc)? There have been several cases where I have had a need to quickly limit traffic from a certain countries. At the moment it is pretty much impossible with Untangle as even copy and paste of large text blocks of ip addresses into the tiny form fields is pretty hard to do.

    Untangle should take a good hard look at how firewall and geo-blocking is done in pfSense.
    I 2nd you on this. One of the things I miss most with pfSense & Sophos is the ability to block countries; Sophos allows you to block by inbound, outbound or all. Another thing: be careful when you're copying and pasting large text blocks of IP addresses into the tiny form fields, because adding IPs this way is limited to 32KB in size. Anything more than that and you need to export the firewall rules, edit them in a text editor and re-import them into Untangle. Have a look at this thread: http://community.spiceworks.com/how_...s-for-untangle

    PLEASE add support for this, I love Untangle but we should not have to jump through hoops to get things like this done.
    Last edited by Mr Fixit; 12-21-2014 at 06:33 AM.

  #3 Untangle Ninja sky-knight (Phoenix, AZ; joined Apr 2008, 25,251 posts)

    http://bugzilla.untangle.com/enter_b...oduct=Firewall

    File an enhancement request

    However, I don't want to see this feature. The Internet just doesn't work this way, and these "features" cause more problems than they are worth. I'd rather see Untangle switch to a block all logic for everything, it'd make more sense. It would also suck.

    Use Web Filter, and turn on the malware category. You get a dynamically updated, proactive filtration system that doesn't break half the Internet because you're paranoid of what's coming out of China and Romania.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  #4 Master Untangler (joined Apr 2010, 109 posts)

    There are several cases where geoblocking has tremendous value and where Web Filter does not cut it. That's why all the advanced firewalls tend to implement it. For example, I discovered a brute force attack in progress from IPs belonging to a certain country. Unfortunately Untangle proved pretty much useless at stopping this attack as there were many IPs that needed to be blocked. They also kept changing. But they were still from one country. In the end I blocked the country at the web server level as this was just much easier. Not an optimal solution though. In the end I wished I was using pfSense.

    It's also perfectly reasonable to block certain countries that just do not have any business accessing the resources.

    By no means is geoblocking a completely bulletproof solution, but it does help to mitigate the risk. That's why a geoblocking option that would use externally managed and constantly updated country IP ranges, like pfSense or Sonicwall do, is a must.

  #5 Untangle Ninja sky-knight (Phoenix, AZ; joined Apr 2008, 25,251 posts)

    Brute force attack against what? The service you're implementing should have lockout and brute force controls built in.

    For the rest, there's VPN.

  #6 Newbie (joined Oct 2013, 8 posts)

    Quote Originally Posted by sky-knight:
    Brute force attack against what? The service you're implementing should have lockout and brute force controls built in.

    For the rest, there's VPN.
    Right, it's attitude like this that's turned me off of Untangle. We all have our reasons for wanting & doing things the way we do them, & this is one thing that many of us want and feel we need. Many other firewall solutions like pfSense, Sophos, and others have this built in and make it easy for us to leverage. sky-knight, you may not think or agree with what we are saying, but if the customer wants it then we should have it... Period.

  #7 Master Untangler (joined Apr 2010, 109 posts)

    Quote Originally Posted by sky-knight:
    Brute force attack against what? The service you're implementing should have lockout and brute force controls built in.

    For the rest, there's VPN.
    "Should" would of course be nice, but in reality there are plenty of things that do not have that kind of functionality. And that's the problem. Geoblocking also helps to avoid random mass hack attempts that tend to originate mostly from certain countries. And like I said, I do not think it is a foolproof method, but it definitely does help to mitigate some of the risks. That is why many of the main players in the firewall market have that functionality.

  #8 Untangle Ninja sky-knight (Phoenix, AZ; joined Apr 2008, 25,251 posts)

    The US is the source of most cyber warfare, the idea that China and India are the source is incomplete.

    China and Indonesia may be origination points, but the process of port scanning, brute forcing, etc. is completely automated. These tasks are performed by botnets that work globally.

    In short, if you're online you're at risk. Geoblocking does NOTHING to improve your security situation. All it does is create a new slew of problems. If an IT professional is using this feature, he's simply making more work for himself in the future. A process that has been creatively, and unethically used by many "professionals" for "job security". We've all known these people, some of us might even be guilty of doing this from time to time. In the past, when things were more primitive it did have some value, that time has come and gone. Things are more complex now, we need to adapt our tools.

    Finally, saying Untangle should have a feature because other products have it is just absurd. Need I bring up the age old axiom about friends and cliffs and/or bridges our parents used on us when we were kids? Features require development, and to justify that development a value must be established. There is no technical value in GeoIP control. There is technical value in GeoIP identification. But even that value is minimal, it's mostly a curiosity thing, and helps the reports be read easier. Throwing in the "I'm the paying customer and I'm always right" bit is just infantile, and reads like a temper tantrum. Incidentally, directing it at me, who isn't an Untangle employee and has zero input on actual development priorities is equally silly.

    If you want to protect an RDP or IIS server from brute force, configure Group Policy for account lockouts.
    If you want to protect an SSH service on a Linux box, or an Apache service on the same, use fail2ban and denyhosts.

    The UTM can provide visibility into the origination of an attack, but increasingly as time advances the only thing that can properly defend a publicly exposed service, is the service itself. You cannot defend the indefensible, you can simply control who can access it. And, again if you need a given service to be limited to a trusted set of users, that's what VPN is for.
    Last edited by sky-knight; 01-04-2015 at 01:50 PM.
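As an added illustration of the trade-off argued across posts #4, #7 and #8 (this is example code, not from the thread, from Untangle or from fail2ban), the following Python runs a fail2ban-style per-IP failure threshold over constructed sshd log lines and separately tallies failures per country from a constructed CIDR table. The country codes, ranges and log lines are placeholders, not real GeoIP data or real traffic.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed country -> CIDR table (hypothetical codes and documentation
# ranges, standing in for an externally maintained GeoIP feed).
COUNTRY_RANGES = {
    "AA": [ipaddress.ip_network("203.0.113.0/24")],
    "BB": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed sshd lines in the style of /var/log/auth.log: three single
# attempts from distinct IPs in country AA, three attempts from one IP in BB,
# and one legitimate key login.
SAMPLE_LOG = """\
Jan  4 13:50:01 gw sshd[2001]: Failed password for root from 203.0.113.10 port 51000 ssh2
Jan  4 13:50:02 gw sshd[2002]: Failed password for root from 203.0.113.11 port 51001 ssh2
Jan  4 13:50:03 gw sshd[2003]: Failed password for invalid user admin from 203.0.113.12 port 51002 ssh2
Jan  4 13:50:04 gw sshd[2004]: Failed password for root from 198.51.100.5 port 51003 ssh2
Jan  4 13:50:05 gw sshd[2005]: Failed password for root from 198.51.100.5 port 51004 ssh2
Jan  4 13:50:06 gw sshd[2006]: Failed password for root from 198.51.100.5 port 51005 ssh2
Jan  4 13:50:07 gw sshd[2007]: Accepted publickey for ops from 192.0.2.7 port 51006 ssh2
"""

FAILED_RE = re.compile(r"Failed password for .* from (\S+) port")


def country_of(ip):
    """Map an address to a country code via the CIDR table ('??' if unknown)."""
    addr = ipaddress.ip_address(ip)
    for country, nets in COUNTRY_RANGES.items():
        if any(addr in n for n in nets):
            return country
    return "??"


def failed_by_ip(log_text):
    """Count failed password attempts per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def ban_candidates(log_text, threshold=3):
    """fail2ban-style control: IPs at or over the threshold, origin ignored."""
    return sorted(ip for ip, n in failed_by_ip(log_text).items() if n >= threshold)


def failures_by_country(log_text):
    """GeoIP identification for reporting: failures aggregated per country."""
    by_country = defaultdict(int)
    for ip, n in failed_by_ip(log_text).items():
        by_country[country_of(ip)] += n
    return dict(by_country)
```

The per-IP threshold catches the single host hammering from BB but sees only one attempt per address from AA, while the per-country tally makes the distributed pattern from AA visible in a report.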
