Firewall: Bulk Pasting List of IP or IP Networks & Geolocation Blocking


#1

We are constantly seeing unauthorized IPs making attempts at connecting to servers which they should not have access to. 99% of the time the country of origin is outside the USA. We would like to block certain countries from being able to connect for specific ports while still giving them access to general ports such as port 80 etc. Although we can create inbound firewall rules that will block the IP, the problem we are facing is that some countries have over 100+ IP network blocks, and to create 1 rule at a time per IP network block will take too much time, not to mention being too difficult to maintain.

Is there any way to add an option to paste a list of IPs or IP networks into a text box type field upon creating a rule, which in turn would apply to all IPs pasted into the box? Below is an example of a list of IP blocks we would want to block; of course the real list is 100x larger, so creating 1 rule at a time will simply take too long. Any suggestions? Perhaps this feature can be added, or perhaps I can send Peplink a list of IP blocks I want to block and have your team create a script that I can run to turn them on, off etc…

Finally, perhaps you can also add an option to block by country through a Geolocation database.



#2

Ummm… it would definitely save much time if the Balance firewall allowed importing a list of IP subsets in this IP/subnet format. Anyone else want this?


#3

I also would like this feature to be added. Also, it would be nice if you could create a rule containing a list of non-sequential port numbers so you wouldn’t have to create a new rule for each port (e.g., TCP 80, TCP 8080, TCP 8090). In which case a port range doesn’t work.


#4

Oh man, I could really use this! It would be really great if I could define, within a single UI of the firewall page, a list of source subnets, a list of destination subnets, and a list of ports … I’m converting over a legacy segmented network and for the first phase of the project need to replicate the previous policy (90 lines of Cisco IOS access-lists) which have rules like this:

permit tcp x.x.x.x 0.0.255.255 x.x.x.x 0.0.0.31 eq 22 smtp 389 636 873 3389

… it’s going to take a long while to input it all into the Peplink UI …

Update: - I will beta test a firmware with this feature added!
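The conversion described in post #4, as an added example that is not part of the original thread or Peplink's tooling: it expands one IOS-style `permit tcp ... eq` line into per-port rows with CIDR subnets, the form a one-port-per-rule UI needs. The sample addresses are constructed (the post masks the real ones), the keyword table is a partial subset, and only the `addr wildcard` form is handled, not `host` or `any`.

```python
import ipaddress

# Partial table of Cisco IOS TCP port keywords; extend for the ACL being converted.
IOS_TCP_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53,
                 "www": 80, "pop3": 110}

def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair to a CIDR network."""
    wc = int(ipaddress.IPv4Address(wildcard))
    # A wildcard maps to a prefix only if it is 2**n - 1 (ones packed on the right).
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} has no CIDR equivalent")
    prefix = 32 - wc.bit_length()
    # Clear the "don't care" bits so stray host bits never reach the rule.
    base = int(ipaddress.IPv4Address(addr)) & ~wc & 0xFFFFFFFF
    return ipaddress.IPv4Network((base, prefix))

def expand_acl_line(line):
    """Return one (action, proto, src_cidr, dst_cidr, port) tuple per listed port."""
    tok = line.split()
    if (len(tok) < 8 or tok[0] not in ("permit", "deny")
            or tok[1] != "tcp" or tok[6] != "eq"):
        raise ValueError(f"unsupported ACL form: {line!r}")
    src = wildcard_to_network(tok[2], tok[3])
    dst = wildcard_to_network(tok[4], tok[5])
    rules = []
    for name in tok[7:]:
        if name in IOS_TCP_NAMES:
            port = IOS_TCP_NAMES[name]
        elif name.isdigit() and 0 < int(name) < 65536:
            port = int(name)
        else:
            raise ValueError(f"unknown port keyword or value: {name!r}")
        rules.append((tok[0], tok[1], str(src), str(dst), port))
    return rules

# Constructed sample in the shape of the line quoted in the post.
SAMPLE = ("permit tcp 10.20.0.0 0.0.255.255 192.0.2.32 0.0.0.31 "
          "eq 22 smtp 389 636 873 3389")

if __name__ == "__main__":
    for rule in expand_acl_line(SAMPLE):
        print(",".join(str(field) for field in rule))
```

A wildcard such as 0.0.255.0 is rejected rather than approximated, because widening it to a prefix would permit more addresses than the original policy did.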


#5

Hi Kurt,

I have had several requests for this ability by my clients.

Mike


#6

Very happy to hear there is interest from others besides us. I’d like to clarify that, in addition to having the ability to bulk paste the list of IPs into the import box, I would hope that if this feature is added, each rule created that applies to the complete bulk list is its own rule, as opposed to having a bulk set of rules created for each line that was pasted into the import box. In other words, if the import box has 50 IPs, I would hope that the import box only makes 1 rule for all 50 as opposed to having 50 separate rules created during the import process. Otherwise future maintenance will be a difficult job.

In addition, perhaps there could also be the ability to add a check box next to each rule so that if more than 1 rule is selected we can do a bulk change. For example bulk disable rules, bulk enable etc…


#7

Makes sense. Goes hand in hand with bulk-import.


#8

Yes, there is interest here too.

Don’t like copying and pasting each time the geolocation list is updated, but it’s a start.

And when implemented as firewall rule with the ability to select port numbers, the Peplink implementation would be better than Sophos/Astaro UTM as their implementation in version 9.1 only seems to be able to block countries for all access (read: all ports at once).


#9

While on the topic of importing firewall rules, it will be great to export and import complete firewall rule sets. This will make it very easy to “copy and paste” rules between different routers. It happens a lot where a company has multiple Peplink routers with direct Internet breakouts, but the firewall rules must remain the same. It is very time consuming to update rules, one router at a time.


#10

This will be handy. Currently the firewall rules are backed up in the config file.


#11

And it would also be handy if lists of IP addresses/networks could be saved under an alias, where this alias can be re-used in different firewall rules. That stops the hassle of maintaining duplicate lists for, for instance, an allow for IMAPS and SMTPS ports, where both separate firewall rules could then be linked to the same group of IP addresses/networks.


#12

It would. But let’s not get too ahead of ourselves. You see, our core value is to provide unbreakable VPN over cellular and/or landlines.


#13

We never used the VPN. To us, the core for the PepLink Balance device is: multi-WAN + the built-in DNS server to distribute (read: Balance) traffic over these WAN interfaces.


#14

No problem. When you come across a need for an unbreakable VPN connection, you know we have a solution.


#15

Wanted to follow up to see if there were any plans to introduce this feature any time soon, or no plans at this time? Please recheck the original thread, there was a lot of demand for this feature.


#16

Kurt,

Is there any way your team can consider improving the firewall side of PepLink? We all fully understand that Peplink’s main focus as well as specialization is improving VPN/Balancing etc… however the firewall feature really lacks. The feature I’ve described should not be difficult to implement and I am confident it will help a lot of users. We are constantly seeing people outside the network making attempts at connecting to the network. As I’ve described in the beginning of this thread, if there was the ability to simply add the IP to a pre-made rule without having to constantly create new rules, it would eliminate having to constantly create a new rule and in turn clogging up the firewall list. As of today we already have over 50 (IPs) that have been blocked and the list is only growing day by day. If there were also ways to block by country / region (GEO location) it would be even better, as we could completely block off countries that should not have the ability to connect to X ports etc… Although Peplink’s focus is not on the firewall, I am confident that improvements on the firewall side of the unit will be of great benefit. As I am sure you realize, network security is of the highest concern for many companies, so honestly I only see a positive if the firewall is further improved. Either way, as always we are happy with the work you do and are simply pointing out a feature which I am sure many will be happy to have.



#18

Several years back I wrote about additional firewall enhancing features. While I fully understand that the Peplink Balance units are primarily designed as a balance appliance and this feature may not be on the top of the list, I did notice that many users besides ourselves had expressed interest in a better built-in firewall. One that can allow us to easily block IPs by country (GEO), creating bulk IP rules, bulk change… I wanted to bring this request back into the spotlight to make sure it’s not forgotten about, as I feel many will greatly benefit from a stronger firewall system without having to purchase a separate appliance. If anyone else has additional suggestions please show your support.


#19

This would be awesome! +1 here.


#20

DNSBL, anyone? For the rest, +1 as well from me.