Geo Block Firewall Settings - help!


Hello - I have a DS415+ - latest - DSM 6.2.4-25556 - everything up to date.

I've been getting login attempts on my mail (plus) server. They appear to be coming from Bulgaria according to WHOIS 5.188.206.xxx - a traceroute leaves me hanging somewhere around Amsterdam.

My Configuration:
* enabled the firewall, allowed local private IPs and my static IPs (.248) from the ISP.
* created a rule to allow Germany to mail server since I use a mail server there for notifications, etc.
* created a rule to allow the United States and Minor Outlying access to several services (mail, dns, calendar, VPN, etc.)
* Finally I've created a rule to deny all ports, all protocols to all IPs
* created a rule to deny all on the 1st LAN (my public facing interface) should anything get past the All Interfaces settings.

All-Screenshot at 2021-07-27 12-29-56.png

LAN1 - DENY if no rules match.
LAN1-Screenshot at 2021-07-27 12-17-47.png

My firewall rules are NOT stopping the login attempts. I do have Auto-Block enabled, so after a couple of tries they have to get another IP address. This hacker apparently has the entire class C to use as they continue to try new IP addresses to get in.

What could be the problem with my configuration?
Thank you for your help!
ulyly
 
If you know the class C you could put a rule to deny it. I’d then place this rule low on the policy and gradually move it up until you find when attempts stop. That’ll show which rule isn’t working. Then leave it there.

For the Germany-based mail notifications what I would look to do is limit this rule to just the IP range of its servers, not the whole of Germany.

Having a router with a properly definable firewall policy should help. Better if it has hit counters on rules… or a log of activity!
 
Upvote 0
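Added example, not part of any post in this thread: a minimal first-match rule evaluator in Python that mimics the "move a deny rule up the policy" tip and the per-rule hit counters suggested above. The rule names, ports, documentation-range addresses and the geo table are constructed assumptions; the geo table deliberately places the probed /24 in an allowed country so the walk has something to find, which the thread does not establish as the cause.

```python
import ipaddress
from collections import Counter

# Constructed geo table (assumption): what the firewall's own country database
# says, which can differ from WHOIS. Both /24s are documentation ranges.
GEO = {ipaddress.ip_network("203.0.113.0/24"): "DE",
       ipaddress.ip_network("198.51.100.0/24"): "US"}

# Constructed policy modelled on the list in the first post: (name, src, ports, action)
RULES = [
    ("allow-local", "192.168.0.0/16", "all", "allow"),
    ("allow-DE-mail", "geo:DE", {25, 465, 587, 993}, "allow"),
    ("allow-US-services", "geo:US", {25, 53, 443, 993, 1194}, "allow"),
    ("deny-all", "any", "all", "deny"),
]

def country(ip):
    return next((cc for net, cc in GEO.items() if ip in net), "??")

def src_matches(src, ip):
    """src is 'any', 'geo:CC' or a CIDR string."""
    if src == "any":
        return True
    if src.startswith("geo:"):
        return country(ip) == src[4:]
    return ip in ipaddress.ip_network(src)

def evaluate(rules, ip, port, hits=None):
    """First matching rule wins. Returns (rule name, action)."""
    ip = ipaddress.ip_address(ip)
    for name, src, ports, action in rules:
        if src_matches(src, ip) and (ports == "all" or port in ports):
            if hits is not None:
                hits[name] += 1  # per-rule hit counter
            return name, action
    return "implicit", "deny"

def find_admitting_rule(rules, probe_net, ip, port):
    """Put a deny for probe_net at the bottom and move it up one slot at a time.
    The rule it has just moved above when the traffic stops is the one admitting it.
    Returns None when the traffic is already denied with the probe at the bottom."""
    probe = ("probe-deny", probe_net, "all", "deny")
    for pos in range(len(rules), -1, -1):
        trial = rules[:pos] + [probe] + rules[pos:]
        if evaluate(trial, ip, port)[1] == "deny":
            return rules[pos][0] if pos < len(rules) else None
    return None
```

Calling `find_admitting_rule(RULES, "203.0.113.0/24", "203.0.113.7", 587)` names the allow rule that lets the probed range reach the mail port, and passing a `Counter` as `hits` to `evaluate` gives the per-rule counts.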
Best to try this block on the router level. Do you have a firewall there as well?

Thank you Rusty - I'm working on a pfSense machine now! The Geo Blocking seems to work - cutting down on login attempts by 90% or more since I started using it. I'm a bit befuddled by this one getting through, thinking I had a good strategy with the config on the DSM.

> If you know the class C you could put a rule to deny it. I’d then place this rule low on the policy and gradually move it up until you find when attempts stop. That’ll show which rule isn’t working. Then leave it there.

Thank you. A good troubleshooting tip!

> For the Germany-based mail notifications what I would look to do is limit this rule to just the IP range of its servers, not the whole of Germany.

I thought of that right after I posted this message :)

> Having a router with a properly definable firewall policy should help. Better if it has hit counters on rules… or a log of activity!

Yes, again, working on a pfSense machine. The logs on Synology are somewhat lacking from the GUI standpoint.
 