Firewall logs - Default Rule

mm_bret
mm_bret Posts: 22  Freshman Member
Using a USG 1000

Created firewall rule to block a range of addresses in the Netherlands
89.248.160.0 - 89.248.175.255

The rule is configured to deny with a log alert (red text), any connection attempt from these addresses.

The rule is the first in my firewall (Priority 1)

However the log is showing the connection attempts from this address range are being blocked by the MATCH Default Rule DROP.

This is not what I expect.

The Priority 1 firewall rule should be displayed in the log as the "priority rule 1",
rule which blocks the connection attempt.
The connection attempt should not be allowed to pass through my firewall rules table, all the way to the Default Rule DROP, since it is the first rule.


I have defined about 20 groups of address ranges in my hacker-reject list.

Is there a bug in the firewall in this regard?
Is there a limit to the number of addresses which can be blocked using ip ranges?

We have 12 of these USG 1000 devices. Hoping I have presented my question
accurately.

BS


 







All Replies

  • PeterUK
    PeterUK Posts: 1,389  Guru Member

    So is this from WAN to zywall or from LAN to WAN?

    I'm guessing from WAN is the range set for source IP with destination any?

    can you post the rule


  • mm_bret
    mm_bret Posts: 22  Freshman Member

    PeterUK,
    Thanks for taking a look.


  • PeterUK
    PeterUK Posts: 1,389  Guru Member

    I was thinking this was a new model, but it turns out to be no longer updated. Does it have the newest firmware on it?

    https://www.zyxel.com/us/en/support/DownloadLandingSR.shtml?c=us&l=en&kbid=MD07111&md=ZyWALL%20USG%201000


  • mm_bret
    mm_bret Posts: 22  Freshman Member
    They have the newest firmware.

    We'll try some re-configuring, maybe break the deny rules into smaller sets of ip addresses.

    Standard duty for a firewall of this class. A bit surprised.

    Really appreciate the dialog.
    Bret




  • USG_User
    USG_User Posts: 316  Master Member
    Taking for granted that your "hackers-block" source IPs are located in the internet, means coming from WAN zone only. Did you try to change the source zone from "any" to "WAN"? Maybe this makes a difference for USG?
    But normally your setting should work.
  • Zyxel_James
    Zyxel_James Posts: 103  Zyxel Employee
    Hello mm_bret,
    As your firewall rule, from any to any. The destination "any" does not include Zywall itself.
    It means the hacker wants to access Zywall itself instead of the local network behind Zywall, so it won't match your firewall rule. You may add a rule that denies from any to Zywall.
    Thank you.



    James
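
The zone behaviour described in the reply above, as an added example that is not part of the original thread and not Zyxel's code: a simplified first-match policy evaluator in which a destination of "any" does not cover the device's own zone. The `Rule` class, the rule names and the sample source address are constructed for illustration; the address range is the one from the original post.

```python
import ipaddress
from dataclasses import dataclass

# Range from the original post; it collapses to a single CIDR block.
BLOCKED = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("89.248.160.0"),
    ipaddress.ip_address("89.248.175.255")))

@dataclass
class Rule:              # hypothetical model of one policy rule
    name: str
    to_zone: str         # "any" or a zone name such as "ZyWALL"
    sources: list        # ip_network objects; an empty list means any source
    action: str

def zone_matches(rule_zone, packet_zone):
    # Assumption taken from the reply above: "any" covers through-traffic
    # zones but not traffic addressed to the device itself.
    if rule_zone == "any":
        return packet_zone != "ZyWALL"
    return rule_zone == packet_zone

def evaluate(rules, src, dst_zone):
    """Return (rule name, action) of the first matching rule, else the default."""
    addr = ipaddress.ip_address(src)
    for rule in rules:
        src_ok = not rule.sources or any(addr in net for net in rule.sources)
        if src_ok and zone_matches(rule.to_zone, dst_zone):
            return rule.name, rule.action
    return "Default Rule", "DROP"

# Rule set as described in the original post: one deny rule, any to any.
original = [Rule("priority 1", "any", BLOCKED, "DENY")]

# Rule set with the suggested extra rule for traffic addressed to the device.
with_device_rule = [
    Rule("deny-to-ZyWALL", "ZyWALL", BLOCKED, "DENY"),
    Rule("priority 1", "any", BLOCKED, "DENY"),
]

if __name__ == "__main__":
    sample = "89.248.165.10"   # constructed address inside the blocked range
    print(BLOCKED)
    print(evaluate(original, sample, "ZyWALL"))
    print(evaluate(original, sample, "LAN"))
    print(evaluate(with_device_rule, sample, "ZyWALL"))
```

Under this model, a scan aimed at the firewall's own WAN address is logged against the default rule, while the same source aimed at a host behind the firewall is logged against the priority 1 rule.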
  • dmc_nyc
    dmc_nyc Posts: 4
    I have a similar issue with a new USGFLEX 200.  Only recently, did I notice that all Security Policy Rules IGNORE 'Object Groups' if they are set as the Source IP within the Rule.  Which is what mm_bret described above, "I have defined about 20 groups of address ranges in my hacker-reject list." and his spam traffic is ignoring the Group.  This is a bug.

    ZYXEL FIRMWARE BUG: By putting multiple Address Objects or Ranges into a Group, and setting the Source IP = the Group within the Rule, the traffic can bypass it as if the Rule was set to ANY Source IP. Regardless if you set your Rule as ANY to ANY or WAN to LAN.  It ignores the Source IP Group as its rule filter.  You can verify this by making the Source IP only one IP address, not a group.  Then check your logs for that Priority.  No traffic will pass through, but if you set the Source back to the Group, the traffic incorrectly passes through. 

    THERE SEEMS TO BE A BUG INTRODUCED WITH A RECENT FIRMWARE UPDATE. ZYXEL NEEDS TO INVESTIGATE THIS IMMEDIATELY.

    Opposite of mm_bret, I do a similar Rule but with Approved IP Addresses I want to pass through. So any WAN IP Address that is not in my group called 'All Approved WANs' will be blocked.  See my pictures, the traffic ignores the Group called 'All Approved WANs' which is unexpected behavior.





    Zyxel needs to investigate this and release a firmware update.




  • PeterUK
    PeterUK Posts: 1,389  Guru Member
    dmc_nyc if you set application patrol to none does the rule work?
  • mm_bret
    mm_bret Posts: 22  Freshman Member
    We have App Patrol disabled.

    I've played with this further:
    1. Limiting the firewall rule to WAN as the source
    2. Replacing the group of hacker ranges to a single range of ip addresses.

    It doesn't work.

    Also doesn't seem like we should be doing the experimenting.

    Regardless of age, this device should identify these address ranges and allow/deny/reject
    as the rule dictates.

    What does the Zyxel (current or older) generation Zyxel equipment say about this?

    I'm going to check this functionality on some of our Cisco stuff. Hmmm
    Bret







  • mm_bret
    mm_bret Posts: 22  Freshman Member
    In response to Zyxel_James
    We have a rule which disables https to the Zyxel from WAN.


