grinder Apprentice 102 posts since
Feb 8, 2013

Jun 27, 2013 12:27 PM

How To Drop Packets From Foreign Countries?

I have been asked to set up our firewall to drop any packets arriving at the external interface that originate from any country other than the US and US territories.  I created a GEO Location Network object and put every country except the US and US territories in it.  I then created a rule to drop packets on the external interface if the source endpoint matches anything in that GEO Location object.  This rule is the first rule in the list.  It does not appear to be working. I get email alerts all the time where foreign IPs are hitting ports like FTP etc.  This tells me the packets are not getting dropped.

Here is an example of an audit alert:

2013-06-26 00:22:52 -0700 f_ftp_proxy a_aclquery t_attack p_major
pid: 1724 logid: 0 cmd: 'pftp' hostname:MYFIREWALL
category: policy_violation event: ACL deny attackip:80.246.50.171
attackzone: external src_geo: DE srcip: 80.246.50.171 srcport: 39642
srczone: external protocol: 6 dst_geo: US dstip:xxx.xxx.xxx.xxx dstport: 21
dstzone: external rule_name: Deny All cache_hit: 0
reason: Traffic denied by policy.

The firewall obviously can tell this originated from I believe Denmark.  I can tell it made it through all of the rules because it hit the last rule, the Deny All.  So I am not sure what I am doing wrong.  Any help is greatly appreciated.  Thanks!

 

Here is what my rule looks like:

 

 

Message was edited by: grinder on 6/27/13 12:27:53 PM CDT
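
One way to check from the audit stream which rule is actually deciding non-US traffic, as an added example (not part of the original post and not vendor code): it parses records in the layout quoted above, tolerating fields that run together without a space, and counts foreign-source records decided by any rule other than the geo rule. The rule name `Geo Drop`, the second sample record and the function names are assumptions; codes for US territories would be added to `allowed`.

```python
import re
from collections import Counter

# Field names as they appear in the audit alert quoted in the post.
KEYS = ["pid", "logid", "cmd", "hostname", "category", "event", "attackip",
        "attackzone", "src_geo", "srcip", "srcport", "srczone", "protocol",
        "dst_geo", "dstip", "dstport", "dstzone", "rule_name", "cache_hit",
        "reason"]
# No word boundary on purpose: a key may be glued to the previous value.
KEY_RE = re.compile("(" + "|".join(sorted(KEYS, key=len, reverse=True)) + r"):\s*")

def parse_record(text):
    """Turn one multi-line audit record into a dict of field -> value."""
    flat = " ".join(text.split())
    marks = list(KEY_RE.finditer(flat))
    rec = {}
    for cur, nxt in zip(marks, marks[1:] + [None]):
        end = nxt.start() if nxt else len(flat)
        rec[cur.group(1)] = flat[cur.end():end].strip().strip("'")
    return rec

def geo_rule_misses(records, allowed=("US",), geo_rule="Geo Drop"):
    """Count (src_geo, rule_name) pairs for external, non-allowed sources
    that were decided by some rule other than the geo-drop rule."""
    misses = Counter()
    for r in records:
        geo = r.get("src_geo")
        if (geo and geo not in allowed and r.get("srczone") == "external"
                and r.get("rule_name") != geo_rule):
            misses[(geo, r.get("rule_name", "?"))] += 1
    return misses

SAMPLE = [
    # Record from the post; srcip/srcport kept run together to exercise the parser.
    """2013-06-26 00:22:52 -0700 f_ftp_proxy a_aclquery t_attack p_major
    pid: 1724 logid: 0 cmd: 'pftp' hostname:MYFIREWALL
    category: policy_violation event: ACL deny attackip:80.246.50.171
    attackzone: external src_geo: DE srcip: 80.246.50.171srcport: 39642
    srczone: external protocol: 6 dst_geo: US dstip:xxx.xxx.xxx.xxx dstport: 21
    dstzone: external rule_name: Deny All cache_hit: 0
    reason: Traffic denied by policy.""",
    # Constructed record: what a hit on the (hypothetical) geo rule would look like.
    """2013-06-26 00:25:10 -0700 f_ftp_proxy a_aclquery t_attack p_major
    pid: 1724 logid: 0 category: policy_violation event: ACL deny
    src_geo: FR srcip: 203.0.113.7 srcport: 40111 srczone: external
    dst_geo: US dstport: 21 rule_name: Geo Drop reason: Traffic denied by policy.""",
]

if __name__ == "__main__":
    for (geo, rule), n in geo_rule_misses(map(parse_record, SAMPLE)).items():
        print(f"{n} record(s) from {geo} decided by rule '{rule}', not the geo rule")
```

Any pair it reports is foreign-source traffic that passed the geo rule without matching and was decided further down the rule list.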
