I can't block alter.net because it's just on the route, not the actual destination. I may do the auto-block. Does auto-block keep a list of blocked sites somewhere that I can access/modify? Is auto-block temporary or permanent?
Thanks,
as i said...i just got my box ...but reading from the manual pg 85 (you do have a manual right...hinthint...rtfm...:rolleyes: )
"Auto Blocked sites - which are sites the Firebox adds or deletes dynamically based on default packet handling rules and service-by-service rules for denied packets. Sites are temporarily blocked until the autoblocking mechanism times out"
(timeout can be set up to 22 days i think)
"Firebox autoblock and logging mechanisms can help you decide what sites to block. For example, when you find a site that spoofs your network, you can add the offending site's IP to the list of permanently blocked sites."
Actually, I don't have the manual handy. Our consultants swiped it and haven't mailed it back to me yet. I went ahead and auto-blocked sites that try to connect in suspicious ways. I have my Firebox logging incoming (allowed) http as well. Funny to watch someone hit the website, try to FTP, then can't hit our website a minute later. I bet it confuses the hell outta them.
I've been keeping track of suspicious hits on the firewall. I noticed one log message that occurred three nights in a row. IP 198.36.205.2, port 137. Three entries each night between 1:30 and 2:00. I might just block this IP completely.
Alter.Net is a backbone provider across the Atlantic and the majority of ISPs on the East Coast USA use them.
198.36.205.2 >> Risdall Advertizing (NETBLK-USW-RISDELLADVERTISE) , Class C network (198.36.205.0 - 198.36.205.255),
_ 198.36.205.1 : HTTP server installed (Microsoft IIS 5.0)
_ 198.36.205.1 : FTP server installed (Squid/2.4.STABLE2)
_ 198.36.205.1 : anonymous FTP connection refused
(198.36.205.1 - www.risdall.com)
It seems that their small network has only Windows workstations.
They are possibly having some bugs in their old accounting software (or other automatic report-making soft) which (probably ;) ) use NetBIOS to exchange data within LAN. So log all incoming packets, don't filter them, that could be interesting (let that host establish NetBIOS connection and transfer (faked) data if any - i.e. let them transfer something if they want).
AIDeveloper.
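The distinction discussed in this thread, temporary auto-blocks that time out versus a permanent blocked-sites list fed by log review, sketched as an added example that is not part of any post above and not WatchGuard code. The log format, addresses and dates are constructed, and the rule that the timeout counts from a site's most recent denied packet is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed denied-packet events: timestamp, source IP, destination port.
# NOT the Firebox log format; addresses are from documentation ranges.
SAMPLE_DENIES = """\
2002-03-04T01:31:10 192.0.2.15 137
2002-03-04T01:44:02 192.0.2.15 137
2002-03-04T01:58:40 192.0.2.15 137
2002-03-04T14:02:11 198.51.100.7 21
2002-03-05T01:35:27 192.0.2.15 137
2002-03-05T01:49:03 192.0.2.15 137
2002-03-06T01:40:55 192.0.2.15 137
2002-03-06T09:12:30 198.51.100.7 21
"""

def parse(text):
    """Yield (datetime, ip, port) for each non-empty log line."""
    for line in text.splitlines():
        if line.strip():
            ts, ip, port = line.split()
            yield datetime.fromisoformat(ts), ip, int(port)

def temp_blocked_at(events, when, timeout):
    """IPs still under a temporary auto-block at `when`.
    Assumption: the timer runs from the site's most recent denied packet."""
    last = {}
    for ts, ip, _ in events:
        if ts <= when and ts > last.get(ip, datetime.min):
            last[ip] = ts
    return {ip for ip, ts in last.items() if when - ts < timeout}

def permanent_candidates(events, min_consecutive_days=3):
    """(ip, port) pairs denied on N or more consecutive calendar days:
    sources worth reviewing for the permanent blocked-sites list."""
    days = defaultdict(set)
    for ts, ip, port in events:
        days[(ip, port)].add(ts.date())
    found = []
    for key, seen in sorted(days.items()):
        run, best, prev = 0, 0, None
        for day in sorted(seen):
            run = run + 1 if prev and day - prev == timedelta(days=1) else 1
            best, prev = max(best, run), day
        if best >= min_consecutive_days:
            found.append(key)
    return found

if __name__ == "__main__":
    events = list(parse(SAMPLE_DENIES))
    print(permanent_candidates(events))
```

With a short timeout the nightly source drops off the temporary list between visits, which is why a recurring pattern like this only shows up when the logs are reviewed across days.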