Subj : dtdns To : Matt Munson From : mark lewis Date : Sun Jul 08 2018 06:18:08 On 2018 Jul 05 20:33:46, you wrote to Sean Dennis: SD>> A lot of these small firewall setups aren't enough to handle the crap SD>> that's floating around on the Internet. You really need an edge SD>> firewall that simply blocks entire countries at first and then will SD>> let you ban entire CIDR ranges from connecting. Until you get SD>> something with some gusto going you're going to have issues. Even my MM> Even with country blocking filters they still try to contact my server MM> :( of course they do... they're simply scanning ranges of IP numbers... if you don't block them at the perimeter, your server(s) are going to have to deal with them... even it if means you have country blocks that your servers need to handle to know if they should drop the connection or not... that's why folks like sean and myself have been saying to drop this junk at the perimeter firewall... that way your server(s) (sbbs, nginx, apache, ftp server, nntp server, etc) don't have to deal with it... MM> I wonder if I should try the Symantec or Bitdefender hardware firewall MM> products. absolutely not... that is not ON your perimeter... that's IN your network... this is what we're talking about... right now, you have this... internet -> ISP modem -> your network(s) so everything is on your ISP modem to do all the work... for the most part, it is quite capable... but it cannot handle large lists and you cannot customize it to add things like intrusion detection or intrusion protection services (aka IDP/IPS)... what we're saying is to do this... internet -> ISP modem -> perimeter firewall -> your network(s) in this setup, your ISP modem is (hopefully) in "bridge mode"... that means it is basically out of the loop other than converting your DSL or cable internet signal into TCP/IP for your network comms... it doesn't do anything else... no routing, no DHCP, no nothing... everything now is done by your perimeter firewall... a firewall that has plenty of storage and memory... a firewall that you can actually sit down and enter huge lists of country IP ranges to block... a firewall that can actually detect when something nefarious is trying to get in or out... if your ISP modem can't do bridge mode, then it simply means that your connection will be double-NAT'ed... that means that you'll have a RFC-1918 address on your firewall's WAN port and it'll be handing out addresses and managing connections for another (set of) RFC-1918 addresses... it isn't a big deal but it can really hamper some tasks... granted, this means having another machine running as well as having another switch/hub or two or three but this is a huge sight better than relying on those black boxes the ISPs give you or that you purchase at Best Buy or Circuit City or other similar places that sell electronics... i'll never set up another network without a perimeter firewall... ever... )\/(ark Always Mount a Scratch Monkey Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong... .... Thou shall flirt shamelessly with all members of the opposite sex. --- * Origin: (1:3634/12.73) .