GeoIP - Blocking or Not?

I am hosting a web server behind a Sonicwall TZ-470 running SonicOS 7.1.3-7015.
I use the GeoIP filter to block certain traffic I know does not need to access my web server.
Since my web server has different GeoIP profiles than other services I have exposed, I am using the "Firewall Rule-based Connections" option in the GeoIP settings. Within the firewall rule itself, I allow only the United States, and all other traffic is blocked.
Here are some screenshots of my config:
I recently did a bit of a network reorganization, and I noticed, combing through logs, that my web server was sending data to IPs all over the world, which seemed suspicious to me.
I researched further and found that traffic that I expect to be blocked based on the Security Profile Geo-IP Filter is actually allowed and gets to my web server, but Sonicwall eventually blocks the RETURN traffic from the web server replying to the initial request.
Below is an example log export from Sonicwall showing traffic from a Chinese IP address, 42.83.147.55. Despite being a non-US IP, the traffic is initially allowed but then shows as blocked. At the end of this snippet, my web server (10.0.0.5) sends a reply, which is blocked. In checking this IP against Sonicwall's GeoIP diagnostics, the IP is correctly identified as Chinese.
id=firewall time="2025-03-20 08:42:24" fw=sonicwall pri=5 c=262144 m=98 msg="Connection Opened" app=49175 appName='General HTTP' n=11373806 src=42.83.147.55:30682:X1 dst=10.0.0.5:80 proto=tcp/http sent=60 dpi=0
id=firewall time="2025-03-20 08:42:24" fw=sonicwall pri=5 c=0 m=1235 msg="Packet allowed: code2 matched policy for non-MGMT traffic" note="policyCheck" n=10679698 src=42.83.147.55:30682:X1 dst=10.0.0.5:80 proto=tcp/http uuid="00000000-0000-0003-0700-2cb8ed8fb59c" fw_action="forward"
id=firewall time="2025-03-20 08:42:24" fw=sonicwall pri=5 c=64 m=524 msg="Web access Request dropped" app=49175 appName='General HTTP' n=2099115 src=42.83.147.55:30682:X1 dst=10.0.0.5:80 proto=tcp/http fw_action="drop"
id=firewall time="2025-03-20 08:42:24" fw=sonicwall pri=5 c=64 m=524 msg="Web access Request dropped" app=49175 appName='General HTTP' n=2099116 src=42.83.147.55:30682:X1 dst=10.0.0.5:80 proto=tcp/http fw_action="drop"
id=firewall time="2025-03-20 08:42:24" fw=sonicwall pri=5 c=64 m=524 msg="Web access Request dropped" app=49175 appName='General HTTP' n=2099117 src=42.83.147.55:30682:X1 dst=10.0.0.5:80 proto=tcp/http fw_action="drop"
id=firewall time="2025-03-20 08:42:24" fw=sonicwall pri=5 c=64 m=524 msg="Web access Request dropped" app=49175 appName='General HTTP' n=2099118 src=42.83.147.55:30682:X1 dst=10.0.0.5:80 proto=tcp/http fw_action="drop"
id=firewall time="2025-03-20 08:42:25" fw=sonicwall pri=5 c=64 m=524 msg="Web access Request dropped" app=49175 appName='General HTTP' n=2099119 src=42.83.147.55:30682:X1 dst=10.0.0.5:80 proto=tcp/http fw_action="drop"
id=firewall time="2025-03-20 08:42:25" fw=sonicwall pri=5 c=64 m=524 msg="Web access Request dropped" app=49175 appName='General HTTP' n=2099120 src=42.83.147.55:30682:X1 dst=10.0.0.5:80 proto=tcp/http fw_action="drop"
id=firewall time="2025-03-20 08:42:27" fw=sonicwall pri=5 c=64 m=524 msg="Web access Request dropped" app=49175 appName='General HTTP' n=2099121 src=42.83.147.55:30682:X1 dst=10.0.0.5:80 proto=tcp/http fw_action="drop"
id=firewall time="2025-03-20 08:42:29" fw=sonicwall pri=5 c=64 m=524 msg="Web access Request dropped" app=49175 appName='General HTTP' n=2099122 src=42.83.147.55:30682:X1 dst=10.0.0.5:80 proto=tcp/http fw_action="drop"
id=firewall time="2025-03-20 08:42:34" fw=sonicwall pri=5 c=64 m=524 msg="Web access Request dropped" app=49175 appName='General HTTP' n=2099123 src=42.83.147.55:30682:X1 dst=10.0.0.5:80 proto=tcp/http fw_action="drop"
id=firewall time="2025-03-20 08:42:55" fw=sonicwall pri=5 c=64 m=36 msg="TCP packet dropped" app=49175 appName='General HTTP' n=1136402 src=10.0.0.5:80 dst=42.83.147.55:30682:X1 proto=tcp/http fw_action="drop"
Below is a snippet from a TCPDump on my web server showing the traffic received and responded to, matching the IP address above:
08:42:24.133772 IP 42.83.147.55.30682 > host.http: Flags [S], seq 4022937222, win 29200, options [mss 1460,sackOK,TS val 1238368050 ecr 0,nop,wscale 7], length 0
08:42:24.133831 IP host.http > 42.83.147.55.30682: Flags [S.], seq 3460525036, ack 4022937223, win 65160, options [mss 1460,sackOK,TS val 671574032 ecr 1238368050,nop,wscale 7], length 0
08:42:24.352839 IP 42.83.147.55.30682 > host.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 1238368269 ecr 671574032], length 0
08:42:55.802997 IP host.http > 42.83.147.55.30682: Flags [S.], seq 3460525036, ack 4022937223, win 65160, options [mss 1460,sackOK,TS val 671605702 ecr 1238368269,nop,wscale 7], length 0
It doesn't seem to me like the traffic should make it to my web server. Is anyone else seeing anything like this? I am seeing it hundreds or sometimes thousands of times per day. The return traffic is always blocked, but why does it get to the web server in the first place?
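The pattern in the export above (a connection opened and forwarded, then the same 4-tuple dropped, then the server's reply dropped) is easy to miss when it occurs thousands of times a day. The script below is an added example, not code from the original post or from SonicWall: it parses the SonicOS key=value syslog format exactly as it appears in the export, groups records by client/server pair (the first-seen source is treated as the client), and reports every flow that was allowed first and dropped afterwards, counting inbound and return-direction drops separately. The embedded sample is the log export from the post; the field names used (msg, fw_action, src, dst, time) are the ones visible in those lines, and the treatment of "Connection Opened" as an allow verdict is an assumption based on that record carrying no fw_action.

```python
import re
from collections import OrderedDict

# Log export copied from the post above (SonicOS key=value syslog format).
SAMPLE_LOG = """\
id=firewall time="2025-03-20 08:42:24" fw=sonicwall pri=5 c=262144 m=98 msg="Connection Opened" app=49175 appName='General HTTP' n=11373806 src=42.83.147.55:30682:X1 dst=10.0.0.5:80 proto=tcp/http sent=60 dpi=0
id=firewall time="2025-03-20 08:42:24" fw=sonicwall pri=5 c=0 m=1235 msg="Packet allowed: code2 matched policy for non-MGMT traffic" note="policyCheck" n=10679698 src=42.83.147.55:30682:X1 dst=10.0.0.5:80 proto=tcp/http uuid="00000000-0000-0003-0700-2cb8ed8fb59c" fw_action="forward"
id=firewall time="2025-03-20 08:42:24" fw=sonicwall pri=5 c=64 m=524 msg="Web access Request dropped" app=49175 appName='General HTTP' n=2099115 src=42.83.147.55:30682:X1 dst=10.0.0.5:80 proto=tcp/http fw_action="drop"
id=firewall time="2025-03-20 08:42:24" fw=sonicwall pri=5 c=64 m=524 msg="Web access Request dropped" app=49175 appName='General HTTP' n=2099116 src=42.83.147.55:30682:X1 dst=10.0.0.5:80 proto=tcp/http fw_action="drop"
id=firewall time="2025-03-20 08:42:24" fw=sonicwall pri=5 c=64 m=524 msg="Web access Request dropped" app=49175 appName='General HTTP' n=2099117 src=42.83.147.55:30682:X1 dst=10.0.0.5:80 proto=tcp/http fw_action="drop"
id=firewall time="2025-03-20 08:42:24" fw=sonicwall pri=5 c=64 m=524 msg="Web access Request dropped" app=49175 appName='General HTTP' n=2099118 src=42.83.147.55:30682:X1 dst=10.0.0.5:80 proto=tcp/http fw_action="drop"
id=firewall time="2025-03-20 08:42:25" fw=sonicwall pri=5 c=64 m=524 msg="Web access Request dropped" app=49175 appName='General HTTP' n=2099119 src=42.83.147.55:30682:X1 dst=10.0.0.5:80 proto=tcp/http fw_action="drop"
id=firewall time="2025-03-20 08:42:25" fw=sonicwall pri=5 c=64 m=524 msg="Web access Request dropped" app=49175 appName='General HTTP' n=2099120 src=42.83.147.55:30682:X1 dst=10.0.0.5:80 proto=tcp/http fw_action="drop"
id=firewall time="2025-03-20 08:42:27" fw=sonicwall pri=5 c=64 m=524 msg="Web access Request dropped" app=49175 appName='General HTTP' n=2099121 src=42.83.147.55:30682:X1 dst=10.0.0.5:80 proto=tcp/http fw_action="drop"
id=firewall time="2025-03-20 08:42:29" fw=sonicwall pri=5 c=64 m=524 msg="Web access Request dropped" app=49175 appName='General HTTP' n=2099122 src=42.83.147.55:30682:X1 dst=10.0.0.5:80 proto=tcp/http fw_action="drop"
id=firewall time="2025-03-20 08:42:34" fw=sonicwall pri=5 c=64 m=524 msg="Web access Request dropped" app=49175 appName='General HTTP' n=2099123 src=42.83.147.55:30682:X1 dst=10.0.0.5:80 proto=tcp/http fw_action="drop"
id=firewall time="2025-03-20 08:42:55" fw=sonicwall pri=5 c=64 m=36 msg="TCP packet dropped" app=49175 appName='General HTTP' n=1136402 src=10.0.0.5:80 dst=42.83.147.55:30682:X1 proto=tcp/http fw_action="drop"
"""

# key=value pairs; values may be double-quoted, single-quoted, or bare.
KV_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")


def parse_line(line: str) -> dict:
    """Split one SonicOS syslog line into a dict, stripping surrounding quotes."""
    return {k: v.strip("\"'") for k, v in KV_RE.findall(line)}


def endpoint(value: str) -> tuple:
    """'42.83.147.55:30682:X1' -> ('42.83.147.55', 30682); the :X1 interface suffix is optional."""
    ip, port = value.split(":")[:2]
    return ip, int(port)


def classify(fields: dict) -> str:
    """Map one record to 'allow', 'drop' or 'other'.
    Assumption: 'Connection Opened' has no fw_action in the export but is an allow verdict."""
    if fields.get("fw_action") == "drop":
        return "drop"
    if fields.get("fw_action") == "forward" or fields.get("msg") == "Connection Opened":
        return "allow"
    return "other"


def correlate(log_text: str) -> "OrderedDict":
    """Group records by (client, server); the first-seen src of a pair is the client,
    so the server's reply is recorded as the 'return' direction of the same flow."""
    flows = OrderedDict()
    for raw in log_text.splitlines():
        raw = raw.strip().rstrip("|").strip()  # tolerate the trailing '|' some exports carry
        if not raw or raw.startswith("---"):
            continue
        f = parse_line(raw)
        if "src" not in f or "dst" not in f:
            continue
        src, dst = endpoint(f["src"]), endpoint(f["dst"])
        if (src, dst) in flows:
            key, direction = (src, dst), "inbound"
        elif (dst, src) in flows:
            key, direction = (dst, src), "return"
        else:
            key, direction = (src, dst), "inbound"
            flows[key] = []
        flows[key].append({"time": f.get("time"), "dir": direction,
                           "msg": f.get("msg"), "verdict": classify(f)})
    return flows


def find_allowed_then_dropped(flows) -> list:
    """Return a summary for every flow that was allowed first and saw drops afterwards."""
    findings = []
    for (client, server), events in flows.items():
        verdicts = [e["verdict"] for e in events]
        if "allow" not in verdicts:
            continue
        first_allow = verdicts.index("allow")
        if "drop" not in verdicts[first_allow:]:
            continue
        findings.append({
            "client": "%s:%d" % client,
            "server": "%s:%d" % server,
            "allowed": verdicts.count("allow"),
            "inbound_drops": sum(1 for e in events if e["dir"] == "inbound" and e["verdict"] == "drop"),
            "return_drops": sum(1 for e in events if e["dir"] == "return" and e["verdict"] == "drop"),
            "first_seen": events[0]["time"],
            "last_seen": events[-1]["time"],
        })
    return findings


if __name__ == "__main__":
    for hit in find_allowed_then_dropped(correlate(SAMPLE_LOG)):
        print(hit)
```

Run against a full day's export, the output is one line per remote client whose connection was forwarded and then dropped, which is the evidence to attach to a support ticket. Because the server's reply is tracked as the return direction of the same flow, a flow with inbound_drops of zero but return_drops greater than zero would indicate a request that was never logged as dropped on the way in at all, a useful distinction when comparing rule-based GeoIP with the global setting.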
Answers
Just swinging for the fences here, but does the "Enable Custom List" option need to be enabled in the main settings?
I thought that "enable custom list" was to declare an IP address as belonging to a specific country, i.e. 1.1.1.1 = AU, 1.1.1.2 = UK, etc. I will look into it further, though - I appreciate the reply.
That's interesting. I have never seen, in a packet capture, a packet being both allowed and dropped. It really does look like the same packet, same 4-tuple.
What is uuid="00000000-0000-0003-0700-2cb8ed8fb59c" ? I assume that's an access rule? Export a TSR and search for that UUID, that should show what this is.
As to your original question - if you're seeing it in a packet capture on your server then you can only conclude that it was allowed.
Thanks for the reply. The referenced UUID is the same rule that I screenshotted in my original post, "Allow Any to DMZ HTTP/S".
I guess I should open a support ticket with Sonicwall.