Use this forum to post questions relating to WinGate, feature requests, technical or configuration problems
Nov 24 07 7:58 am
After reading the WinGate help, and after reviewing posts referring to the Blackhole feature, I am a little confused as to what this feature really does.
WinGate help suggests that the Blackhole feature blocks banned hosts or networks against inbound connection attempts. In reading some posts, it seems that if your POP3 server is on the banned network, you will have problems retrieving your e-mail. I would expect that since the POP3 connection attempt is being made by the client, the POP3 server is not initiating the inbound connection attempt.
I have configured my blackhole to a known network segment, and have been able to successfully hit their webserver. I don't want anyone at their site however to try logging into any RDP or SSH services I am offering through my firewall.
Finally, the WinGate help does not identify where blackhole rejections are logged to.
Any clarifications?
Thank you.
Randy
Nov 24 07 10:30 am
Blackholes help offset load on WinGate. Upon receiving a packet which does not belong to an already established connection, the driver first checks if the originator or the destination of this packet is blacklisted. If it is, the packet gets dropped silently and the notification is delivered to the engine about this event. So the blacklist is checked first, before any other rule or firewall holes list. Hope this explanation clarifies blacklist behaviour a little.
Nov 24 07 11:56 am
I intend to black hole the nuisance ISPs from Asia and Russia that are targeting my SSH services with dictionary attacks. This is a nice feature at the perimeter of my network.
I am still not sure where the blackhole logs are found though, as I would like to know how many attempts have been repelled by this feature.
Nov 24 07 12:48 pm
Check the WinGate NAT logfile. You should see something like:
Authorisation failure: NAT STATUS: firewall block: TCP src xxx.xxx.xxx.xxx:808 dst 10.0.1.33:2748
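For counting how many attempts were dropped, the following is an added example (not part of the original posts and not WinGate's own tooling) that tallies "firewall block" lines per source address and per destination service. It assumes the log lines have the layout of the single line quoted above; the sample lines and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Layout assumed from the one line quoted in the thread. The pattern is
# searched, not anchored, so a leading timestamp or prefix is tolerated.
BLOCK_RE = re.compile(
    r"firewall block:\s+(?P<proto>\w+)\s+"
    r"src\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+"
    r"dst\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)

def parse_block(line):
    """Return a dict for a firewall-block line, or None if it is not one."""
    m = BLOCK_RE.search(line)
    if not m:
        return None
    # Reject addresses with out-of-range octets (truncated or corrupt lines).
    if any(int(o) > 255 for o in (m["src"] + "." + m["dst"]).split(".")):
        return None
    return {"proto": m["proto"].upper(), "src": m["src"], "dst": m["dst"],
            "sport": int(m["sport"]), "dport": int(m["dport"])}

def summarise(lines):
    """Count blocked packets per source and per (protocol, destination port)."""
    by_src, by_service, skipped = Counter(), Counter(), 0
    for line in lines:
        rec = parse_block(line)
        if rec is None:
            skipped += 1
            continue
        by_src[rec["src"]] += 1
        by_service[(rec["proto"], rec["dport"])] += 1
    return by_src, by_service, skipped

# Constructed sample input (documentation address ranges), not real log data.
SAMPLE_LOG = """
Authorisation failure: NAT STATUS: firewall block: TCP src 203.0.113.7:40112 dst 10.0.1.33:22
Authorisation failure: NAT STATUS: firewall block: TCP src 203.0.113.7:40113 dst 10.0.1.33:22
Authorisation failure: NAT STATUS: firewall block: TCP src 198.51.100.20:51544 dst 10.0.1.33:3389
constructed unrelated line: service started
Authorisation failure: NAT STATUS: firewall block: TCP src 203.0.999.7:40114 dst 10.0.1.33:22
""".strip().splitlines()

if __name__ == "__main__":
    by_src, by_service, skipped = summarise(SAMPLE_LOG)
    for src, n in by_src.most_common():
        print(f"{src:15} {n} blocked")
    for (proto, port), n in by_service.most_common():
        print(f"{proto}/{port}: {n} blocked")
    print(f"{skipped} lines skipped")
```

To run it against a real file, pass the open file object to `summarise()` in place of `SAMPLE_LOG`.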
Nov 24 07 1:37 pm
Actually a clarification.
When the ENS gets notified of a packet, the first thing it does (after checking it's even an IP packet), is to check the black hole list. It does this before checking whether the packet is part of an existing connection or not.
So if you black hole an IP or range of IPs, then if WinGate sees a packet from that IP or range, it will be dropped regardless. It makes that IP / range inaccessible to WinGate or any app running on the WinGate machine (or where WinGate would otherwise route packets from there).
Adrien