Clarification of Blackhole behaviour.

Postby Randy Baker » Nov 24 07 7:58 am

After reading the WinGate help, and after reviewing posts referring to the Blackhole feature, I am a little confused as to what this feature really does.

WinGate help suggests that the Blackhole feature blocks banned hosts or networks against inbound connection attempts. In reading some posts, it seems that if your POP3 server is on the banned network, you will have problems retrieving your e-mail. I would expect that since the POP3 connection attempt is being made by the client, the POP3 server is not initiating the inbound connection attempt.

I have configured my blackhole to a known network segment, and have been able to successfully hit their webserver. I don't want anyone at their site however to try logging into any RDP or SSH services I am offering through my firewall.

Finally, the WinGate help does not identify where blackhole rejections are logged to.

Any clarifications?
Thank you.
Randy
Randy Baker
 
Posts: 31
Joined: Nov 09 07 5:28 pm

Postby genie » Nov 24 07 10:30 am

Blackholes help offset load on WinGate. Upon receiving a packet which does not belong to an already established connection, the driver first checks if the originator or the destination of this packet is blacklisted. If it is, the packet gets dropped silently and the notification is delivered to the engine about this event. So blacklist is checked first, before any other rule or firewall holes list. Hope this explanation clarifies blacklist behaviour a little.
genie
Qbik Staff
 
Posts: 1788
Joined: Sep 30 03 10:29 am

Postby Randy Baker » Nov 24 07 11:56 am

I intend to black hole the nuisance ISPs from Asia and Russia that are targeting my SSH services with dictionary attacks. This is a nice feature at the perimeter of my network.

I am still not sure where the blackhole logs are found though, as I would like to know how many attempts have been repelled by this feature.
Randy Baker
 
Posts: 31
Joined: Nov 09 07 5:28 pm

Postby ChrisH » Nov 24 07 12:48 pm

Check the WinGate NAT logfile. You should see something like:
    Authorisation failure: NAT STATUS: firewall block: TCP src xxx.xxx.xxx.xxx:808 dst 10.0.1.33:2748
Chris H.
ChrisH
WinGate Master
 
Posts: 388
Joined: Sep 13 03 1:38 am
Location: Canada

Postby adrien » Nov 24 07 1:37 pm

Actually a clarification.

When the ENS gets notified of a packet, the first thing it does (after checking it's even an IP packet), is to check the black hole list. It does this before checking whether the packet is part of an existing connection or not.

So if you black hole an IP or range of IPs, then if WinGate sees a packet from that IP or range, it will be dropped regardless. It makes that IP / range inaccessible to WinGate or any app running on the WinGate machine (or where WinGate would otherwise route packets from there).

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
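The packet-ordering point made in the replies above (black hole list consulted first, before the established-connection check and before any firewall holes) is easy to see in a small model. This is an added illustration, not WinGate or ENS code; the networks, ports and connection table are constructed, and the "notification to the engine" is modelled as a simple counter so the number of repelled packets can be read back.

```python
import ipaddress
from collections import Counter

# Constructed sample state (not WinGate's real tables).
BLACKHOLE = [ipaddress.ip_network("203.0.113.0/24")]   # the "banned" network segment
# A POP3 session the local client opened itself: (src, sport, dst, dport)
ESTABLISHED = {("192.0.2.10", 52000, "203.0.113.5", 110)}
HOLES = {22, 3389}                                     # inbound ports the firewall would open (SSH, RDP)
notifications = Counter()                              # stands in for the engine notification


def is_blackholed(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLACKHOLE)


def process_packet(src, sport, dst, dport):
    """Verdict for one packet, applying the checks in the order the thread describes."""
    # 1. Black hole list first, for the originator OR the destination.
    if is_blackholed(src) or is_blackholed(dst):
        notifications[src] += 1          # dropped silently; engine is told about it
        return "dropped: blackhole"
    # 2. Only now: is the packet part of an existing connection?
    if (src, sport, dst, dport) in ESTABLISHED or (dst, dport, src, sport) in ESTABLISHED:
        return "allowed: established"
    # 3. Finally the ordinary firewall holes.
    if dport in HOLES:
        return "allowed: firewall hole"
    return "dropped: firewall block"


def repelled_count():
    """How many packets the black hole has swallowed so far."""
    return sum(notifications.values())


if __name__ == "__main__":
    # The POP3 server's reply is dropped even though the client opened the session.
    print(process_packet("203.0.113.5", 110, "192.0.2.10", 52000))
    # An SSH probe from the banned range never reaches the firewall hole check.
    print(process_packet("203.0.113.77", 40000, "192.0.2.10", 22))
    # The same probe from elsewhere is allowed by the SSH hole.
    print(process_packet("198.51.100.9", 40000, "192.0.2.10", 22))
    print("repelled:", repelled_count())
```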