
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   BBS_CARNIVAL      Your BBS software rules and others suck      5,461 messages   


   Message 3,432 of 5,461   
   mark lewis to Matt Munson   
   dtdns   
   08 Jul 18 06:18:08   
   
    On 2018 Jul 05 20:33:46, you wrote to Sean Dennis:   
      
    SD>> A lot of these small firewall setups aren't enough to handle the crap   
    SD>> that's floating around on the Internet.  You really need an edge   
    SD>> firewall that simply blocks entire countries at first and then will   
    SD>> let you ban entire CIDR ranges from connecting.  Until you get   
    SD>> something with some gusto going you're going to have issues.  Even my   
      
    MM> Even with country blocking filters they still try to contact my server   
    MM> :(   
      
   of course they do... they're simply scanning ranges of IP numbers... if you   
   don't block them at the perimeter, your server(s) are going to have to deal   
   with them... even if it means you have country blocks that your servers need   
   to handle to know if they should drop the connection or not... that's why   
   folks like sean and myself have been saying to drop this junk at the perimeter   
   firewall... that way your server(s) (sbbs, nginx, apache, ftp server, nntp   
   server, etc) don't have to deal with it...   
      
    MM> I wonder if I should try the Symantec or Bitdefender hardware firewall   
    MM> products.   
      
   absolutely not... that is not ON your perimeter... that's IN your network...   
   this is what we're talking about... right now, you have this...   
      
      
     internet -> ISP modem -> your network(s)   
      
      
   so everything is on your ISP modem to do all the work... for the most part, it   
   is quite capable... but it cannot handle large lists and you cannot customize   
   it to add things like intrusion detection or intrusion protection services   
   (aka IDS/IPS)... what we're saying is to do this...   
      
      
     internet -> ISP modem -> perimeter firewall -> your network(s)   
      
      
   in this setup, your ISP modem is (hopefully) in "bridge mode"... that means it   
   is basically out of the loop other than converting your DSL or cable internet   
   signal into TCP/IP for your network comms... it doesn't do anything else... no   
   routing, no DHCP, no nothing... everything now is done by your perimeter   
   firewall... a firewall that has plenty of storage and memory... a firewall   
   that you can actually sit down and enter huge lists of country IP ranges to   
   block... a firewall that can actually detect when something nefarious is   
   trying to get in or out... if your ISP modem can't do bridge mode, then it   
   simply means that your connection will be double-NAT'ed... that means that   
   you'll have a RFC-1918 address on your firewall's WAN port and it'll be   
   handing out addresses and managing connections for another (set of) RFC-1918   
   addresses... it isn't a big deal but it can really hamper some tasks...   
      
   granted, this means having another machine running as well as having another   
   switch/hub or two or three but this is a huge sight better than relying on   
   those black boxes the ISPs give you or that you purchase at Best Buy or   
   Circuit City or other similar places that sell electronics... i'll never set   
   up another network without a perimeter firewall... ever...   
      
   )\/(ark   
      
   Always Mount a Scratch Monkey   
   Do you manage your own servers? If you are not running an IDS/IPS yer doin' it   
   wrong...   
   ... Thou shall flirt shamelessly with all members of the opposite sex.   
   ---   
    * Origin:  (1:3634/12.73)   
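As an added example that is not part of mark lewis's post or any project's code, the following Python sketches what the perimeter firewall in his second diagram is doing with "huge lists of country IP ranges": it merges a CIDR list into the smallest equivalent set, answers "should this source address be dropped?" for a connection, renders the merged list as an nftables set so the drop happens before sbbs, nginx or an FTP daemon ever sees the packet, and checks whether the firewall's WAN address is RFC 1918, which is the double-NAT situation the post warns about when the ISP modem cannot be put in bridge mode. The CIDR ranges are constructed sample values (documentation TEST-NETs), not real country allocations, and the table and set names are assumptions.

```python
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample blocklist (documentation ranges, not real country
# allocations) standing in for a downloaded country CIDR list.
SAMPLE_BLOCKLIST = [
    "203.0.113.0/24",
    "198.51.100.0/25",
    "198.51.100.128/25",   # adjacent to the /25 above; merges into one /24
    "192.0.2.0/24",
]

# RFC 1918 private ranges, as named in the post's double-NAT discussion.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def build_blocklist(cidrs: Iterable[str]) -> List[Network]:
    """Parse CIDR strings and collapse adjacent/overlapping ranges.

    A country list downloaded from a registry is often thousands of entries;
    collapsing shrinks it and keeps the firewall's interval set small.
    IPv4 and IPv6 are collapsed separately (ipaddress refuses mixed input).
    """
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    collapsed: List[Network] = []
    collapsed.extend(sorted(ipaddress.collapse_addresses(v4)))
    collapsed.extend(sorted(ipaddress.collapse_addresses(v6)))
    return collapsed


def is_blocked(src_ip: str, blocklist: List[Network]) -> bool:
    """Decision the perimeter firewall makes per connection: drop or pass."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in blocklist if net.version == addr.version)


def render_nft_ruleset(blocklist: List[Network],
                       table: str = "perimeter",
                       set_name: str = "country_block") -> str:
    """Render the IPv4 part of the blocklist as an nftables interval set.

    Table and set names are assumed placeholders. The output is meant to be
    loaded with `nft -f` on the firewall box, not on the BBS host behind it.
    """
    v4 = [str(n) for n in blocklist if n.version == 4]
    elements = ", ".join(v4)
    return (
        f"table inet {table} {{\n"
        f"  set {set_name} {{\n"
        f"    type ipv4_addr\n"
        f"    flags interval\n"
        f"    elements = {{ {elements} }}\n"
        f"  }}\n"
        f"  chain input {{\n"
        f"    type filter hook input priority 0; policy accept;\n"
        f"    ip saddr @{set_name} drop\n"
        f"  }}\n"
        f"}}\n"
    )


def is_double_nat(wan_ip: str) -> bool:
    """True if the firewall's WAN address is RFC 1918, i.e. the ISP modem is
    still routing/NATing in front of it rather than running in bridge mode."""
    addr = ipaddress.ip_address(wan_ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)


if __name__ == "__main__":
    bl = build_blocklist(SAMPLE_BLOCKLIST)
    print("collapsed:", [str(n) for n in bl])
    print("198.51.100.200 blocked:", is_blocked("198.51.100.200", bl))
    print("double NAT on 192.168.1.2:", is_double_nat("192.168.1.2"))
    print(render_nft_ruleset(bl))
```

The per-connection check is written as a linear scan to keep the idea visible; a real firewall keeps the set in a prefix tree or kernel interval set (which is what the `flags interval` line asks nftables for), so the list size does not cost per-packet time.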



(c) 1994,  bbs@darkrealms.ca