User guide
Chapter 11: Protecting Your Network From Attacks
150 WatchGuard Firebox System
• Permanently blocked sites, which are listed in the configuration file
and change only when you edit them manually.
• Auto-blocked sites, which the Firebox adds and removes dynamically
based on its default packet-handling rules and the service-by-service
rules for denied packets. For example, you can configure the Firebox to
block any site that attempts to connect to a forbidden port. An
auto-blocked site stays blocked only until the auto-blocking timeout
expires, after which it is removed from the list.
The Firebox System auto-blocking and logging mechanisms can help you
decide which sites to block. For example, when the logs show a site
sending packets that spoof your network's addresses, you can add the
offending site's IP address to the list of permanently blocked sites.
Note that site blocking applies only to traffic on the Firebox's
External interface. Connections between the Trusted and Optional
interfaces are not subject to the Blocked Sites feature.
Blocking a site permanently
You may know of hosts on the Internet that pose constant dangers, such
as a university computer that has been used more than once by student
hackers who try to invade your network.
Use Policy Manager to block a site permanently. The default
configuration blocks three network ranges: 10.0.0.0/8, 172.16.0.0/12,
and 192.168.0.0/16. These are the private ("unconnected") address
ranges defined in RFC 1918 (which replaced RFC 1597; RFC 1627 discusses
the use of private address space). Because they are reserved for private
use, backbone routers should never forward a packet with one of these
addresses in its source or destination field, so a packet arriving on the
External interface from one of these ranges is almost certainly spoofed or
otherwise suspect. The converse also holds: if the External interface
itself sits on a private range (for example, behind an upstream NAT
router), packets from that upstream network match the default entry and
are dropped, so you must remove or narrow that entry in Policy Manager.
NOTE
The Blocked Sites list applies only to traffic on the External interface.
Connections between the Trusted and Optional interfaces are not subject
to the Blocked Sites list.
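The following Python model, added here as an illustration and not code from WatchGuard or the Firebox System, ties together the two kinds of blocked sites described above and the default permanent list: a packet is checked against the Blocked Sites list only when it arrives on the External interface; the permanent list holds CIDR ranges that change only when the administrator edits them; a packet to a forbidden port is denied and its source is auto-blocked until a timeout expires. The set of forbidden ports, the timeout value, and the packet sequence are assumptions constructed for the example.

```python
import ipaddress

# The three RFC 1918 ranges the guide says the default configuration
# blocks permanently.
DEFAULT_PERMANENT_BLOCKS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# Only traffic on this interface is checked against the Blocked Sites list;
# Trusted and Optional traffic is never checked.
EXTERNAL = "external"


class BlockedSites:
    """Model of the Blocked Sites decision: a permanent CIDR list plus
    auto-blocked hosts that expire after a timeout."""

    def __init__(self, permanent=DEFAULT_PERMANENT_BLOCKS,
                 forbidden_ports=(), auto_block_seconds=1200):
        # Permanent entries change only when the administrator edits them.
        self.permanent = [ipaddress.ip_network(n) for n in permanent]
        # Ports whose probes trigger auto-blocking. Assumed for the example;
        # the real product derives this from its port and service deny rules.
        self.forbidden_ports = set(forbidden_ports)
        # Auto-block duration in seconds (assumed default for the example).
        self.auto_block_seconds = auto_block_seconds
        # Auto-blocked hosts: address -> time at which the block expires.
        self.auto = {}

    def add_permanent(self, cidr):
        """Administrator adds a range to the permanent list (Policy Manager)."""
        self.permanent.append(ipaddress.ip_network(cidr))

    def permanently_blocked(self, addr):
        return any(addr in net for net in self.permanent)

    def _expire(self, now):
        # Auto-blocked sites drop off the list once their timeout passes.
        for addr in [a for a, exp in self.auto.items() if now >= exp]:
            del self.auto[addr]

    def handle_packet(self, interface, src_ip, dst_port, now):
        """Return the disposition of one inbound packet at time `now`."""
        if interface != EXTERNAL:
            # Blocked Sites is not applied between Trusted and Optional.
            return "allow"
        src = ipaddress.ip_address(src_ip)
        self._expire(now)
        if self.permanently_blocked(src):
            return "deny: permanently blocked site"
        if src in self.auto:
            return "deny: auto-blocked site"
        if dst_port in self.forbidden_ports:
            # Deny the packet and temporarily block its source.
            self.auto[src] = now + self.auto_block_seconds
            return "deny: forbidden port, source auto-blocked"
        return "allow"


def run_demo():
    """Constructed packet sequence showing each branch of the decision."""
    fw = BlockedSites(forbidden_ports={23, 135}, auto_block_seconds=600)
    # (interface, source, destination port, time in seconds) - constructed input
    packets = [
        (EXTERNAL, "10.1.2.3", 80, 0),        # private source on External: spoofed
        ("trusted", "10.1.2.3", 80, 0),       # same source internally: not checked
        (EXTERNAL, "203.0.113.5", 23, 0),     # probe of a forbidden port
        (EXTERNAL, "203.0.113.5", 80, 10),    # still inside the auto-block window
        (EXTERNAL, "203.0.113.5", 80, 601),   # timeout has expired
    ]
    results = [fw.handle_packet(*p) for p in packets]
    # Administrator promotes the repeat offender to the permanent list.
    fw.add_permanent("203.0.113.5/32")
    results.append(fw.handle_packet(EXTERNAL, "203.0.113.5", 80, 700))
    return results


if __name__ == "__main__":
    for r in run_demo():
        print(r)
```

The model keeps the External-only check first so that the private ranges in the permanent list never interfere with the RFC 1918 addresses that legitimately appear on the Trusted and Optional interfaces.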