Sophos Firewall Black Hole DNAT: Block Bad IPs
As soon as services are reachable from the internet, unwanted traffic usually appears quickly: port scans, login attempts, known botnets or access from countries where no users are expected. On Sophos Firewall, such sources can be blocked at several levels.
This article explains two common approaches:
- block countries or source networks with a Firewall Rule
- translate unwanted sources into nowhere with a Black Hole DNAT Rule
In addition, we recommend Sophos Firewall Threat Feeds so that known malicious IPs, domains or URLs can be blocked automatically.
Which method fits when?
| Method | Suitable for | Typical use |
|---|---|---|
| Firewall Rule with Drop | Blocking traffic based on Source Country, Source Network or Source Host | Block countries, block individual networks, maintain known Bad IP lists manually |
| Black Hole DNAT | Redirecting unwanted traffic to a non-existent internal IP | Intercept traffic to published services early |
| WAF Blocked countries | Web servers published through WAF | Block countries directly in a WAF rule |
| Threat Feeds | Dynamic lists of known malicious sources | Automatically block botnets, scanners, malware infrastructure and known attacker IP addresses |
The right method depends on where the traffic is technically processed. Sophos points out that Firewall Rules do not always apply to traffic going to a Hosted Address used in WAF. In those cases, a WAF country rule or a Black Hole DNAT Rule is often more suitable.
Block countries with a Firewall Rule
For general country blocking, one can create a Firewall Rule with Drop.
Menu path:
Rules and policies > Firewall rules
Recommended fields:
| Field | Value |
|---|---|
| Rule name | descriptive name, for example BLOCK_COUNTRY_PANAMA |
| Rule position | Top |
| Action | Drop |
| Source zones | Any |
| Source networks and devices | country, country group, IP list or host group |
| During scheduled time | All the time |
| Destination zones | Any |
| Destination networks | Any |
| Services | Any or a defined service |
For country blocking, it is important not to set Source zones and Destination zones too narrowly. If only WAN is entered as Source zone, the rule may not apply to all relevant traffic paths.
Black Hole DNAT for unwanted sources
A Black Hole DNAT Rule translates traffic to a destination that does not exist in the network. The traffic therefore goes nowhere and does not reach the actual service.
This is especially useful when a service is published with DNAT and specific sources should be intercepted before the real port forwarding rule.

Example:
| Field | Value |
|---|---|
| Rule name | BLOCK_BAD_IPS_COUNTRIES |
| Rule position | Top |
| Original source | Bad IP list, country or country group |
| Original destination | public WAN IP or WAN host object |
| Original service | Any or the published service |
| Translated source (SNAT) | Original |
| Translated destination (DNAT) | dummy host that does not exist |
| Translated service (PAT) | Original |
| Inbound interface | Any |
| Outbound interface | Any |
The dummy host should use an IP address that does not exist in the local network and is not routed. It is important that this rule sits above the actual DNAT rules. NAT rules are processed from top to bottom. If the normal DNAT rule matches first, the Black Hole DNAT Rule is too late.
Why rule order is critical
With NAT rules, the first matching rule wins. A Black Hole DNAT Rule therefore has to be placed very high up, usually at the top of the NAT rule table.
Example order:
- Black Hole DNAT for Bad IP list and blocked countries
- specific DNAT rules for published services
- special SNAT rules
- general MASQ rule for outbound traffic
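To make the first-match behaviour and the dummy-host requirement concrete, here is an added example (not Sophos code or a Sophos API; the addresses, rule names and object names are constructed placeholders) that models a small NAT table in Python, runs the same Bad IP source through a correct and a wrong rule order, and checks that the black hole destination lies outside every local network:

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample addressing (placeholders, not taken from any real deployment).
WAN_IP = ipaddress.ip_address("203.0.113.10")            # public WAN IP of the firewall
WEB_SERVER = ipaddress.ip_address("192.168.10.50")       # real published web server
DUMMY_HOST = ipaddress.ip_address("10.255.255.254")      # unused, unrouted dummy destination
LOCAL_NETS = [ipaddress.ip_network("192.168.10.0/24"),
              ipaddress.ip_network("192.168.20.0/24")]
BAD_IPS = [ipaddress.ip_network("198.51.100.0/24")]      # hypothetical "Bad IP list" object

@dataclass
class NatRule:
    name: str
    original_source: List[ipaddress.IPv4Network]           # empty list = Any
    original_destination: Optional[ipaddress.IPv4Address]  # None = Any
    translated_destination: Optional[ipaddress.IPv4Address]  # None = Original

def first_match(rules: List[NatRule], src: str, dst: str) -> Tuple[Optional[str], ipaddress.IPv4Address]:
    """NAT table semantics as described above: evaluate top-down, first matching rule wins.
    Returns (matched rule name or None, destination after translation)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        src_ok = not rule.original_source or any(s in net for net in rule.original_source)
        dst_ok = rule.original_destination is None or d == rule.original_destination
        if src_ok and dst_ok:
            translated = rule.translated_destination
            return rule.name, (translated if translated is not None else d)
    return None, d

def dummy_host_is_safe(dummy: str, local_nets: List[ipaddress.IPv4Network]) -> bool:
    """The black hole destination must not fall inside any local network,
    otherwise intercepted traffic lands on a real system."""
    return not any(ipaddress.ip_address(dummy) in net for net in local_nets)

BLACK_HOLE = NatRule("BLOCK_BAD_IPS_COUNTRIES", BAD_IPS, WAN_IP, DUMMY_HOST)
WEB_DNAT = NatRule("DNAT_WEB", [], WAN_IP, WEB_SERVER)   # Any source -> published service
CORRECT_ORDER = [BLACK_HOLE, WEB_DNAT]                   # block rule on top
WRONG_ORDER = [WEB_DNAT, BLACK_HOLE]                     # typical mistake: block rule below

if __name__ == "__main__":
    for label, table in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(label, first_match(table, "198.51.100.7", str(WAN_IP)))
    print("dummy host safe:", dummy_host_is_safe(str(DUMMY_HOST), LOCAL_NETS))
```

With the wrong order the Bad IP source is translated to the real web server, exactly the failure listed under typical mistakes; a legitimate source reaches the web server in both orders.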
The same principle applies to Firewall Rules: specific block rules must sit above general allow rules. Otherwise, traffic may already have been allowed before the Drop rule is checked.
Do not leave Source on Any unnecessarily
For published services, the Source should be restricted as much as possible.
Useful sources can be:
- individual public IP addresses
- networks of partners or branch offices
- countries from which access is expected
- FQDN Hosts or DNS Host Groups, where appropriate
- maintained Host Groups with allowed admin IP addresses
Any only makes sense if the service really has to be reachable worldwide. In that case, additional safeguards should be enabled: logging, IPS, MFA where possible, strong authentication, up-to-date target systems and Threat Feeds.
Use Threat Feeds as an additional layer
Manual lists and country rules are static. Attacker infrastructure changes continuously. That is why we additionally recommend Sophos Firewall Threat Feeds.
Threat Feeds are especially helpful for:
- known scanner IP addresses
- botnets
- malware infrastructure
- compromised hosts
- dynamically maintained Bad IP lists
This avoids having to maintain every single IP manually. The firewall can block known bad sources before they reach the published service.
Typical mistakes
| Mistake | Impact |
|---|---|
| Black Hole DNAT is below the normal DNAT rule | The normal DNAT rule matches first, so the block rule does not apply |
| The dummy destination actually exists in the network | Traffic unexpectedly lands on a real system |
| Source is maintained differently in the NAT rule and Firewall Rule | Rules become hard to understand and drift apart |
| Country blocking is used as the only protection | Bots from allowed countries can still attack |
| Logging is disabled | Log Viewer does not clearly show which rule matched |
Troubleshooting
If a block rule does not apply, check the following in this order:
- Is the NAT or Firewall Rule really above the allow rules?
- Does the source IP match the Bad IP list or selected country?
- Is the traffic processed by a WAF rule, DNAT rule or Firewall Rule?
- Is logging enabled on the affected Firewall Rule?
- Does Log Viewer show the expected Firewall Rule ID or NAT Rule ID?
- Is the traffic visible in Diagnostics > Packet capture?
For further analysis, the articles Firewall rule not matching: Check order, matching and logs, Using Packet Capture in WebAdmin and Understanding NAT on Sophos Firewall: SNAT, DNAT, MASQ, PAT also help.