Is the rule to allow port 80 to your web server above the deny * rule that you setup to block that subnet? The way Sonicwall prioritizes or orders their rules is from the bottom up. So if you have a Deny sitting at rule number 50, that encompasses a broad range, such as you describe, and an allow rule that is specific to a service or 1 ip that is sitting at rule number 25, then the rule 25 will override rule 50. Which lets all traffic come in to port 80 on one specific server..
A workaround is to deny that block to that specific IP, or even further down to the port on your web server. You need to get the rule denying what you want to deny ABOVE your Allow to port 80 on your web server. Hope me and my runon sentences make sense :) Cavell McDermott Domino Admin APW Ltd. - Texas Campus 214-343-1400 - Main 214-355-2022 - Direct 214-341-9950 - Fax http://www.apw.com "Chris Hunt IT Dept" To: <[EMAIL PROTECTED]> <[EMAIL PROTECTED] cc: m> Subject: [SonicWALL]- Sent by: sonicwall-owner @peake.com 01/28/2002 11:35 AM Please respond to sonicwall I have a rule set up to deny service default Source * Addr Range Begin 213.23.0.0 Addr Range End 213.23.255.255 Destination * Apply thie rule always I'm still seeing port 80 activity as my IMail log for today shows this 20020128 000028 213.23.38.248, Mozilla/Mozilla/4.0 (compatible; MSIE 5.5; Windows 98), http://www.sexy-fuck.de/toplisten.html, GET http://www.stringtanga.com/cgi-bin/TheRealTopsites/topsites.cgi?button=show HTTP/1.1 20020128 000028 213.23.38.248, Mozilla/Mozilla/4.0 (compatible; MSIE 5.5; Windows 98), http://www.sexy-fuck.de/toplisten.html, GET http://www.stringtanga.com/cgi-bin/TheRealTopsites/topsites.cgi?button=show HTTP/1.1 20020128 010859 213.23.38.248, Mozilla/Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90), http://www.sexy-fuck.de, GET http://werban.de/hework.cgi?ID=sexyfuck&page=01 HTTP/1.1 20020128 010859 213.23.38.248, Mozilla/Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90), http://www.sexy-fuck.de, GET http://werban.de/hework.cgi?ID=sexyfuck&page=01 HTTP/1.1 20020128 015550 213.23.38.248, Mozilla/Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0), http://www.sexy-fuck.de/toplisten.html, GET http://www.stringtanga.com/cgi-bin/TheRealTopsites/topsites.cgi?button=show HTTP/1.1 20020128 015550 213.23.38.248, Mozilla/Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0), http://www.sexy-fuck.de/toplisten.html, GET http://www.stringtanga.com/cgi-bin/TheRealTopsites/topsites.cgi?button=show HTTP/1.1 There is no damage done but I would rather cut them off at the pass ;) Chris =================================================================================================== To unsubscribe, send email to [EMAIL PROTECTED] In the body of the email put the following: unsubscribe sonicwall your_name The archive of this list is at http://www.mail-archive.com/sonicwall%40peake.com/ --- [This E-mail scanned for viruses by Declude/F-Prot Virus] =================================================================================================== To unsubscribe, send email to [EMAIL PROTECTED] In the body of the email put the following: unsubscribe sonicwall your_name The archive of this list is at http://www.mail-archive.com/sonicwall%40peake.com/
