Topic: Blocking a range of internet IPs
« on: October 07, 2008, 03:28:23 »
Mad Medicine *
Posts: 10

Had an unwanted person enter my TeamSpeak server tonight. I immediately banned his IP, and he re-joined 3 seconds later with a different IP, so I banned his whole range of IPs, 10.10.*.* (just an example, won't post his IP here).

Basically I wanted to put in a firewall rule to block all traffic from his range, to deter other possible malicious attacks. Now I wanted to know if the rule I created is created properly.

In Wan:

Proto   Source          Port   Destination   Port   Description
*       10.10.0.0/16    *      *             *      bad people

I used "network" instead of "single host or alias" but was stumped as to how to block the whole range. Do I just enter his actual IP and add /16? Or is the 10.10.0.0 fine? Or do I have to write it differently?
« Reply #1 on: October 07, 2008, 10:26:56 »
markb ****
Posts: 331

Yes, that would be the way to indicate a range; you just need the relevant subnet bits to cover the range of IPs that you want to block. However, this is potentially not the place to protect your systems. If you have a server that is open for legitimate traffic, unless you know all of the legitimate IP addresses and allow them specifically, your intruder could just keep changing his IP address until he finds one to try again.

I remember at my previous company the web development team trying to have a go at the comms team because someone hacked the web site. Of course the comms team told them where to go. The hack had gained access over port 80, which obviously needs to allow traffic to browse the web server. The issue was poor security on the web server, which was the responsibility of the web team.

This is the same for your service. You have to allow traffic to the server (make sure you only forward the ports necessary, though). If the security on the server is good, then even if they can send packets to the server they will not compromise the server.

The other alternative is to look at a higher-end commercial firewall that looks closer at the traffic and can distinguish between legitimate traffic and an intrusion.
« Reply #2 on: October 15, 2008, 03:11:56 »
Mad Medicine *
Posts: 10

Thanks, forgot to check back here. I'm glad this should work. I'm not worried about some people not being able to get onto my services. m0n0wall is protecting my home networks. I just use TeamSpeak (voice chat for gaming) with some friends, and I looked up the IP of the person that wasn't welcome and was speaking a different language. Since his whole subnet is part of his local ISP in his town/country, I know I'll never be in that area using the internet, nor would anyone that I know (family or friends) be trying to access my network from there.

The only negative impact would be using peer-to-peer (BitTorrent), where peer traffic would be blocked from that IP range, which I wouldn't care about anyway.
« Reply #3 on: March 12, 2009, 08:45:49 »
hpr *
Posts: 7

Newbie's follow-up question:
Is it possible to create an alias as a list containing several individual hosts?
Something like {192.168.1.1; 192.168.1.4}

RTFM'd, browsed here but didn't find a suitable reply...
Thanks,
HP.
« Reply #4 on: March 12, 2009, 10:03:00 »
ChainSaw
Guest

Not to my knowledge.

CS...
« Reply #5 on: March 12, 2009, 14:04:12 »
Uluen **
Posts: 59

Newbie's follow-up question:
Is it possible to create an alias as a list containing several individual hosts?
Something like {192.168.1.1; 192.168.1.4}
It's on the to-do/wishlist (http://m0n0.ch/wall/todo.php).

It would be a nice feature.
« Reply #6 on: March 13, 2009, 15:46:30 »
knightmb ****
Posts: 341

Go here: http://www.subnet-calculator.com/cidr.php

Simplifies the whole CIDR range concept for me.

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
« Reply #7 on: March 13, 2009, 16:42:01 »
hpr *
Posts: 7

Thanks, Uluen, second best answer...

And thanks knightmb, well-known tool, but not what I need.

I'd need something looking like
<alias>
 <name>TrustedServers</name>
 <address>{192.168.1.1; 192.168.1.4}</address>
</alias>

or possibly
<alias>
 <name>TrustedServers</name>
 <address>192.168.1.1</address>
 <address>192.168.1.4</address>
</alias>

NB: I have neither tested these things, nor are they config-file-like, but just to give you an idea..

Thanks,
HP.
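An added example, written here in Python and not taken from m0n0wall or from any poster in this thread, that serves two questions above: the first post's "do I enter his actual IP and add /16, or is 10.10.0.0 fine?", and hpr's wish for an alias holding several individual hosts. It goes a little beyond the thread by also computing the smallest CIDR blocks that cover an arbitrary first..last address range (the "relevant subnet bits" from reply #1) and by evaluating a small first-match ruleset. The alias-as-list, the rule tuples, the default action and every address in it are constructed for illustration; m0n0wall's real rule engine is ipfilter and is not modelled here.

```python
import ipaddress
from typing import Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_entry(text: str) -> Network:
    """Parse one address entry as it would be typed into a rule or alias.

    A bare host ("192.168.1.1") becomes a /32; "10.10.0.0/16" is taken as-is.
    strict=False means a host written with a prefix, e.g. the intruder's real
    address as 10.10.55.7/16, is normalised to 10.10.0.0/16, so both spellings
    from the original question produce the same block.
    """
    return ipaddress.ip_network(text.strip(), strict=False)


def range_of(entry: str) -> Tuple[str, str, int]:
    """First address, last address and size of the block an entry covers."""
    net = parse_entry(entry)
    return (str(net.network_address), str(net.broadcast_address), net.num_addresses)


def cover_range(first: str, last: str) -> List[str]:
    """Smallest set of CIDR blocks covering first..last inclusive, i.e. the
    subnet bits needed to cover a range, computed rather than guessed."""
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]


def build_alias(entries: Iterable[str]) -> List[Network]:
    """An alias as a plain list of hosts and/or networks. This is a constructed
    model of the feature hpr asks about, not m0n0wall's own alias format."""
    return [parse_entry(e) for e in entries]


def alias_matches(alias: List[Network], src_ip: str) -> bool:
    """True if the source address falls inside any entry of the alias."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in alias if net.version == ip.version)


# (action, source alias, description) -- a constructed rule shape
Rule = Tuple[str, List[Network], str]


def decide(rules: List[Rule], src_ip: str, default: str = "block") -> Tuple[str, str]:
    """First-match evaluation of a ruleset against a packet's source address.

    Returns (action, description). The default action when nothing matches is
    an assumption of this model, not a statement about m0n0wall's WAN policy.
    """
    for action, alias, description in rules:
        if alias_matches(alias, src_ip):
            return action, description
    return default, "no rule matched"


# Constructed sample ruleset mirroring the thread: the /16 block from the
# first post and a multi-host "TrustedServers" alias from reply #3.
BAD_PEOPLE = build_alias(["10.10.0.0/16"])
TRUSTED_SERVERS = build_alias(["192.168.1.1", "192.168.1.4"])
WAN_RULES: List[Rule] = [
    ("block", BAD_PEOPLE, "bad people"),
    ("pass", TRUSTED_SERVERS, "trusted servers"),
]

if __name__ == "__main__":
    # The intruder's host written with /16 collapses to the same network.
    print(range_of("10.10.55.7/16"))                    # ('10.10.0.0', '10.10.255.255', 65536)
    print(cover_range("10.10.0.0", "10.11.255.255"))    # ['10.10.0.0/15']
    for src in ("10.10.200.3", "192.168.1.4", "192.168.1.2"):
        print(src, decide(WAN_RULES, src))
```

Two things worth noticing when you run it: a host with host bits set is silently widened to its network by `strict=False`, so 10.10.55.7/16 and 10.10.0.0/16 are the same rule, which is the answer to the first post; and a single host in an alias is just a /32, so a list of hosts and a list of networks can be matched by the same code. The ruleset is evaluated first match wins, so order the block rule before any broader pass rule.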
« Reply #8 on: March 14, 2009, 04:11:20 »
knightmb ****
Posts: 341

I don't know if this was mentioned, but I use TeamSpeak a lot. Can't you ban him from TeamSpeak instead of having to go through this with m0n0wall, with usernames, or are you trying to run a completely open TeamSpeak server?

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com