Blocking inbound traffic by IP address
Reposting here as a new idea, based upon recommendations from a separate discussion thread...
I am asking for a feature that selectively blocks inbound traffic that would otherwise be allowed, based on a set of IP address ranges. This is a standard feature in all commercial-grade firewalls, and it's used almost ubiquitously for a variety of reasons. It's all about defense in depth -- mitigating the effect of other weaknesses and holes.
One such use case has to do with UPnP. Practically speaking, since the UPnP service is enabled by default, inbound traffic is NOT effectively blocked by default. In today's homes, there are often one or more devices that will open up the LAN to inbound traffic via UPnP, when available. While I would argue that UPnP is a bad idea and should simply be disabled (at least by default), the ability to block inbound IP addresses would be useful in locking down UPnP without disabling it completely, especially if you could selectively block IP ranges by inbound service type.
It would also be useful if such a feature allowed specifying the IP addresses to be blocked both explicitly (as a range) and by consulting with some of the readily available blocklists. For example, some of the spam-blocking lists are things like dialup networks, which as a class might be good to block, depending upon your needs. Also, blocking by geographic region can be immensely helpful, as so many attacks originate in Russia and China.
There are many other good reasons for this feature, including to provide some protection against bugs in Netgear's code.
So, please consider adding this feature. It is much needed!