Issue abstract: Wanting to block a range of addresses using connection rules, but all the standard ways I’ve seen for entering address ranges are rejected with “Invalid IP Address”.
Detailed description: In the “Edit Rule” dialog, in the “Remote IP address” field, how can one enter a range of addresses? Say you want to block all 255 addresses below A.B.C
@Tony_Garland Unfortunately I don’t have a solution for you. The previous version of N360 allowed entering a range of addresses using “-” but v24 won’t accept it. When v24 self-installed, I noticed that several of my traffic rules didn’t make it over so I created them manually and found I had to type each address separated by a comma. I didn’t have the daunting task you’re facing. Mine required about two dozen addresses but even that was still annoying.
I suggest reaching out to Norton’s support. @bjm provided instructions on contacting them in this thread Unable to download and install my Norton subscription - #7 by bjm
If they have a solution, I’d appreciate it if you would post it here.
I saw your other post about traffic rules. I read the instructions as you do regarding “ALL”. I am aware that with traffic rules (not program rules) the order of where the rule appears on the list is very important. Could that be a factor in your situation? Traffic rules are processed top to bottom. https://support.norton.com/sp/en/us/home/current/solutions/v1028031
Worst case scenario, if you can’t block traffic to a particular IP address using Norton, maybe consider using your router’s firewall? Of course, that affects everyone connecting via that router, so maybe that’s not a solution.
Good luck.
I also remember being able to enter address ranges (or using masks) in previous versions. I will check out the link about how to contact Norton to ask about it in a live chat… and will post whatever I find out.
Regarding the order of rules–the issue seems to be that Traffic Rules are implemented in two layers/stages: (1) Application rules (and the default Smart Mode allows signed applications which one typically wants); then (2) Connection rules. My application rules list tons of signed apps, but my connection rules only contain entries for IPs I want to block. It appears signed apps get approval from the Application rules regardless of the connection rules–which one would presume would apply to all applications. That’s what I’m seeing… if the app is a signed one, then it doesn’t get subjected to any of the connection rules.
My work-around presently is that I’ve turned on the Apple firewall which does support blocking address ranges. It involved minor customization of /etc/pf.conf – along with a cron job which monitors the md5sum of pf.conf in case my customizations get reverted by an OS upgrade, and also verifies the firewall stays turned on. (I notice Norton turns it off when first installed.)
So far, the work-around is doing the job like I want–but it seems crazy to have to enable the Apple firewall when the Norton “smart” firewall is already running… but can’t block ranges of addresses. Nevertheless, it is doing what I need at the moment.
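The cron check described in the post above could look like the following. This is an added example, not the poster's own script; the baseline path, the `PF_WATCH_RUN` switch and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: cron-driven check that pf.conf is unchanged and pf is still on.
# PF_BASELINE, PF_WATCH_RUN and all function names are hypothetical.
PF_CONF="${PF_CONF:-/etc/pf.conf}"
PF_BASELINE="${PF_BASELINE:-/usr/local/etc/pf.conf.md5}"

# Print the MD5 digest of a file (md5sum where present, macOS `md5 -q` otherwise).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# Return 0 if the file matches the recorded digest, 1 if it drifted,
# 2 if either file is unreadable (never treated as "unchanged").
pf_conf_unchanged() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    [ "$(file_md5 "$1")" = "$(tr -d '[:space:]' < "$2")" ]
}

# Read `pfctl -s info` output on stdin; succeed only on "Status: Enabled".
pf_status_enabled() {
    grep -q '^Status: Enabled'
}

# Run both checks, print one line per problem, return the number of problems.
pf_watch() {
    problems=0
    pf_conf_unchanged "$PF_CONF" "$PF_BASELINE" || {
        echo "pf-watch: $PF_CONF differs from baseline or is unreadable"
        problems=$((problems + 1))
    }
    pfctl -s info 2>/dev/null | pf_status_enabled || {
        echo "pf-watch: pf is not enabled"
        problems=$((problems + 1))
    }
    return "$problems"
}

# Record the baseline once after editing pf.conf:
#   file_md5 /etc/pf.conf > "$PF_BASELINE"
# A root cron entry then runs the script with PF_WATCH_RUN=1.
if [ "${PF_WATCH_RUN:-0}" = 1 ]; then
    pf_watch
fi
```

Cron mails any output to the job's owner, so a silent run means both checks passed.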
@Tony_Garland I agree with you that connection rules ought to take precedence over app rules.
It’s good that you have a workaround but it would be easier to have all the firewall rules centralized. Hope Norton support will be able to help you.
So… I had the experience I figured I’d have with contacting a Norton Agent (not a bot, but a real live agent).
The agent did not read, or didn’t take the time to understand, the issue (inability to enter a range of addresses for a traffic rule–specifically a connection rule).
Pasted me a big long stock response in the chat–which seemed to be for the Windows version, not the Mac version.
Connected via remote control and had no idea how to enter a range of addresses. Told me to try all the variations I’d already indicated to NOT work (e.g., net mask, start-end, and comma-separated list of individual addresses (which isn’t practical for an entire subnet)).
Our remote control session got disrupted and the representative has not contacted me back.
Since I spent about 30 minutes waiting to get a human in the first place, I’m not about to go through the same routine. The rep clearly doesn’t recognize the issue, has no idea how to solve it, and left me with no real solution.
Such is the state of “product support” nowadays – and Norton isn’t unique in this regard.
A “smart firewall” that doesn’t appear to support entering a range of network addresses: go figure!
@Tony_Garland Really sorry to hear about your experience though I can’t say I’m surprised. Unfortunately my experience dealing with tech support, Norton and elsewhere, parallels yours. Also not infrequently I find tech support agents know less than me, and that’s a pretty low bar so it gets frustrating.
After I got your message I decided to give tech support a try myself this afternoon but I gave up after waiting an hour. I don’t know that it’ll do any good but I sent detailed questions in the chat message and asked that they send me their response by email, not that I expect a response even if they get the chat message.
While I was waiting for the live agent and twiddling my thumbs, I browsed the Community forum and came across this post: Documentation? Program Rule Dialog - #3 by bjm. I sent @bjm a message a few minutes ago asking about designating a range of values in the parameter fields in traffic rules and mentioned that the dash/hyphen doesn’t work in v24. Hoping @bjm or someone else has some ideas.
@Puzzler Sorry to be slow in responding… for some reason I didn’t get notified of your latest response.
Good to know that others have the same question/problem–although no answer seems to be forthcoming.
At this point, I’m betting that this is a bug introduced in their update… because it used to be possible to enter a range and the documentation still implies so.
Perhaps it will just magically get fixed in an update. In the meantime, I’m still relying on the Apple firewall to do the job which Norton smart firewall apparently can’t.
@Tony_Garland No apologies necessary. I hope you’re right that this will be fixed in an update. Fingers crossed that Norton technical staff are reading these posts and making corrections.
If I happen to notice that the problem’s been resolved, I’ll post.
My firewall rules aren’t as extensive as yours but any deficiency in N360 is being covered by my router’s firewall which I actually rely on more heavily. I don’t use Apple but I looked into its firewall after reading your post. It looks good.
Hi @Puzzler - Yes, I rely on my local router when in the office too, but I frequently wind up working offsite, hence my concern to be able to beef up security with the local firewall where appropriate.
I’ll also post if I learn anything additional. Thanks, and happy new year
@Tony_Garland A belated Happy New Year to you!
I just created two traffic rules using the hyphen/dash to designate a range of port values in Version 24. When I typed the hyphen after I entered the first port #, an N360 error message popped up noting “invalid port” but I went ahead and typed the last port #. The error message disappeared and I was able to save the rule.
The only reservation I have is whether to trust that the rule is actually doing what it should. That rule isn’t triggered frequently so it’s a difficult one to check. After all the hiccups with Version 24, I remain a little leery.
@Tony_Garland
I experimented with the traffic rules to replicate what you are wanting to create. I confirmed that the new version of N360 doesn’t recognize the IP A.B.C.0-A.B.C.255 but it does recognize A.B.C.1-A.B.C.255 so it looks like the stumbling block is the 0 in the last octet of the IP. I have no idea why N360 isn’t recognizing that. I didn’t try it but are you able to create a rule for the single IP ending with a 0? If so, maybe the workaround is to create one rule for the 0 and another rule for 1-255. Here’s a screenshot of the test rule I created.
@SoulAsylum Thank you for trying to help. Much appreciated. I reverted to the same N360 version you’re using on all but one of my computers. I left one on Version 24 to track bug fixes in the new version but I’ll likely install V22 on that one too.
As your screenshot shows, firewall rule controls in the previous version were more granular. It addressed network rules and port rules separately. Also, the prompts were helpful. Version 24 doesn’t come close. Here are screenshots of the old vs new rule creation screen. @Tony_Garland I may have forgotten to mention that all my computers are running Windows OS.
@Tony_Garland In reviewing N360’s default traffic rules, I noticed that a rule for Multicasting in Private network mode has the starting IP address ending with the 0, so N360 obviously recognizes 0 as valid but not in custom rules? It’s an annoying
@Tony_Garland Just a heads up. I had a couple of minutes so I tried creating a rule for a single IP address ending with a 0 and it worked, so perhaps you can explore the workaround I posted earlier to see if it works in your situation. Hope it does. That said, I’m reverting to the earlier version. I found another flaw in Ver 24 and it’s one straw too many for this old camel…at least for now.
Hello @SoulAsylum - Thanks for lending a hand! Appreciated!
Unfortunately, the version I’m using has a much-simplified dialog for configuring the network rules which has no explicit support for a separate starting or ending address or range. Hence I figured the start-end or address/mask syntax variants would be needed.
Anyway, my dialog is more similar to what @Puzzler sees on his Windows version (but I’m using the mac version).
So no help or entry fields that support ranges. Just a single entry box labeled “Remote IP Address”.
Hi @Puzzler - Thanks for the additional idea of using two ranges: A.B.C.1-A.B.C.255 plus A.B.C.0. Unfortunately, on the MAC version, I’m unable to enter ANY two addresses separated by a dash. So A.B.C.1-A.B.C.255 is rejected with “invalid IP address”. Can’t even enter A.B.C.1-A.B.C.2 !
So I remain dependent on my Apple firewall being enabled in addition to the Norton “Smart” Firewall for now.
Appreciate the mind-share you’ve both spent on this. My solution at present is adequate, just seems crazy that I have to have TWO firewalls enabled to get what should be possible within Norton–and used to be from what I remember.
Thanks all. I was trying to show the difference between the reverted version (my screenshot) so you guys can reference it with the 24.xx. It is indeed more granular and prompts where the new release doesn’t come close. Norton appears to want as much control of traffic as possible. Whether that is for protection or other purposes remains to be determined. I believe it to be a mix of both based on what I have seen between the old and new releases.