GeoIP blockage not working
-
Hi
Currently I'm trying to get the GeoIP blocking working. I created an account on MaxMind and it downloaded the IPs correctly, but on the dashboard I see this.
Not sure what step I missed?
-
@killmasta93 You have them set to 'Alias Deny'. In which case, in order to block traffic, you would need to define some firewall rules that target the generated aliases.
You probably want one of the Deny options. Then pfblocker will also create the rules for you as well as the aliases.
-
@darcey Thanks for the reply, currently I have this
-
@killmasta93 It's not good practice to try and block the internet. It's much easier to just allow the countries you want on the rules you want them to access, like your OpenVPN or port forward.
Just use the alias for the country you want to allow in those rules vs trying to block everything else on the planet other than what you want to allow.
-
@killmasta93 That looks like it should work. However something I just noticed in your pfblockerNG status screenshot: The 'Count' is empty for all but two of the aliases. I think that means those aliases are unpopulated.
Check you actually have countries selected in those regions. Then run pfblocker update IP and check the log.
Also, as @johnpoz says, you might want to take an allow (src address and dst port) rather than the deny approach with respect to exposing WAN services.
-
@johnpoz
Thanks for the reply. Currently I'm testing it in a test environment; the idea is to allow only my country and block the rest, because it's a website only for our country.
So what you're saying is something like creating an inverse rule?
Thank you
-
@killmasta93 No, you would not use an inverse (bang) as source. If all you want to allow is S America, then that would be the source.
By default all are deny. If you create a rule that says "hey, source SAmerica can access my port", then an IP that is not in the SAmerica list would not trigger that rule, and the traffic would just fall through your rule list to the default deny.
Here are my allowed traffic for example
This is an alias that has both US and, since I have a friend in Morocco, that as well, along with some other IPs that I allow.
-
@killmasta93
No, use two firewall rules:
- Allow your country
- Then block everything else (by rule order)
-
@patch Yeah, you don't need a block, since it is default deny. If traffic is not allowed it is denied. You only need a block and an allow rule if you, say, want to allow an IP to do something but block all others to that whatever, but at the end, say on your LAN, you have a default allow any-any rule.
On WAN, since there is no default any-any rule, all you need to do is limit what can access it, and by default anything that doesn't match that would be denied.
-
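The rule-evaluation behaviour johnpoz and darcey describe above (first matching quick rule wins, WAN has no default pass so unmatched traffic hits the implicit deny, an unpopulated alias matches nothing) can be reproduced with a small simulator. This is an added example, not code from the thread or from pfBlockerNG; the alias names and the address ranges inside them are constructed for illustration, not real MaxMind data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Dict, List

# Constructed aliases standing in for pfBlockerNG's generated GeoIP aliases.
# The ranges are made up for this example; a real alias holds MaxMind data.
# The second alias is empty on purpose: this is what an alias with an empty
# 'Count' on the pfBlockerNG status page behaves like.
ALIASES: Dict[str, List[str]] = {
    "pfB_SouthAmerica_v4": ["190.0.0.0/8", "200.0.0.0/8"],
    "pfB_NorthAmerica_v4": [],
}


@dataclass
class Rule:
    action: str                    # "pass" or "block"
    src_alias: Optional[str]       # None means "any" source
    dst_port: Optional[int] = None # None means any destination port
    invert_src: bool = False       # the GUI's "not" (bang) on the source


@dataclass
class Packet:
    src: str
    dst_port: int


def src_matches(rule: Rule, pkt: Packet, aliases: Dict[str, List[str]]) -> bool:
    """Does the packet's source satisfy the rule's source field?

    An alias with no members can never match, so a pass rule built on an
    unpopulated alias never fires.
    """
    if rule.src_alias is None:
        return True
    ip = ipaddress.ip_address(pkt.src)
    nets = [ipaddress.ip_network(n) for n in aliases.get(rule.src_alias, [])]
    hit = any(ip in n for n in nets)
    return (not hit) if rule.invert_src else hit


def evaluate(rules: List[Rule], pkt: Packet,
             aliases: Dict[str, List[str]] = ALIASES,
             default: str = "block") -> str:
    """pfSense-style evaluation: rules are 'quick', so the first match wins.

    On WAN there is no default allow, so anything that falls off the end of
    the list gets the implicit deny (default="block").
    """
    for rule in rules:
        if src_matches(rule, pkt, aliases) and \
                (rule.dst_port is None or rule.dst_port == pkt.dst_port):
            return rule.action
    return default


# The approach recommended in the thread: one pass rule with the country
# alias as source; nothing else is needed on WAN.
def allow_only_rules() -> List[Rule]:
    return [Rule("pass", "pfB_SouthAmerica_v4", dst_port=443)]


# patch's two-rule version: identical outcome, the trailing block is redundant.
def allow_then_block_rules() -> List[Rule]:
    return allow_only_rules() + [Rule("block", None)]


# The inverse-bang idea killmasta93 asked about: a block rule with
# "not SouthAmerica" as source. On WAN this passes nothing, because no rule
# ever says "pass"; South American sources still fall through to the deny.
def inverse_block_only_rules() -> List[Rule]:
    return [Rule("block", "pfB_SouthAmerica_v4", dst_port=443, invert_src=True)]


# The symptom darcey spotted: a pass rule on an alias with an empty Count.
def empty_alias_rules() -> List[Rule]:
    return [Rule("pass", "pfB_NorthAmerica_v4", dst_port=443)]


if __name__ == "__main__":
    for name, rules in [("allow only", allow_only_rules()),
                        ("allow then block", allow_then_block_rules()),
                        ("inverse block only", inverse_block_only_rules()),
                        ("empty alias", empty_alias_rules())]:
        for pkt in (Packet("190.1.2.3", 443), Packet("8.8.8.8", 443),
                    Packet("190.1.2.3", 22)):
            print(f"{name:20s} {pkt.src:>12s}:{pkt.dst_port:<4d} -> "
                  f"{evaluate(rules, pkt)}")
```

Running it shows that `allow_only_rules` and `allow_then_block_rules` give the same verdicts, that the inverse-bang block rule on its own lets nothing through, and that a pass rule on an unpopulated alias denies everything, which is why the empty Count on the status page is worth checking before touching the rules.
-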
@johnpoz
Thank you so much, I think that did the trick.