Only allow inbound traffic from my own country
-
Hello!
I want to only allow inbound traffic from my own country (Switzerland). My initial idea is to "Deny Inbound" from all regions except from my region. So my question is how should I only permit traffic from my own country while blocking all other countries' traffic?
Please help me to only allow inbound traffic from my country.
Any help is highly appreciated.
Thanks.
Nizo
-
hey there,
if you really need to allow inbound (on WAN interface, I assume) then an easy way would be to work with pfblocker-ng_dev, there use GeoIP lists, create an allow Switzerland, done (since all other incoming should be blocked by default on WAN).
- install package pfbng dev
- register for GeoIP
- create IP blocklist for your needs
-
@nizo67 you then just use this country code or specific list you create on your port forward you setup.
I do this for my plex, I only allow countries where my users are..
-
Thanks a lot.
I am using Squid and SquidGuard too to block storage service providers, which already works fine so far. I installed pfblng and configured it and used the GeoIP (All Deny Inbound, except Europe-Switzerland), and added DNS 53 LAN rules:
1- Pass - IPv4 (TCP/UDP) - * * LAN 53 (DNS) * ----- Pass DNS to the firewall
2- Block - IPv4 (TCP/UDP) - * * * 53 (DNS) * ----- Block DNS to everything else
Now I cannot get any website from the TestVM.
Furthermore the "pfb_dnsbl pfBlockerNG DNSBL service" does not start. I have tried several times. Any advice?
Thanks
-
@nizo67 not sure what that has to do with your thread title question?
-
@nizo67 Only advisory I have here is you might have other unforeseen consequences... I had a customer block all things not in Oceania and they lost access to, among other things, AWS and Microsoft Azure.
-
@nizo67
As stated by others (with much more knowledge and experience than I have): it might have unwanted consequences. So (as always) be sure what you really need and want from it...
Why are you doing all those DNS rules? I cannot see any sense in that. What is your goal, what do you want to achieve?
(edit: never mind, a little bit of good old "thinking about it" solved it... you want to permit only certain DNS server requests, I guess), silly me...
So, if you have e.g. your DNS resolver unbound running on pfSense, it should be something like:
first
allow IPv4 (udp/tcp) ----- Source: your (sub)net (e.g. LAN / VLANxy) ----- Dest: this firewall ----- Port 53
deny IPv4 (udp/tcp) ----- Source: your (sub)net ----- Dest: any ----- Port 53
You might want to put something for port 853 (DNS over TLS) in as well...
And then you could add a rule for a DNS blocklist including all kinds of DNS over HTTPS servers (via pfBlockerNG_dev)... And DNS blocklists have nothing to do with blocking incoming traffic by IP.
:)
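The two mechanisms discussed in this thread, the country allow list applied to a WAN port forward (as pfBlockerNG does with a GeoIP alias) and the LAN-side DNS pass/block pair described just above, written out as plain pf rules. This is an added illustration, not configuration from the original posts or from pfBlockerNG: the interface names, the 192.168.1.0/24 LAN, the internal host 192.168.1.50, the table file path and the use of Plex's default port 32400 are all assumptions.

```pf
# Added example, not from the thread or pfBlockerNG. Assumptions: interfaces
# named wan and lan, LAN subnet 192.168.1.0/24, a forwarded service on
# 192.168.1.50 TCP/32400, and the Swiss GeoIP prefixes exported to a text
# file with one CIDR per line (path assumed).
table <geoip_ch> persist file "/var/db/geoip_ch.txt"

set skip on lo0

# Default deny on every interface; this is what makes the "deny all other
# countries" rule unnecessary: only what is explicitly passed gets in.
block in log all

# Country allow list on the port forward: translate the connection, then
# pass it, but only when the source is inside the <geoip_ch> table.
# The pass rule matches the post-translation destination address.
rdr on wan inet proto tcp from <geoip_ch> to (wan) port 32400 -> 192.168.1.50 port 32400
pass in quick on wan inet proto tcp from <geoip_ch> to 192.168.1.50 port 32400 \
    flags S/SA keep state

# LAN egress for name resolution: clients may talk to the resolver on the
# firewall itself (port 53, and 853 for DNS over TLS), nothing else.
pass in quick on lan inet proto { tcp udp } from lan:network to (lan) port { 53 853 }
block in log quick on lan inet proto { tcp udp } from lan:network to any port { 53 853 }

# Remaining LAN traffic is allowed, matching pfSense's default LAN rule.
pass in quick on lan from lan:network to any keep state
```

Two things worth checking after loading such a ruleset: `pfctl -t geoip_ch -T show` lists what the table actually contains (an empty or stale table silently turns the allow rule into a block), and `pfctl -sr` shows the rules in the order pf evaluates them, which matters because the DNS block must come after the narrower pass. The table decides purely on source prefix, so a legitimate user or service whose address falls outside the Swiss ranges (cloud hosted, roaming, or behind a foreign CDN) is dropped as well, which is the side effect warned about earlier in this thread.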
-
@the-other said in Only allow inbound traffic from my own country:
with much more knowledge and experience than I have
careful, that might go to my head...
-
@rcoleman-netgate
careful, you don't know about my knowledge, skills and experience about networking in general and pfSense... so, it could be quite the contrary to being a compliment... :D
-
Thanks for all of you.
I disabled both rules and still cannot reach any website :(
I'll uninstall it and try again.
Is there any conflict between Squid and pfBlNG?
-
@nizo67 might be helpful, if you could just post a screenshot with...
...your ruleset
...your DNS settings
Have you tried to reach a site with its IP (i.e. ping 8.8.8.8 vs ping google.com)?
What does a ping of an IP address result in?
-
Thanks for all of you :)
It works; I just re-installed it and configured GeoIP. No DNS rules needed.
Cheers,
Nizo