Netgate Discussion Forum

    Block Countries

    Firewalling
    • compucoder

      Hi everyone,

      We recently got hacked and the IP source that did it was from Russia. The hacker didn't hack pfSense directly but got through RDP to our terminal server using the local admin account - they brute-forced it, basically. It wasn't a critical hack, as that server is segregated and has no sensitive data on it, but nevertheless I am concerned and want to prevent this from happening again. One thing I would like to do is eliminate people from certain countries even getting past the firewall. I already do this for our mail server, as there are block lists for just this sort of thing. Is there anything I can configure or install on the pfSense firewall to prevent any access from outside of North America? Our work network does not need access from anywhere else except USA and Canada. If I could stop foreign connections right at the perimeter, then this is one less thing I have to worry about.

      Btw, I already increased security of the hacked server and all other DMZ servers so this shouldn't happen as easily in the future... but these being Windows servers... who knows. :)

      Thanks.

      • GruensFroeschli

        http://forum.pfsense.org/index.php?action=search
        keywords: "block country"

        -> http://forum.pfsense.org/index.php/topic,14500.0.html
        |–> http://forum.pfsense.org/index.php/topic,11279.msg62689/topicseen.html#msg62689

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        • compucoder

          Thanks - this sort of helps. I think the steps expect you to know much more about BSD than I do.

          I found the XML file that has the alias config. Can you tell me what I need to do to import the IP ranges into this file? I tried connecting to pfSense with WinSCP and it refuses to let me in. I can SSH in but don't know how to edit the file to import these addresses. I tried the pico and nano commands and neither works. I have no clue how to use vi/vim so I don't see how I can do this.

          I was thinking of just making an alias for Canada and USA and then using a NOT rule to say everything that isn't one of those subnets is blocked. I hope this is the right logic anyway.

          Thanks.

          • j0ris

            To install nano just do:

            pkg_add -r nano
            

            You can also download the config XML through "Diagnostics -> Backup/Restore", then edit this file locally, and do a restore.

            • focalguy

              Try SFTP with user "root" but same password.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.