Only allow certain countries
-
pfBlockerNG is supposed to do this, but I still haven't figured it out: How can I apply different restrictions per IPs (alias)?
From what I can understand, pfBlockerNG can only have one rule. So if you want to allow traffic from the US for some IPs and some others from the UK, that is not possible. Or am I missing something here?
-
Pretty sure you can create whatever aliases you want in pfBlocker and then use those aliases in rules. I have not used it in a while; I personally have no need for it. But I could reinstall to validate what I believe to be true.
But you might be right, you might only be able to create 1 country blocking alias - brb, going to install it.
Edit: OK, out of the box it only has specific aliases you can edit (top20, asia, north america, europe, etc.), but you can create your own aliases using the country listings located in the
/usr/local/share/GeoIP/cc/US_v4.txt (Change 'US' to required code)
So you could create your own lists, picking the files that contain the IP ranges of those countries you're wanting to block, and then use those aliases in your rules.
Go to Firewall > pfBlockerNG > Edit IPv4, for example, create an alias, then click that little i next to the list setting and it will show you the form to use the local geoip text files to create your own aliases.
-
This is so annoying to do for every alias I want with countries - why couldn't pfSense do like many other firewalls and just have a simple way to allow traffic to/from selected country/countries?
I see I was earlier able to get a Europe alias (URL) in my firewall, but I have no idea how I created that - the manual says it should be an "alias only" choice some place, but I do not see it in my new interface.
-
The image below is from the manual and shows an "Alias only" option in the dropdown. It would have solved my problem and I think it is how I created my original URL alias (https://127.0.0.1:443/pfblockerng/pfblockerng.php?pfb=pfB_Europe_v4).
But I don't have this dropdown or anything similar to it in my newer v2.3.2 version of pfSense.
https://www.derman.com/blogs/Setting-Up-Country-Blocking
https://www.derman.com/Resources/Blogs/pfBlockerExampleWorldAreaConfig.png
-
I just ran into a few issues with this. If you're just doing this for countries on one continent then the built-in pfBlocker features work okay. You just select the country you want and select the inverse.
If you're doing this for countries that spread across multiple continents then it seems doing your own alias works best. Create an "Alias Native" and then add a rule that says "if not in alias, then block".
I attached a picture of the configuration in pfBlockerNG. I didn't include the rule. Also, this is on pfSense 2.3.2.
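
An added example, not part of the original thread and not pfBlockerNG's own code: one way to merge several of the per-country files mentioned above into a single collapsed list for a custom alias, and to check an address against the "if not in alias, then block" rule. It assumes the files hold one IPv4 CIDR per line; the function names and the sample data are made up for illustration.

```python
import ipaddress
import tempfile
from pathlib import Path

# Directory quoted in the thread; pass another path when testing off the firewall.
GEOIP_DIR = Path("/usr/local/share/GeoIP/cc")


def load_country(cc, geoip_dir=GEOIP_DIR):
    """Return the IPv4 networks listed in <CC>_v4.txt (assumed: one CIDR per line)."""
    path = Path(geoip_dir) / f"{cc.upper()}_v4.txt"
    nets = []
    for raw in path.read_text().splitlines():
        entry = raw.split("#", 1)[0].strip()  # tolerate blank lines and comments
        if entry:
            # A malformed entry raises ValueError: better to fail than to
            # build a firewall list with silent holes in it.
            nets.append(ipaddress.IPv4Network(entry, strict=False))
    return nets


def build_alias(country_codes, geoip_dir=GEOIP_DIR):
    """Merge several country files into one de-duplicated, collapsed list."""
    nets = []
    for cc in country_codes:
        nets.extend(load_country(cc, geoip_dir))
    return list(ipaddress.collapse_addresses(nets))


def allowed(ip, alias):
    """Mirror of the 'if not in alias, then block' rule: True means pass."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in alias)


def demo():
    """Constructed sample files using documentation ranges, not real GeoIP data."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "US_v4.txt").write_text("192.0.2.0/25\n192.0.2.128/25\n# note\n")
        Path(d, "GB_v4.txt").write_text("198.51.100.0/24\n\n192.0.2.0/24\n")
        alias = build_alias(["us", "gb"], d)
        return ([str(n) for n in alias],
                allowed("198.51.100.7", alias),
                allowed("203.0.113.9", alias))


if __name__ == "__main__":
    print(demo())
```

Overlapping and adjacent ranges from different country files collapse into the smallest equivalent set, so the same list can be reused by several rules without duplicate entries.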
-
You can also use the GeoIP tab ;)
-
Well, maybe. But I doubt it will solve the problem I described.