Netgate Discussion Forum

    Block by geography

      Jmfrost

      Is there a way to block traffic by geography? I know it's not foolproof, but judging from my Fortigate logs it does at least stop some efforts to get past my company firewall.

        doktornotor Banned

        See pfBlockerNG package.

          johnpoz LAYER 8 Global Moderator

          There are many places to grab lists of IP blocks based upon geolocation. MaxMind comes to mind, and there is the pfBlocker package that does the heavy lifting for this sort of thing.

          What ports do you have open/forwarded now that you're worried about hackers from, say, China or Russia? There really seems to be a basic disconnect.

          Out of the box there are ZERO inbound ports allowed to pfSense or your network from the internet/WAN. Only stuff you request would be allowed. So are you saying you don't want your devices going to places hosted in China.. Or do you have, say, HTTP forwarded to some webserver behind pfSense, and you only want IPs from the US to access it?

          So out of the box ALL geolocations are blocked to pfSense - there is no reason to do a specific block unless you don't want these specific locations to access stuff you have opened up, while allowing others to access it.

            Jmfrost

            @johnpoz:

            There are many places to grab lists of IP blocks based upon geolocation. MaxMind comes to mind, and there is the pfBlocker package that does the heavy lifting for this sort of thing.

            What ports do you have open/forwarded now that you're worried about hackers from, say, China or Russia? There really seems to be a basic disconnect.

            Out of the box there are ZERO inbound ports allowed to pfSense or your network from the internet/WAN. Only stuff you request would be allowed. So are you saying you don't want your devices going to places hosted in China.. Or do you have, say, HTTP forwarded to some webserver behind pfSense, and you only want IPs from the US to access it?

            So out of the box ALL geolocations are blocked to pfSense - there is no reason to do a specific block unless you don't want these specific locations to access stuff you have opened up, while allowing others to access it.

            I'm not sure why I never received notification about replies to my post, so I'm just now seeing these.

            Poring over more documentation and internet searches, I believe you are right that there's probably not much need for me to do this since all inbound ports are blocked by default. I thought maybe it would be a good safety measure to block regions known to be hostile. But after some additional thought I realized it was probably pointless anyway. Any hacker worth his salt isn't going to originate anything from their home country anyway.

            Thanks for the input everyone.
