Block by geography
  • Is there a way to block traffic by geography? I know it's not foolproof, but judging from my Fortigate logs it does at least stop some efforts to get past my company firewall.


  • Banned

    See pfBlockerNG package.


  • Rebel Alliance Global Moderator

    There are many places to grab lists of IP blocks based upon geo location.  MaxMind comes to mind, there is the pfBlocker package that does the heavy lifting for this sort of thing.

    What ports do you have open/forwarded now that you're worried about hackers from say China or Russia?  There really seems to be a basic disconnect.

    Out of the box there are ZERO inbound ports allowed to pfSense or your network from the internet/WAN.  Only stuff you request would be allowed.  So are you saying you don't want your devices going to places hosted in China.. Or do you have say HTTP forwarded to some webserver behind pfSense, and you only want IPs from the US to access it?

    So out of the box ALL geo locations are blocked to pfSense - there is no reason to do a specific block unless you don't want these specific locations to access stuff you have opened up, while allowing others to access them.
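The logic johnpoz describes (inbound is default-deny, so a geo list only matters for a port you have deliberately forwarded, where it narrows who may reach that port) is shown below as an added example; it is not code from the thread, from pfSense or from pfBlockerNG. It uses Python's standard `ipaddress` module, a constructed stand-in for a country block list (RFC 5737/3849 documentation ranges, not real allocations), and a constructed set of inbound connection attempts. The function and variable names are assumptions chosen for the example.

```python
import ipaddress

# Constructed sample standing in for a per-country CIDR list of the kind
# MaxMind publishes and pfBlockerNG loads. These are documentation ranges,
# not real US allocations; a real list has thousands of entries.
US_BLOCKS_SAMPLE = """
# comment lines and blank lines are ignored
192.0.2.0/24
198.51.100.0/24
2001:db8:1::/48
"""


def parse_cidr_list(text):
    """Parse a one-CIDR-per-line list (comments with '#', blank lines allowed)
    into ip_network objects. Malformed lines raise rather than being silently
    dropped, because a silently shrunken allow list fails open or closed
    without anyone noticing."""
    networks = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            networks.append(ipaddress.ip_network(line, strict=False))
    return networks


class GeoAllowList:
    """Membership test of an IPv4/IPv6 address against a list of CIDR blocks.
    Mixed address families are handled: a v4 address is never inside a v6 block."""

    def __init__(self, networks):
        self.networks = list(networks)

    def contains(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)


def decide(src_ip, dst_port, allow_list, forwarded_ports):
    """Model the WAN rule order: a port that is not forwarded is blocked
    regardless of source (the out-of-the-box stance); a forwarded port is
    reachable only from addresses in the allowed geo list."""
    if dst_port not in forwarded_ports:
        return "block"
    if allow_list.contains(src_ip):
        return "allow"
    return "block"


def evaluate(events, cidr_text, forwarded_ports=(80,)):
    """Apply decide() to a list of (source IP, destination port) events and
    return (ip, port, verdict) triples."""
    allow = GeoAllowList(parse_cidr_list(cidr_text))
    ports = set(forwarded_ports)
    return [(ip, port, decide(ip, port, allow, ports)) for ip, port in events]


# Constructed inbound attempts: port 80 is the one forwarded service,
# 22 and 3389 are not forwarded at all.
SAMPLE_INBOUND = [
    ("192.0.2.45", 80),        # inside the allowed list, forwarded port
    ("203.0.113.7", 80),       # outside the list, forwarded port
    ("203.0.113.7", 22),       # not forwarded: blocked by default
    ("198.51.100.9", 3389),    # allowed region, but port not forwarded
    ("2001:db8:1::10", 80),    # v6 address inside an allowed v6 block
]

if __name__ == "__main__":
    for ip, port, verdict in evaluate(SAMPLE_INBOUND, US_BLOCKS_SAMPLE):
        print(f"{ip:>16} -> tcp/{port:<5} {verdict}")
```

Running it prints one verdict per event; the only "allow" lines are the two addresses that fall inside the sample list and target the forwarded port. The order of the checks matters for the same reason it matters in a pfSense ruleset: the geo list never opens anything, it only narrows what a port-forward rule already opened.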
  • @johnpoz:

    There are many places to grab lists of IP blocks based upon geo location.  MaxMind comes to mind, there is the pfBlocker package that does the heavy lifting for this sort of thing.

    What ports do you have open/forwarded now that you're worried about hackers from say China or Russia?  There really seems to be a basic disconnect.

    Out of the box there are ZERO inbound ports allowed to pfSense or your network from the internet/WAN.  Only stuff you request would be allowed.  So are you saying you don't want your devices going to places hosted in China.. Or do you have say HTTP forwarded to some webserver behind pfSense, and you only want IPs from the US to access it?

    So out of the box ALL geo locations are blocked to pfSense - there is no reason to do a specific block unless you don't want these specific locations to access stuff you have opened up, while allowing others to access them.

    I'm not sure why I never received notification about replies to my post, so I'm just now seeing these.

    Poring over more documentation and internet searches, I believe you are right that there's probably not much need for me to do this since all inbound ports are blocked by default. I thought maybe it would be a good safety measure to block regions known to be hostile. But after some additional thought I realized it was probably pointless anyway. Any hacker worth his salt isn't going to originate anything from their home country anyway.

    Thanks for the input everyone.