Blocking traffic based on GeoIP data

  • It seems that there is no support for the GeoIP package, but maybe there is another possibility to block traffic based on GeoIP data.

    Basically I would like to block any traffic to and from certain regions. Is this somehow possible in pfSense?

  • define "certain regions".

    Per default pfSense blocks everything on the WAN.

    To block outbound connections you could make an alias containing all the subnets you want to block and use this alias in your "allow firewall rule" like:

    source: any
    sourceport: any
    destination: !block_alias (NOT block_alias)
    destinationport: any

  • I do not believe there is a current way to block just based on geographic locations. You end up having to make large assumptions without the list getting too big.

  • As it seems there isn't any GeoIP support in this release, but can we expect it in a next release?

    I would love to make rules that look like:
    iptables -A INPUT -m geoip --src-cc -j DROP

    The GeoLite database is available for free and for a little per month the full version is available to you; it can be loaded as a module in the kernel, ...

    It would be GREEEEEEAAAT!

  • deleted due to honken being right. I was pretty tired and annoyed when I wrote my response. Still I'm asking myself if UltraLinuz bothered to read the responses and looked into what pfSense actually is before making demands for new features.

    • Edited and removed first part about the previous posts *

    I'm looking at pfSense among other things as a potential home firewall solution, and I would very much appreciate a feature like the one described. Being able to block, say, ssh from anywhere apart from the geographic region where I live would be great. Managing it manually would obviously be less desirable. Best thing would be if there was a way to automatically download the monthly MaxMind db file and have rules based on it, similar to what iptables can do as described by the previous poster.

    pfSense really looks like the most solid solution around, and such a feature would make it even better!

  • Sorry to bother you GruensFroeschli, but I am not really familiar with FreeBSD nor with pfSense. As you were asking for some clarification of what I meant by certain regions, I added the iptables taste of what I meant; nevertheless I am just trying to find out what pfSense really can do before I start using it. One of the reasons to replace my current firewall is the fact that this feature is not available.

    Although it isn't a very reliable protection mechanism, I'd really like to get rid of all this spam and intrusion attempts from these few countries I really never visit, mail, nor offer any services to. Since GeoIP is relatively easily included under Linux, it did not seem too big a thing to suggest as a new feature for a next release.

    Meanwhile Anomie suggested on the FreeBSD forum to use

    Looking around, it doesn't seem to be a big deal to handle such lists under FreeBSD/pf. One can easily configure pf to do the job. Although I did not test it yet, I suppose pfSense can be edited from the command line in a similar way. It would be even better to do such a thing from the web interface, but I only could find an option to add the (aliases for the) IP ranges manually. Or am I completely wrong again?

  • In 2.0 you can import IP-lists.
    For 1.2.2 you could download the config.xml in which the aliases are stored, add the big lists you want manually and restore the config.

    This is kind of inconvenient, but better than adding the subnets manually in the gui.
    I also think there is somewhere a thread around describing the exact steps.
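    The two previous posts describe the same workflow from different ends: a country IP list from the GeoIP CSV, aggregated into CIDR blocks, loaded either as a pf table file or as a big pfSense alias. The script below is an added example, not code from this thread or from pfSense; it assumes the legacy GeoLite country CSV layout (start IP, end IP, start integer, end integer, country code, country name), and the sample rows are constructed from documentation address ranges.

```python
"""Aggregate GeoIP country ranges into CIDR blocks for a pf table file."""
import csv
import ipaddress
from io import StringIO

# Constructed sample in the legacy GeoLite country CSV layout (assumed):
# start IP, end IP, start int, end int, country code, country name.
# Addresses are RFC 5737 documentation ranges, not real assignments.
SAMPLE_CSV = """\
"192.0.2.0","192.0.2.127","3221225984","3221226111","AA","Example-A"
"192.0.2.128","192.0.2.255","3221226112","3221226239","BB","Example-B"
"198.51.100.0","198.51.100.255","3325256704","3325256959","AA","Example-A"
"203.0.113.0","203.0.113.63","3405803776","3405803839","AA","Example-A"
"203.0.113.64","203.0.113.255","3405803840","3405804031","CC","Example-C"
"""


def ranges_for_countries(csv_text, country_codes):
    """Yield (start, end) address pairs for rows whose code is selected."""
    wanted = {c.upper() for c in country_codes}
    for row in csv.reader(StringIO(csv_text)):
        if len(row) < 5 or row[4].upper() not in wanted:
            continue
        yield ipaddress.ip_address(row[0]), ipaddress.ip_address(row[1])


def to_cidrs(csv_text, country_codes):
    """Turn the selected start/end ranges into the smallest CIDR list.

    summarize_address_range splits an arbitrary range into CIDR blocks;
    collapse_addresses then merges adjacent blocks (e.g. two /25s into
    one /24) so the resulting table or alias stays as short as possible.
    """
    nets = []
    for start, end in ranges_for_countries(csv_text, country_codes):
        nets.extend(ipaddress.summarize_address_range(start, end))
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def write_table(path, csv_text, country_codes):
    """Write one network per line, the layout pf's 'table ... file' reads.

    The file can then be referenced from pf.conf, for example:
      table <geoblock> persist file "/etc/pf.geoblock"
      block in quick on $ext_if from <geoblock>
    """
    cidrs = to_cidrs(csv_text, country_codes)
    with open(path, "w") as fh:
        fh.write("# generated geo block list, one CIDR per line\n")
        fh.write("\n".join(cidrs) + "\n")
    return len(cidrs)
```

Reloading the table after a monthly refresh is a single `pfctl -t geoblock -T replace -f /etc/pf.geoblock`, so no rule change is needed when the list changes.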

  • I can see the usefulness of something like this. Personally I would love the ability to block any Chinese source IPs. Nothing against the Chinese, they just need to actually BUY their Windows OSes and then they can update regularly. Until then, I and multitudes of others are left to be ssh scanned and whatever else from all of the hacked Chinese and Korean boxes.

    I would think if someone wanted this badly enough, making a package to do this would be the way to go. Alternatively a bounty could be offered for someone to make a package.
