Rebuilding my firewall -- question on geoip allow or block.
-
I need to rebuild my firewall. When I first built it, I only wanted traffic from the U.S. (still do). It was mentioned that instead of creating rules to block all the other countries (selecting all the countries except the U.S.), I should only have selected the two ip4 U.S. listings that I wanted and set them to "allow" traffic, and that by default all other traffic is blocked.
Question is, is that correct?
Note: this is for a family-only website and I don't need to have any non-U.S. traffic.
And yes, I could create rules for only the IPs I want, but their IPs do change.
-
The best way is to allow only US, not blocking each country one by one. To do that, you have to install the pfBlockerNG package and then select United States (IPv4 and IPv6) in GeoIP / North America and then select "Alias Native" in List Action, Enable Logging - Enabled and save. Then go to the Update section and click update. After that, you have to create a new rule in the Firewall WAN tab.
Action: Block
Address Family: IPv4
Source: Invert match
Single host or alias: pfB_North_America_v4
Destination: any
Log: Log packets that are handled by this rule
Then create a new rule for IPv6 same as IPv4.
-
Thanks for the info,
Let's see if I did this correctly.
ip6 is also selected.
Did I miss anything?
-
@tross9 That is correct. Keep these rules at the top of your WAN rules.
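
An added example, not part of the original thread: a small Python model of top-down, first-match WAN rule evaluation, showing how the inverted-alias block rule behaves at the top versus below a pass rule, next to the allow-only form from the question. The alias contents, test addresses and the port 443 pass rule are constructed assumptions.

```python
import ipaddress

# Constructed stand-in for the pfB_North_America_v4 alias (documentation
# ranges, not real GeoIP data).
ALIASES = {
    "pfB_North_America_v4": [
        ipaddress.ip_network("198.51.100.0/24"),
        ipaddress.ip_network("203.0.113.0/25"),
    ]
}

def source_matches(rule, src):
    """Apply the rule's source alias, honouring 'Invert match'."""
    if rule["alias"] is None:          # source: any
        return True
    hit = any(src in net for net in ALIASES[rule["alias"]])
    return not hit if rule["invert"] else hit

def evaluate(rules, src, dport):
    """Top-down, first match wins; unmatched inbound WAN traffic is blocked."""
    ip = ipaddress.ip_address(src)
    for rule in rules:
        if rule["dport"] in (None, dport) and source_matches(rule, ip):
            return rule["action"], rule["name"]
    return "block", "default deny"

def rule(name, action, alias=None, invert=False, dport=None):
    return {"name": name, "action": action, "alias": alias,
            "invert": invert, "dport": dport}

# The rule from the thread: Block, source = NOT pfB_North_America_v4, dest any.
GEO_BLOCK = rule("geo block", "block", "pfB_North_America_v4", invert=True)
# Hypothetical pass rule for the website (port 443 is an assumption).
PASS_WEB = rule("pass web", "pass", dport=443)
# The allow-only alternative: pass only when the source is in the alias.
PASS_WEB_US = rule("pass web from alias", "pass", "pfB_North_America_v4", dport=443)

INSIDE, OUTSIDE = "198.51.100.7", "192.0.2.50"   # constructed test sources

def compare():
    return {
        "block on top": evaluate([GEO_BLOCK, PASS_WEB], OUTSIDE, 443),
        "block below pass": evaluate([PASS_WEB, GEO_BLOCK], OUTSIDE, 443),
        "allow only": evaluate([PASS_WEB_US], OUTSIDE, 443),
        "inside, block on top": evaluate([GEO_BLOCK, PASS_WEB], INSIDE, 443),
    }

if __name__ == "__main__":
    for case, result in compare().items():
        print(f"{case:22} -> {result}")
```

With the block rule below an unrestricted pass rule, the out-of-alias source is passed before the block rule is ever consulted, which is why the block rules belong at the top of the WAN list.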