Rebuilding my firewall -- question on geoip allow or block.



  • I need to rebuild my firewall and when I first built it , I only wanted traffic from the U.S. (still do), it was mentioned that instead of creating rules to block all the other counties (selecting all the countries except the U.S. ) , I should only have selected the two ip4 U.S. listing that I wanted and set them to "allow" traffic. and that by default all other traffic is blocked.

    Question is, is that correct?

    note : this is for a family only website and don't need to have any non-U.S. traffic.

    and yes I could create rules for only the IPs I want, but their IPs do change.



  • The best way is to allow only US, not blocking each country one by one. To do that, you have install pfBlockerng package and then select United States (IPv4 and IPv6) in GeoIP / North America and then select "Alias Native" in List Action, Enable Logging - Enabled and save. Then go to Update section, click update. After that, you have to create a new rule in Firewall WAN tab.
    Action: Block
    Address Family: IPv4
    Source: Invert match
    Single host or alias: pfB_North_America_v4
    Destination: any
    Log: Log packets that are handled by this rule

    Then create a new rule for IPv6 same as IPv4.



  • Thanks for the info,

    let see if I did this correctly
    img1.png
    ip6 is also selected.
    img1a.png
    img1b.png

    did I miss anything?



  • @tross9 That is correct. Keep these rules on the top of your Wan rules.


Log in to reply