Devel Version GeoIP Tutorial

Iceman24

I've talked with several people from different forums, have done research, but with the devel version I've been unable to get an answer about how to set this up. As of now, I've never even tried because I simply do not know what to do.

I want to whitelist the USA, Canada, UK, maybe a few others rather than blocking the world. I have some open WAN ports that tend to change over time.

How exactly do I set this up? It's not clear to me from anything I've read or when I look in settings. I do know the devel version if different, not that I know for sure how to setup other version as I never have. Thanks for the help.

provels

I don't really understand it either, though I doubt it would matter that much to me, having only 1 random UDP WAN port open for OpenVPN. But it would be good to understand the how.

jdeloach

Did you do a search on the Netgate Forum, (this forum) for info about the pfBlocker devel version as well as the stable version?

There's lots of good information on this subject as well as access to the maintainer that supports this package. You can also search on Google but in most cases it will just take you back to this forum.

If you have questions about how to set it up, ask away on this forum. This is what it is here for.

Iceman24

@jdeloach I did, didn't find anything for devel version. I've found it much easier to setup than other for for adblocking and such, but the GeoIP I'm at a loss for and anyone I've talked to about it didn't know, at least not for devel version how to set it up. I'm asking now with this thread since I've been unable to find anything on how to do it.

provels

@Iceman24 I agree the devel version is is far easier to setup since it comes with some default lists chosen. Otherwise how does one make sense of the zillion lists available? But with GeoIP, since all WAN access is blocked by default, does it really do anything? If a country's access is set to "Disabled", is it then up to the WAN rules to block? Or if GeoIP blocks, say, China does that take precedence over FW rules? I would think one would need to set Permit/Deny on all countries to have it be effective, rather than choose Permit over Deny. Dunno, I'm just a DFU.

JeGr

@provels said in Devel Version GeoIP Tutorial:

But with GeoIP, since all WAN access is blocked by default, does it really do anything? If a country's access is set to "Disabled", is it then up to the WAN rules to block? Or if GeoIP blocks, say, China does that take precedence over FW rules? I would think one would need to set Permit/Deny on all countries to have it be effective, rather than choose Permit over Deny. Dunno, I'm just a DFU.

pfBlocker does nothing more than to create firewall rules or aliases for you. In the default configuration it handles block/pass rules on WAN/LAN/other interfaces. But if you block something that already is blocked (block any default is a thing), that does nothing. So it would be much easier to just select the countries you "like" and let pfBlocker create an Alias for them. That alias gets updated by pfB and you can use it in whatever firewall rule you like or as source for your open OpenVPN port.

Besides that I don't see the point in blocking countries if anything you offer is a simple OpenVPN port as a normal good setup of OVPN is robust enough. And you don't have a situation where your favourite coffee shop's WiFi is suddenly detected as being mid-sahara and blocked. ;)

provels

@JeGr Thanks for the reply, and I agree on no benefit for myself. But even if I "like" US, default is still to block what's not permitted, so what's the point? Just stem floods from a random country? If I deny a country but the traffic is blocked by default anyway, either way the FW has to make a call. Same/same?Redundant? No? On the other hand, I find the ad blocking extraordinary as well as the default outbound blocks to suspect hosts/IPs. I used to use a program called "Hostsman" on my Windows PCs which I think has been abandoned by it's developer, but was a pain to maintain each individual box .

Edit - Above I'm referring to inbound connections, not the outbound one can choose to permit/deny.

JeGr

@provels said in Devel Version GeoIP Tutorial:

If I deny a country but the traffic is blocked by default anyway, either way the FW has to make a call. Same/same?

That was what I was writing. It makes no sense to "double block". On the other hand I see no sense - for example - in allowing only certain countries access to an OpenVPN port. If that is configured properly there shouldn't be that much more hits or traffic or connection attempts than normal port probing anyway.

@provels said in Devel Version GeoIP Tutorial:

I find the ad blocking extraordinary as well as the default outbound blocks to suspect hosts/IPs

I agree, that's two use cases I see pfBNG perform very well. Also logging those requests against suspect IPs is a good start in finding out if a box is just noisy or perhaps compromised. A client of ours was "protected" (aka lucky) to have it as one user got himself a crypto-trojan and it couldn't contact the control server so stayed dormant. Not a huge protection bonus but more like a "small additional line of defense". :)