Deny all outbound except specified geoip



  • Has anyone else tried denying all outbound except a specified list of geoip countries? I thought this would be a great idea but after a quick test in became quite apparent that it was going to cause a lot of headaches. For example I allowed US, CA, and UK then deny all and a bunch of websites wouldn't work. I guess there are datacenters all over and eventually I would get it dialed in but just wanted to hear your thoughts. BTW, this is just for at home on my small network with a fast connection. I did search all over the place for answers but didnt find much that was useful. Thanks!



  • @ex1580 said in Deny all outbound except specified geoip:

    Has anyone else tried denying all outbound except a specified list of geoip countries?

    No, I think it's a bad idea.

    It'll need very much work tuning to work decently (but you'd still run into issues from time to time) and the security gained from all that work would be very, very small. I wouldn't be surprised if the US is the single largest country hosting questionable sites.



  • @P3R Yes, and for that little security increase I bet your firewall takes a big performance hit. I noticed that the USA list is massive and to have to check everything against that would take some processing power. Not to mention having to unblock things all the time. I actually tried it then reverted back to my current settings just based on how long the update took, haha.

    I was a little confused as it says right on the configuration pages "It's also not recommended to block the 'world', instead consider rules to 'Permit' traffic from selected Countries only". I read that as "deny all/all by default then allow what you need".

    Right now I have it set to reject outbound to a few of the top spammer countries and I am looking into the reputation settings. I also DNS blacklist using Pi-hole as I like DNS/DHCP on a seperate box, but I do see that you could just add those lists to DNSBL if you didnt want to do it that way.


Log in to reply