Netgate Discussion Forum

    Geolocation based rules?

    • mhugo

      Being basically paranoid I hate opening firewall holes into my internal network any wider than I have to.

      Therefore what are thoughts of being able to firewall based on geolocation?

      There are several free services out there that provide APIs or just basic XML HTTP methods of getting the lat/long of an IP address. (Here are a few examples: http://blog.programmableweb.com/2009/03/31/3-free-ways-to-geolocate-by-ip/ )

      I don't care how long the initial packet takes to be validated, in that the extra lookup time for the initial packet from a new IP can be tolerated. It needs to be cached for future packets (perhaps just added to the normal allow table and then purged after a while).

      Thoughts on how to do this within pfsense.

      Is it just a dumb idea? Other threads talk about adding huge blocks of banned IP addresses to the table, but that is a pain to do as alias lists fill up quickly and having huge lists takes processing time to go through them. I've thought about just adding the netblocks for the local ISPs of my users, but those will need to be updated. I'm tired of the huge amount of brute force attacks my servers get, and it is really those attacks I'm trying to prevent; limiting the exposure greatly reduces those attacks.

      Geolocation is not 100% perfect, but in my experience it is remarkably accurate.

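      The mechanism sketched above (look up the country of a new source IP once, cache the decision, add allowed addresses to a pf table and purge them later) as an added example; it is not code from this thread or from pfSense. The CIDR-to-country table is a constructed stand-in for a geolocation service, the pf table name `geo_allow` is assumed, and unknown addresses fail closed.

```python
import ipaddress
import time

# Constructed CIDR-to-country table standing in for a geolocation service's
# answers; the documentation ranges below carry no real country assignment.
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("203.0.113.0/25"): "KR",
}
ALLOWED_COUNTRIES = {"US", "DE"}
PF_TABLE = "geo_allow"  # assumed pf table name referenced by a pass rule

def lookup_country(ip):
    """Longest-prefix match against GEO_TABLE; None when the IP is unknown."""
    addr = ipaddress.ip_address(ip)
    hits = [net for net in GEO_TABLE if addr in net]
    return GEO_TABLE[max(hits, key=lambda n: n.prefixlen)] if hits else None

class GeoAllowList:
    """Caches per-IP decisions so only the first packet pays the lookup cost."""
    def __init__(self, ttl=3600, clock=time.monotonic):
        self.ttl, self.clock = ttl, clock
        self.cache = {}  # ip -> (allowed, expiry timestamp)
        self.lookups = 0  # how often the slow geolocation path was taken

    def decide(self, ip):
        """Return (allowed, from_cache). Unknown countries fail closed."""
        entry = self.cache.get(ip)
        now = self.clock()
        if entry and entry[1] > now:
            return entry[0], True
        self.lookups += 1
        country = lookup_country(ip)
        allowed = country in ALLOWED_COUNTRIES  # None -> False
        self.cache[ip] = (allowed, now + self.ttl)
        return allowed, False

    def purge(self):
        """Drop expired entries; return pfctl commands that would remove them."""
        now = self.clock()
        expired = [ip for ip, (_, exp) in self.cache.items() if exp <= now]
        for ip in expired:
            del self.cache[ip]
        return [f"pfctl -t {PF_TABLE} -T delete {ip}" for ip in expired]

    def pf_add(self, ip):
        """pfctl command admitting an allowed IP into the table, else None."""
        return f"pfctl -t {PF_TABLE} -T add {ip}" if self.decide(ip)[0] else None
```

      The returned `pfctl` strings are what a pfSense shell hook or cron job would execute; a pass rule whose source is `<geo_allow>` then admits only cached, allowed addresses.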
      • lotacus

        I think it just provides a false sense of security, plus more maintenance, personal opinion though. Why? Think of it this way: the odds are really in your favor. Unless you are prominently world renowned, you're not a target. People don't even know you exist. If people did know you exist, what have you done to provoke attacks? Why would someone waste their time and effort to circumvent your security?

        So let's say you're Bill Gates. You've got yourself locked down. You got this handy new script that blocks via geolocation, which is really only blocking IP addresses that are assigned to a specific place. It really doesn't provide much protection at all. People can subscribe to one of the numerous free or paid SSH accounts and tunnel through that. People can use online proxies, or other proxies for that matter. People can spoof IP addresses and MAC addresses, people can tunnel through ICMP, DNS and virtually any traffic out there to my knowledge. So if someone really wanted to get past your security, they will, and geo-location services are not even a bump in the road to thwart them. Especially in this day and age, a 12 year old will know how to by-pass geo-location based access control, and that's not being sarcastic.

        If you want to limit your exposure, honestly, what are you doing with a server visible outside your network? The whole point of something being visible outside your network is to GAIN exposure IMO, again. Otherwise, you will just have to look at some certificate/machine based authentication. All in all, if you expose part of your network to the internet, it's ALWAYS going to be hit by traffic. What you WANT to try to do is prevent ACCESS from outside your network to inside, and if your firewall is showing your server being hit but no compromise, then it's doing its job.

        • blak111

          It does help in some situations. Sometimes there are just random attacks that crawl through known business IP address ranges.
          I agree that it won't really help if someone is specifically targeting you, but it could help protect from "spray-and-pray" style attacks that I frequently get against SSH servers.

          • mhugo

            It is exactly the brute force (crawl through) attacks I'm trying to prevent. Anyone with any sort of services on the internet who scans logs knows that the brute force attacks are the major traffic inflows to many of them. This has nothing to do with whether you are famous or not, as a bot army doesn't care one bit. It just knows there is a service and knows that it might get lucky. Also it doesn't take long looking at the logs to understand the bot armies are fairly coordinated in their attacks in how they go about guessing. Doing things such as limiting the number of wrong guesses before shutting down the service helps, but the armies are relentless.

            Security should be a multi-layer approach, and one layer of that approach should be to limit who can get to your front door. The concept of "false sense of security" doesn't apply since by definition if a service is on the internet it is unsecured. There are several other threads in this forum that talk about adding the entire China and Korea net blocks to the deny list. Doing geographic DNS blocking takes that approach several more steps. Yes, it requires more maintenance than not having this layer at all, but I see this as much less maintenance than manually maintaining a small allow list or trying to somehow fill up a huge deny list. Other threads have talked about an option in the filter list per country. I would be happy with that option as well.

            For my ssl servers the multi-layer approach includes implementing denyhosts (http://denyhosts.sourceforge.net/faq.html) as well as possibly not using port 22, possibly turning off password authentication, forcing long passwords, frequent passwords changing, etc depending upon what I'm trying to protect.

            The geographic DNS interests me for use in PPTP and any of the other very few tunnels I might allow in, though it would be great for SSH as well. The pfSense PPTP client doesn't try to prevent brute force attacks, so adding this layer would greatly reduce the number of attacks. In one of my networks I have a multi-routed Active Directory network being served behind a pfSense server, and pfSense's PPTP server doesn't play very nice in this situation. It looks like I'll be (trembling to even write this) using the Microsoft built-in PPTP server, and I wanted an extra layer of protection before exposing the PPTP server to the entire internet.
            I would love to go to 2 factor authentication as one of my layers of security, but that should be a subject of a different thread.

            So back to my question. Am I dreaming, if this is something that only I think is an important layer of protection? I see this as something special that pfSense could offer that is either not being offered by the commercial vendors or is very pricey.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.