Netgate Discussion Forum
    Allow/block by country on a per rule basis

    Wendo

      What I'd like to be able to do is blacklist or whitelist certain countries within a firewall rule. Specifically I'm trying to lock down SIP to an Asterisk server to only allow SIP connections in from our home country. I've got Country Block installed already but that's a blanket thing, I'd like to be able to specify per rule.

      I've already taken all the other security precautions like secure SIP passwords etc., but if I could block every other country but ours, it minimizes the risk that much more.

      The only way I can see to do this is to create an alias that lists all the address blocks allocated to our country and then allow that. That's a pretty big list already and I'm not sure how well pfSense would handle it (probably perfectly well); it also lacks the flexibility of selectively blocking traffic from other countries per rule.

      Anyone have any better suggestions?

      Thanks

      Wendo

        And to answer my own question.

        Create a URL Table alias and use this site http://www.ipdeny.com/ipblocks/ and point the alias to the zone file you want to use.

        I experimented with adding all the IPs to a backed-up config, then importing it, and while it works, the WebGUI really isn't designed to handle editing it.

        With nested aliases you can even allow or block multiple countries per rule.

        From another post, these aliases aren't updated automatically, but it's coming (can't find the damn post now, though, that said that).

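To show what the URL-table alias approach amounts to once a zone file has been loaded, here is an added Python example (not pfSense's own code and not from the post): it parses constructed ipdeny-style zone files (one CIDR per line; the file names and address blocks are made up, not real allocations), merges several of them the way a nested alias would, and checks whether a SIP source address would match a pass rule whose source is that alias.

```python
import ipaddress

# Constructed stand-ins for downloaded ipdeny zone files (one CIDR per line).
# These are documentation ranges, not real country allocations.
ZONE_FILES = {
    "nz.zone": "203.0.113.0/24\n198.51.100.0/25\n198.51.100.128/25\n",
    "au.zone": "192.0.2.0/24\n\n# blank and comment lines are tolerated by this parser only\n",
}


def parse_zone(text):
    """Parse one zone file into ip_network objects.

    Blank and '#' lines are skipped (this example's own leniency). Any other
    line that is not a valid CIDR raises, so a truncated or garbled download
    fails loudly instead of silently changing what the rule matches.
    """
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r}: {exc}") from None
    return nets


def build_nested_alias(zone_names):
    """Emulate a nested alias: the union of several URL-table aliases.

    Adjacent blocks are collapsed to the minimal CIDR set, per address family,
    which is also a quick sanity check on how large the resulting table is.
    """
    nets = []
    for name in zone_names:
        nets.extend(parse_zone(ZONE_FILES[name]))
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def sip_allowed(src_ip, alias_nets):
    """Would a SIP packet from src_ip match a pass rule with this alias as source?"""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in alias_nets)


if __name__ == "__main__":
    home = build_nested_alias(["nz.zone"])
    print([str(n) for n in home], sip_allowed("203.0.113.7", home))
```

The same check applies to a block rule for a second country list: build the alias from its zone files and a match means the packet is dropped rather than passed.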
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.