Is there a way to block a whole country?
I would love to be able to just stop all of, say, mmmm, China from even getting near my servers.
Well, you can get data on what country the IP address comes from using stuff like http://countries.nerd.dk/ or GeoIP in Perl, but not sure how to use that…
There has to be a way to set this up easily.
Has anyone ever done this? There are so many ranges to use, certainly there is a copy and paste to this.
You probably want a network alias for this. In HEAD there is a feature to read this from a list (see http://pfsense.org/~sullrich/pics/SampleAlias.PNG ) but it's not available in a current release.
That is a very nice feature. When will this be in the releng_1 snapshot?
Can I see this feature faster in a production release if I post a bounty? :)
This is a feature that has not been discussed for MFC'ing (to go into the releng_1 branch), so it should be available in the next major version. However, a bounty would raise some interest in backporting it for sure.
For blocking a whole country you can perhaps ask your ISP…
I manage some global networks around the world that use MCI fiber links... In 2004 we were attacked for many days by thousands of zombies from a few countries (China, Korea, etc.). It was mostly UDP and TCP 80 flooding. We had no other choice but to ask MCI to activate what they call "Emergency Shield". It stops the traffic at their peering points.
If you really have such problems, blocking it at the ISP level is the better way, as you can only block what has already been on your line when it reaches you, so your bandwidth will be utilized even when you block it at your end.