Reverse PFBlocker option ?



  • Hello,

    We use PFBlocker to block most of the world in our WAN configuration. I know, it's not recommended to do this …
    But actually it's like that, because we have a part of our IP range that should not be accessible from everywhere, but only from some countries in Europe.
    Today I noticed some SSH access, in that IP range, from ... Hong Kong ... !?
    I know that our PFBlocker is working, because I see all the blocked sources on the front page of our PFSense.
    So I did some searching, and I found that this whole IP range in Hong Kong is well known but NOT listed in any country IP database ... :(

    After that, I thought of doing the opposite: not loading the world's IP addresses to block, but allowing only the countries we want to open ...
    Does anybody know if something like this can be done?
    Thanks for letting me know.
    Best regards
    Atrocity



  • Well, no answer …

    Here I will explain my question again:

    We want to block every access from the internet, and allow only certain countries.

    Is there a way, with PFBlocker or something else (an alias loading only the IPs we want to see), to make this possible?

    Thanks for any answer.
    Best regards



  • pfBlocker uses outdated country code lists. Wait for an updated or next version and then country blocking will work again…



  • Well, but we can't wait, because we have to filter out most of the world to some specific network equipment … :(



  • Get in touch with BBCan177 and ask if you can become a tester.



  • I've been a tester for some days :)
    We will see if his package can help us.
    Thanks



  • @atrocity:

    well, but we can't wait, because we have to filter out most of the world to some specific network equipment … :(

    Firewall: Aliases: Edit.
    Create two aliases, Allowed IPs and Blocked IPs, and link them to two txt files located on one of your internal webservers, then create all the rules you want. You don't need pfblocker then, but you do have more control with this approach.

    For example, you might have an alias for Allowed Email IPs where a txt file contains the IP address blocks you will accept email from (smtp/25), as you may do business abroad in that country. Even your supplier might have their own IP address block, reducing the constant updates which will invariably take place as IP blocks get moved around.

    You could also have another alias file that contains IP address blocks for countries staff might have to visit, including stopovers for connecting flights in other foreign countries. Then you can have a rule to allow their iPhone/Android/Windows Phone communications with their IMAP/Exchange servers, for example. Maybe also allow some encrypted VoIP comms to avoid calls being listened in to by foreign govts when using their public telecoms infrastructure, or if you really want to be "silent", just have a VPN connection like OpenVPN, tunnel all traffic from your phones/laptops through the VPN and hide even more info from foreign govts when abroad.
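
One way to produce the "Allowed IPs" txt file from the post above, as an added example that is not part of the original thread: it merges per-country CIDR lists into one allow list, drops invalid or overly broad lines, and checks a source address against the result before the file is published. The feed contents, the country codes, the `MIN_PREFIX` limits and the one-CIDR-per-line output format are assumptions made for illustration.

```python
import ipaddress

# Constructed sample feeds (documentation ranges only, not real allocations).
COUNTRY_FEEDS = {
    "DE": "192.0.2.0/25\n192.0.2.128/25\n# maintainer comment\n",
    "FR": "198.51.100.0/24\n198.51.100.64/26\nnot-an-ip\n",
    "XX": "0.0.0.0/0\n",
}
# Assumption: refuse prefixes broader than these, so one bad feed line
# cannot open the rule to most of the Internet.
MIN_PREFIX = {4: 8, 6: 16}

def build_allowlist(feeds, countries):
    """Return (merged_networks, rejected_lines) for the chosen countries."""
    nets, rejected = [], []
    for cc in countries:
        for raw in feeds.get(cc, "").splitlines():
            line = raw.split("#", 1)[0].strip()  # drop comments and blanks
            if not line:
                continue
            try:
                net = ipaddress.ip_network(line, strict=True)
            except ValueError:
                rejected.append((cc, line, "invalid"))
                continue
            if net.prefixlen < MIN_PREFIX[net.version]:
                rejected.append((cc, line, "too broad"))
                continue
            nets.append(net)
    merged = []
    for version in (4, 6):  # collapse_addresses cannot mix IP versions
        merged += ipaddress.collapse_addresses(
            n for n in nets if n.version == version)
    return merged, rejected

def is_allowed(ip, networks):
    """True if ip falls inside any network on the allow list."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in networks)

def render(networks):
    """One CIDR per line, the plain-text form an alias file would hold."""
    return "".join(f"{n}\n" for n in networks)

if __name__ == "__main__":
    allow, bad = build_allowlist(COUNTRY_FEEDS, ["DE", "FR", "XX"])
    print(render(allow), end="")
    print("rejected:", bad)
```

Running `is_allowed` on the source address of an unexpected connection shows whether the allow list itself admitted it or whether another rule did.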