OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: guyp2k on August 09, 2020, 03:26:54 pm

Title: GeoIP Rules Question
Post by: guyp2k on August 09, 2020, 03:26:54 pm
Would the following rules be sufficient for GeoIP?

Title: Re: GeoIP Rules Question
Post by: Mondmann on August 09, 2020, 05:50:04 pm
Hello,
Although I'm a newcomer to OPNsense, I have this
via a floating rule for "all interfaces"
and therefore the rule should apply to incoming and outgoing traffic.
(Should my rule be faulty, I would be happy about further contributions...)
Greetings from Germany

Title: Re: GeoIP Rules Question
Post by: lar.hed on August 09, 2020, 06:41:33 pm
Okay, let's combine both your efforts then: Floating rule for sure, and both destination and source, in and out.
Title: Re: GeoIP Rules Question
Post by: Mondmann on August 09, 2020, 07:54:49 pm
@ lar.hed
Okay, understood, with the proposed rule
the source and/or destination (GeoIP) is blocked.

Got it corrected right in my floating.

Thanks!  :)
Title: Re: GeoIP Rules Question
Post by: guyp2k on August 09, 2020, 09:41:35 pm
Thanks for the replies and here are my GeoIP floating rules:

Title: Re: GeoIP Rules Question
Post by: Mondmann on August 09, 2020, 10:37:09 pm
@guyp2k
I think more like this -> see attachment...
Direction in and out and do not forget the interfaces
...concerning the rule...
Title: Re: GeoIP Rules Question
Post by: guyp2k on August 09, 2020, 11:33:50 pm
Thanks again, scaled down to 2 floating rules and added the interfaces, see attached.
Title: Re: GeoIP Rules Question
Post by: Mondmann on August 09, 2020, 11:54:08 pm
@guyp2k
OK -> reduced to 2 floating rules and added the interfaces

Your rule is not OK yet -> please have a look at geoip_2.png again! (marked with RED) or from lar.hed BlockCountries.jpg...

You recognize your error :o
Title: Re: GeoIP Rules Question
Post by: guyp2k on August 10, 2020, 12:10:28 am
Updated, see attached.

Thanks
Title: Re: GeoIP Rules Question
Post by: Mondmann on August 10, 2020, 12:18:58 am
Yes, and now take the correct description ->
Your No. 1 = Block Countries Destination
Your No. 2 = Block Countries Source 
Title: Re: GeoIP Rules Question
Post by: guyp2k on August 10, 2020, 01:18:24 am
Thanks for all the help, new to OPNsense and still learning....
Title: Re: GeoIP Rules Question
Post by: lar.hed on August 10, 2020, 08:59:04 am
May I ask why you only like to run the floating rules on a specific interface?

In my case I run GeoIP block on ALL interfaces, in all directions, both source and target - since I never expect it to be there so to speak.

I also block ALL TOR exit nodes, in the same manner - All interfaces, All directions and both source and target.
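To make the rule shape described in this reply (and in lar.hed's earlier "both destination and source, in and out") concrete, here is an added Python model; it is not code from this thread or from OPNsense. It compares the two recommended floating rules (one matching the GeoIP alias as source, one as destination, no interface or direction restriction) against a single inbound source-only rule. The address ranges are constructed RFC 5737/3849 documentation prefixes standing in for a GeoIP alias, and the evaluation is a simplified first-match ("quick") check that looks at each packet once rather than at every interface traversal as pf does.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for a GeoIP alias. In OPNsense the alias is filled
# from the GeoIP database; here two documentation prefixes play the role
# of "blocked countries" and another one plays the role of the LAN.
BLOCKED_COUNTRIES = [ipaddress.ip_network("203.0.113.0/24"),
                     ipaddress.ip_network("2001:db8:bad::/48")]
LAN = ipaddress.ip_network("192.0.2.0/24")


@dataclass
class Rule:
    label: str
    direction: Optional[str]  # "in", "out" or None for both directions
    src_blocked: bool         # match when the source is in the alias
    dst_blocked: bool         # match when the destination is in the alias


def in_alias(ip: str) -> bool:
    """True if the address falls inside any blocked-country prefix."""
    addr = ipaddress.ip_address(ip)
    # ipaddress returns False for an IPv4 address tested against an IPv6
    # network (and vice versa), so mixing families here is safe.
    return any(addr in net for net in BLOCKED_COUNTRIES)


def matches(rule: Rule, direction: str, src: str, dst: str) -> bool:
    if rule.direction is not None and rule.direction != direction:
        return False
    if rule.src_blocked and in_alias(src):
        return True
    if rule.dst_blocked and in_alias(dst):
        return True
    return False


def decide(rules, direction: str, src: str, dst: str) -> Tuple[str, Optional[str]]:
    """First matching floating block rule wins ("quick"); otherwise pass.
    Assumption: these are the only block rules and the packet would
    otherwise be allowed by a normal LAN/WAN pass rule."""
    for rule in rules:
        if matches(rule, direction, src, dst):
            return ("block", rule.label)
    return ("pass", None)


# The two rules the thread converges on: all interfaces, both directions.
RECOMMENDED = [
    Rule("Block Countries Source", None, src_blocked=True, dst_blocked=False),
    Rule("Block Countries Destination", None, src_blocked=False, dst_blocked=True),
]

# The incomplete variant: only traffic arriving *from* the alias is blocked.
SOURCE_ONLY = [
    Rule("Block Countries Source", "in", src_blocked=True, dst_blocked=False),
]


def demo() -> dict:
    """Evaluate three constructed packets under both rule sets."""
    cases = {
        "inbound from blocked": ("in", "203.0.113.7", "192.0.2.10"),
        "outbound to blocked": ("out", "192.0.2.10", "203.0.113.7"),
        "outbound to allowed": ("out", "192.0.2.10", "198.51.100.5"),
    }
    return {
        name: {
            "recommended": decide(RECOMMENDED, *pkt)[0],
            "source_only": decide(SOURCE_ONLY, *pkt)[0],
        }
        for name, pkt in cases.items()
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} {result}")
```

The "outbound to blocked" row is the one that separates the two configurations: with only a source rule, a device on the LAN that opens a connection towards a blocked country is never stopped, which is exactly the case the later posts about unexpected outbound contacts are concerned with.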
Title: Re: GeoIP Rules Question
Post by: Mondmann on August 10, 2020, 11:26:52 am
@ lar.hed

I agree with this and have generally selected all interfaces.
In my attachment geoip_3.png I only made my private entries unrecognizable...

* And excuse me, I write my texts via a translation tool.

Greetings from Germany
Title: Re: GeoIP Rules Question
Post by: lar.hed on August 10, 2020, 11:50:14 am
No worries mate! I can read German, but it is way too long ago I wrote it, so sorry, I will save us all from even trying :-)
Title: Re: GeoIP Rules Question
Post by: Julien on August 10, 2020, 08:41:16 pm
What countries are you blocking for in and out?
I am just curious.
Title: Re: GeoIP Rules Question
Post by: guyp2k on August 11, 2020, 12:53:38 am
I have them all enabled and go back and select the countries from a granular level i.e., I unselect United States, Germany (OMV), and Netherlands (OPNSense).

I assume you need to weigh out the resources needed, larger the list/countries blocked the more resources you need i.e., CPU and RAM. I run OPNSense on an i5 quad core and 32GB RAM and have no issues.
Title: Re: GeoIP Rules Question
Post by: Mondmann on August 11, 2020, 01:41:20 am
Well, almost everything - only the most necessary countries
such as US, DE, CH, AT, UK, IT, CA, BG and NL are open
Those that are required occasionally are either temporary
unlocked or traded via Tor browser.
So it's usually up to the user,
its security situation and which countries are necessary
for a smooth network operation.

By the way, here in Germany, if I would only release DE,
almost nothing works on the WWW anymore.
But this is a very complex topic which I have been thinking about for years and therefore a hardware firewall has to be used for these reasons among others.

Every user should take a look at his logfiles of the firewall and draw conclusions for his security needs.

Unfortunately I'm still a beginner in firewall issues and I'm glad to have this friendly forum and
OPNsense.  :)

Greetings from Germany
Title: Re: GeoIP Rules Question
Post by: lar.hed on August 11, 2020, 07:56:03 am
It's a very loooong list...
BF
BI
BJ
BW
CD
CF
CG
CI
CM
DJ
DZ
EG
EH
ER
ET
GA
GH
GM
GN
GQ
GW
KE
LR
LS
LY
MA
ML
MR
MW
MZ
NA
NE
NG
RW
SD
SL
SN
SO
SS
ST
SZ
TD
TG
TN
TZ
UG
ZA
ZM
ZW
AR
BO
BR
BZ
CL
CO
CU
EC
GD
GP
GT
GY
HN
MX
NI
PA
PE
SV
UY
VE
AQ
SJ
AF
AM
AZ
BD
BH
BN
BT
CN
CY
GE
HK
ID
IL
IN
IQ
IR
JO
KG
KH
KP
KR
KW
KZ
LA
LB
LK
MM
MN
MO
MY
NP
OM
PH
PK
PS
QA
SA
SG
SY
TH
TJ
TL
TM
TW
UZ
VN
YE
AL
BA
BG
BY
CZ
EE
HR
HU
LT
LV
MD
ME
MK
MT
PL
RO
RS
RU
SI
SK
TR
UA
VA
Title: Re: GeoIP Rules Question
Post by: fruit on August 11, 2020, 09:55:08 am
I don't really understand why so many in this thread block outgoing GEO-IP destinations. Can someone explain why it is considered important please?
Title: Re: GeoIP Rules Question
Post by: Mondmann on August 11, 2020, 10:42:39 am
Copied from WIKI:

The control of outgoing traffic is often neglected. Many firewalls leave outbound traffic open for all ports. This opens up communication channels for malicious programs in a simple way, which are not even recognized by the operator of the machine - sending spam is a typical case. On a well-configured firewall such paths are blocked. For example, outgoing mail should only be possible via the mail server; all other paths are blocked (Under Linux/Netfilter you can bind outgoing connections to a user or group ID). Then malicious programs can still send, but will quickly be noticed in the log file.

GeoIP and Sensei are therefore an indispensable means to an end.
Therefore, if possible, keep incoming and outgoing traffic under your
control and regulate it...
Title: Re: GeoIP Rules Question
Post by: lar.hed on August 11, 2020, 11:32:45 am
I don't really understand why so many in this thread block outgoing GEO-IP destinations. Can someone explain why it is considered important please?

Simple: You never know what to expect... I found out that an app on my Samsung TAB 10.5 S decided to keep a contact over TOR for some ugly reason, after that I of course uninstalled that app, but not only decided to stop GEO, but also to stop TOR. I do not need them, therefore they don't need to be able to be run thru my firewall, never ever!

YMMV - but better safe than sorry in this case.
Title: Re: GeoIP Rules Question
Post by: fruit on August 11, 2020, 01:01:25 pm
Thanks for the explanations.

I do understand your reasons but I'm probably paranoid enough as it is having run IPcop, m0n0wall, smoothwall and lately OPNsense over the last almost twenty years. I'm on my own here, everything is Debian apart from very occasional and brief legacy Win7.

I don't have or use smart phones, tablets, use any social media or even multimedia, I'd consider any of those far too much of a security risk to let any of them connect to my network, but as you say, One's MMV - and that's much too far OT
Title: Re: GeoIP Rules Question
Post by: baqwas on August 11, 2020, 03:36:54 pm
@Julien, very interesting question from my perspective. I am just one grain of sand on the beach but allow me to share my GeoIP experience.

There are the Shodans, Computer Science 101 students and, of course, the professionals. Scanning as opposed to persistent efforts to log on using expired accounts is routine. What surprised me is that the attempts to use long expired accounts are geographically spread (including Oceanic countries). There must be an international trade in expired accounts - scavengers of the Internet world. For my SOHO operation, my whack-a-mole approach is not efficient unless I want to do forensics (not my cup of tea). So reluctantly I have had to resort to using regions except for NA and I've had to become very, very selective with Europe.

The reason I'm mentioning all this is that OPNsense with GeoIP gives me peace of mind. This is something that my mail server (in its current version) does not perform for some lazy reason since it pays lip service to GeoIP - looks up country for individual IP addresses via GeoIP but cannot block by country/regions.

Kind regards.

Title: Re: GeoIP Rules Question
Post by: lar.hed on August 11, 2020, 05:55:22 pm
Anyone who likes to watch the Live Firewall log: Start watching port 5500 in/out on WAN interface(s)....
Title: Re: GeoIP Rules Question
Post by: fruit on August 11, 2020, 08:00:24 pm
Anyone who likes to watch the Live Firewall log: Start watching port 5500 in/out on WAN interface(s)....
Nothing at all here on 5500. Something you are running?
Title: Re: GeoIP Rules Question
Post by: lar.hed on August 11, 2020, 10:22:28 pm
Well no, however my ISP is part of Telenor here in Sweden, and I have about 10 IPs who like to send bursts of funky IP packets on port 5500. It is supposed to be one not so known communication channel for botnets....
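As an added example (not from this thread or from OPNsense), here is a Python script that does what lar.hed suggests with the live log, but offline: it reads pf filterlog lines and reports which destination ports on the WAN interface are being probed by several distinct sources, the pattern described for port 5500. The log lines are constructed, and the field positions in FIELDS are my reading of the filterlog CSV layout, so verify them against your own filter log before relying on the script.

```python
import re
from collections import defaultdict

# Constructed sample lines in the pf "filterlog" CSV layout. The first
# nine fields are common; the remainder depends on the IP version. The
# addresses are RFC 5737 documentation ranges, igb0 plays the WAN.
SAMPLE_LOG = """\
Aug 11 17:40:01 fw filterlog[55]: 3,,,1000000103,igb0,match,block,in,4,0x0,,52,0,0,DF,6,tcp,60,203.0.113.7,198.51.100.2,44123,5500,0,S,1,,65535,,mss
Aug 11 17:40:03 fw filterlog[55]: 3,,,1000000103,igb0,match,block,in,4,0x0,,51,0,0,DF,6,tcp,60,203.0.113.9,198.51.100.2,50010,5500,0,S,1,,65535,,mss
Aug 11 17:40:05 fw filterlog[55]: 3,,,1000000103,igb0,match,block,in,4,0x0,,49,0,0,DF,6,tcp,60,203.0.113.7,198.51.100.2,44124,5500,0,S,1,,65535,,mss
Aug 11 17:40:09 fw filterlog[55]: 3,,,1000000103,igb0,match,block,in,4,0x0,,54,0,0,DF,6,tcp,60,203.0.113.40,198.51.100.2,3311,5500,0,S,1,,65535,,mss
Aug 11 17:41:00 fw filterlog[55]: 3,,,1000000103,igb0,match,block,in,4,0x0,,55,0,0,DF,6,tcp,60,203.0.113.9,198.51.100.2,50011,22,0,S,1,,65535,,mss
Aug 11 17:41:30 fw filterlog[55]: 7,,,1000000201,igb0,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.2,192.0.2.80,51000,443,0,S,1,,65535,,mss
Aug 11 17:42:00 fw filterlog[55]: 3,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,17,udp,78,192.0.2.10,203.0.113.200,5353,5500,58
"""

# Assumed version-specific field names following the nine common fields
# (rulenr, subrulenr, anchor, label, interface, reason, action, dir, ipver).
FIELDS = {
    "4": ("tos", "ecn", "ttl", "id", "offset", "flags", "protoid", "proto",
          "length", "src", "dst", "srcport", "dstport"),
    "6": ("class", "flowlabel", "hlim", "proto", "protoid", "length",
          "src", "dst", "srcport", "dstport"),
}


def parse_line(line):
    """Return a dict for one filterlog line, or None if it is not one."""
    m = re.search(r"filterlog\[\d+\]: (.*)$", line)
    if not m:
        return None
    f = m.group(1).split(",")
    if len(f) < 9 or f[8] not in FIELDS:
        return None
    rec = {"interface": f[4], "action": f[6], "direction": f[7], "ipver": f[8]}
    # zip() stops at the shorter sequence, so ICMP lines (no ports) or
    # extra TCP fields do not break parsing.
    rec.update(zip(FIELDS[f[8]], f[9:]))
    return rec


def summarize_blocks(log_text, wan_ifaces):
    """Count blocked packets per (direction, proto, dstport) on the WAN
    interfaces and remember the distinct source addresses for each."""
    stats = defaultdict(lambda: {"count": 0, "sources": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["action"] != "block" or rec["interface"] not in wan_ifaces:
            continue
        if "dstport" not in rec:
            continue  # protocols without ports
        key = (rec["direction"], rec["proto"], rec["dstport"])
        stats[key]["count"] += 1
        stats[key]["sources"].add(rec["src"])
    return stats


def noisy_ports(stats, min_sources=3):
    """Ports hit by at least min_sources distinct addresses: the kind of
    pattern worth a closer look, rather than a single noisy scanner."""
    return sorted((key, v["count"], len(v["sources"]))
                  for key, v in stats.items() if len(v["sources"]) >= min_sources)


if __name__ == "__main__":
    s = summarize_blocks(SAMPLE_LOG, {"igb0"})
    for key, count, nsrc in noisy_ports(s):
        print(f"{key}: {count} blocked packets from {nsrc} distinct sources")
```

Run against a real file with `summarize_blocks(open(path).read(), {"<your WAN interface>"})`; the threshold in noisy_ports separates one persistent scanner from a port that many unrelated hosts are knocking on, which is the more interesting signal.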
Title: Re: GeoIP Rules Question
Post by: Julien on August 19, 2020, 11:22:59 pm
If you limit your outgoing network, port 55xx won't have a chance.

Allow just DNS and 443. I forward 80 to 443 so I don't have to open 80 outbound.
Been doing this for a long time and am very satisfied with the result.