OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: Julien on July 09, 2016, 12:24:50 am

Title: [SOLVED] Country Blocks
Post by: Julien on July 09, 2016, 12:24:50 am
Hi guys,
We got a lot of Chinese and Russian deny attempts in the firewall.
I want to block those attempts.
I found this tutorial: https://docs.opnsense.org/manual/how-tos/ips-geoip.html
The issue I have now is that the firewall doesn't have an HDD but a 64GB SD.
Is this even still possible, or does the IP GeoIP need the right to write to the SD, which is not possible with SD?
Thank you
Title: Re: Country Blocks,
Post by: franco on July 11, 2016, 11:11:09 am
Hi Julien,

The Intrusion Detection GeoIP is not the most useful we have found.

There's a better country-block option using Firewall: Aliases, just take a look there... very easy to configure and to be used in the firewall rules. (Make sure you are on the latest version.)


Cheers,
Franco
Title: Re: [SOLVED] Country Blocks
Post by: Julien on July 11, 2016, 05:22:34 pm
Thank you, Franco.
Do you guys have a manual for this IP GEO?
I would appreciate it.
Title: Re: [SOLVED] Country Blocks
Post by: franco on July 11, 2016, 06:40:03 pm
Hey Julien,

Not at this point. It's on our schedule, but not before 16.7 is out. It's the holiday season after all. ;)

The usage is simple: Add a new alias, enter a name, select "GeoIP" from the types, select the IP protocol (IPv4 is the default), pick a number of Countries from the list and save when you're done. Afterwards, you'll be able to reference the alias from the firewall rules under source or destination.


Cheers,
Franco
Title: Re: [SOLVED] Country Blocks
Post by: nrf on July 12, 2016, 03:41:18 am
Nice, but it could be more efficient to be able to specify both IPv4 and IPv6, or at least clone/copy one to a new one so that it can be tweaked.

Just a suggestion from someone who is now making two very long lists and hoping they are the same.
nrf
Title: Re: [SOLVED] Country Blocks
Post by: franco on July 12, 2016, 06:34:08 am
Hi nrf,

I agree. The lists are separated globally as IPv4 and IPv6, so that design choice was made, but I think we should be able to get a "both" option too by merging both lists. We'll look into this, thanks.


Cheers,
Franco
Title: Re: [SOLVED] Country Blocks
Post by: nrf on July 12, 2016, 12:41:47 pm
Thanks for your kind consideration. Given it is kind of a one-time thing, I will be patient for such an improvement!
Title: Re: [SOLVED] Country Blocks
Post by: nrf on July 14, 2016, 01:28:13 am
So a guy has to ask: given that either intrusion prevention or firewall rules can do this, are there any pros/cons to one or the other? Importantly, performance differences?

Thanks for your participation in this forum!
Title: Re: [SOLVED] Country Blocks
Post by: franco on July 16, 2016, 09:38:46 pm
The intrusion detection feature was added earlier to allow users to employ geolocation-based policies.

But as we later found that Suricata integration for GeoIP in OPNsense is not as useful as we wanted it to be as it does not tie into our normal firewall rules, we decided to allow geolocation-based aliases in the firewall itself.

Both features use the same database, but the latter is more flexible and capable.
Title: Re: [SOLVED] Country Blocks
Post by: ajzimme on February 24, 2017, 04:42:34 am
Hi, I don't see any option to select aliases in the rule creation page.
Title: Re: [SOLVED] Country Blocks
Post by: AdSchellevis on February 24, 2017, 08:41:35 am
Just check your source and/or destination, the aliases are in the list (for both addresses and ports).