Messages - nhelder

#1
23.7 Legacy Series / Re: Geoblocking Outbound Traffic
January 02, 2024, 02:47:36 PM
Ahh... so the rule for #1 above is inbound to the WAN interface, and the rules for #2 are inbound to the LAN interfaces?

Figured it might be a newbie issue... will test when I get back home. Thanks.

   - Nathan
#2
23.7 Legacy Series / Re: Geoblocking Outbound Traffic
January 02, 2024, 01:46:49 PM
Thanks for the reply.

High level of what I'm trying to achieve:

  • Only allow US/Canada IPs inbound (prevent scanning from outside countries)
  • Only allow devices on my network to access US/Canada based IPs
The reason for #2 is, I'm aware of a couple times at work where we've had brushes with malware following a flop - what we call a user clicking on a phish - and the thing that prevented the malware from running was that it tried to reach out to a command and control server that had a non-US-based IP, which our firewall blocked.

So, while I understand that it's relatively easy for anyone to get (or make it look like they have) a US-based IP, filtering outbound access seems like a reasonable raise-the-cyber-security-bar-a-little-bit-higher sort of step.


As for:
Quote:
So, direction is in, block source is any, destination is the Geo_US_Canada alias. Pretty things up later.

Unless I'm misunderstanding, that would block inbound access from US/Canada... seems like I'd need to create a new alias that included everything except the US/Canada and then block inbound for anything in that list, which would take care of #1 above.

Then for #2, I'd use that same "the whole internet except for US/Canada" alias and block outbound access to it. Trouble is, the docs explicitly recommend against that:

Quote:
Geo ip lists can be rather large, especially when using IPv6. When creating rules, always try to minimize the number of addresses needed in your selection. A selection of all countries in the world not being the Netherlands can usually be rewritten as only addresses from the Netherlands for example.

Thanks,

   - Nathan
#3
23.7 Legacy Series / Geoblocking Outbound Traffic
January 02, 2024, 05:47:48 AM
Hi, all~

Short version: I believe I have inbound geoblocking working, but for some reason outbound geoblocking is not working (also, I'm a bit of a noob and could very easily be missing something obvious - any help appreciated).

Quite a while back I followed the MaxMind steps here:
https://docs.opnsense.org/manual/how-tos/maxmind_geo_ip.html

Those prior steps appear to still be working, as under "Firewall > Aliases > GeoIP settings" I see:
Quote:
Last updated: 2023-12-29T15:11:22
Total number of ranges: 746480

I then created an alias specific to IPs for the US and Canada that I creatively called "Geo_US_Canada". That one shows:
Quote:
Last updated: 2024-01-01 18:42:50
Loaded#: 198300

From there I created a floating inbound rule blocking any IPs not in that alias, with the following settings:
Quote:
Action: Block
Quick: Checked
Interface: WAN
Direction: In
TCP/IP Version: IPv4+IPv6
Protocol: Any
Source / Invert: Checked
Source: Geo_US_Canada
Destination: Any
Destination port range: Any
Description: Block inbound unless from US or Canada

This one seems to be working as expected, because if I uncheck the "Invert" option and then Apply, I'm immediately no longer able to access my internal web server from an external IP within the US (iPhone on cellular).


However, a very similar floating outbound rule doesn't appear to be working. That one is set up like:
Quote:
Action: Block
Quick: Checked
Interface: [currently all four interfaces are selected]
Direction: Out
TCP/IP Version: IPv4+IPv6
Protocol: Any
Source / Invert: Checked
Source: Geo_US_Canada
Destination: Any
Destination port range: Any
Description: Block outbound unless to US or Canada

The way I've been testing to see if this rule works goes like this:

  • Head over to https://ipinfo.io/countries/ru
  • Grab an IP from their "Important Routers in Russia" list - e.g., 178.176.152.240
  • Head over to Firewall > Diagnostics > Aliases > Geo_US_Canada
  • Hit the "Update bogons" button and the "refresh" icon for good measure
  • Search for "178.176" and verify that there are no matches found within the alias
  • Head over to a device on my network that allows ICMP/traceroute out (happens to be an Asus AP that points to the firewall for DNS, etc.)
  • Initiate Pings/traceroutes to 178.176.152.240
  • See it get passed through the firewall via the "let out anything from firewall host itself (force gw)" rule
  • Try accessing http://government.ru/ as a second test, page loads, logs show passed traffic via the same rule

So yeah, that's where I am. Any thoughts on what I might be missing?

Thanks,

   - Nathan

P.S. For whatever it's worth, 178.176.0.0/14 is included in the GeoLite2-Country-Blocks-IPv4.csv file, and if I create an alias for IP ranges in Russia, it is listed there... and I suppose I could create a single giant alias for all countries except the US and Canada and build my rule that way, but https://docs.opnsense.org/manual/aliases.html#geoip explicitly advises against that.
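Added example, not part of the thread: a small Python model of how the two rules posted above evaluate the remote address. It assumes, as pf does, that outbound NAT on WAN rewrites the packet's source to the firewall's WAN address before a floating "out" rule on WAN is evaluated, so a rule that inverts the *source* against Geo_US_Canada tests the firewall's own (US) address rather than the Russian destination. The CSV excerpt, the geoname lookup, the WAN address 203.0.113.7 and the LAN host 192.168.1.20 are constructed; 178.176.0.0/14 and 178.176.152.240 are the values from the post.

```python
import ipaddress

# Constructed excerpt in the GeoLite2-Country-Blocks-IPv4.csv layout (first two columns only).
GEO_CSV = """network,geoname_id
203.0.113.0/24,6252001
198.51.100.0/24,6251999
178.176.0.0/14,2017370
"""
# Constructed geoname_id -> country lookup (the real mapping lives in the Locations CSV).
GEONAME = {"6252001": "US", "6251999": "CA", "2017370": "RU"}


def load_alias(csv_text, countries):
    """Build a GeoIP alias: the list of networks whose country is in `countries`."""
    nets = []
    for line in csv_text.strip().splitlines()[1:]:
        network, geoname_id = line.split(",")[:2]
        if GEONAME.get(geoname_id) in countries:
            nets.append(ipaddress.ip_network(network))
    return nets


def in_alias(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def rule_matches(rule, pkt):
    """Evaluate the source/destination fields of one rule; each field is (alias, invert).
    alias=None means 'Any'. Returns True when the rule matches (and so would block)."""
    for side in ("source", "destination"):
        alias, invert = rule[side]
        if alias is None:
            continue
        hit = in_alias(pkt[side], alias)
        if hit == invert:  # invert flips the sense of the alias test
            return False
    return True


def evaluate_out_wan(rule, pkt, wan_ip):
    """Floating 'out' rule on WAN: model outbound NAT running first, so the filter sees
    the WAN address as source. Assumption documented in the lead-in."""
    return rule_matches(rule, dict(pkt, source=wan_ip))


GEO_US_CANADA = load_alias(GEO_CSV, {"US", "CA"})
WAN_IP = "203.0.113.7"  # constructed: firewall's public (US) address
PKT = {"source": "192.168.1.20", "destination": "178.176.152.240"}  # LAN host -> router from the post
POSTED_OUT_RULE = {"source": (GEO_US_CANADA, True), "destination": (None, False)}
FIXED_OUT_RULE = {"source": (None, False), "destination": (GEO_US_CANADA, True)}
INBOUND_RULE = {"source": (GEO_US_CANADA, True), "destination": (None, False)}
```

The posted outbound rule never matches the LAN host's traffic to 178.176.152.240, while the same intent expressed on the destination field does; the inbound rule behaves as the post observed.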