GeoIP and Maxmind

Started by spetrillo, May 01, 2024, 08:20:03 PM

Hello all,

I am using GeoIP with Maxmind, but wanted to set up an inbound and an outbound rule, so that nothing comes in or goes out to any country that I am blocking with Maxmind. My rules are in the attachment. Do I have this right or should I be specifying the WAN port?

Thanks,
Steve

Don't you have a "deny all" rule on WAN, anyway?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

It looks like I do, so then is GeoIP only used outbound from my environment? I thought it also blocks me from anything hitting me from the blocked countries.


How can anything hit you if "deny all" is already in place?

Inbound GeoIP is useful if you have publicly accessible services. You can then use GeoIP in those rules.

But "more deny than deny all" is simply not possible. The packets are dropped. End of story.

I have publicly accessible websites, so I figured I would use Maxmind to limit where I get hits from.

Do I only need the inbound rule or can I use both the inbound and outbound rule?

Yes, sure.

So outbound GeoIP restrictions go on LAN - or any other internal interface, direction "in", then e.g. a destination invert and an alias that contains all the countries you want to block. Or without the invert an alias containing the countries you want to allow.

For inbound it depends if you have a firewall rule on WAN or a NAT port forward for these publicly accessible web services. Anyway the restriction goes on that rule, interface WAN, direction "in" again.

You hardly ever need "out" rules in OPNsense. The direction from a bird's eye view is decided by the placement of the rule on a particular interface. Anything "from the Internet inbound" is WAN and "in". Anything "to the Internet outbound" is LAN (and OPT1, OPT2, ... if applicable) and "in".

Ok so this is how I have my rules set up...

My whitelist of IPs is first. Then I block all countries I do not want to see knocking on my door. Then I allow access to my websites. I think this is the right order. The whitelist is first because there are IPs that I want to allow but are in countries I do not want to allow.
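To make the rule placement from the earlier reply (WAN "in" for inbound, LAN "in" for outbound) and the whitelist-then-block-then-allow ordering above concrete, here is an added first-match simulator. It is not OPNsense or pf code and not from anyone in this thread; the GeoIP table, country codes, whitelist and rule list are all constructed placeholders.

```python
import ipaddress

# Constructed IP-to-country table standing in for a MaxMind GeoIP alias.
# Country codes are placeholders, not real ISO codes.
GEOIP = {
    "203.0.113.0/24": "XA",  # a blocked country
    "198.51.100.0/24": "XB",  # another blocked country
    "192.0.2.0/24": "XC",  # an allowed country
}
BLOCKED_COUNTRIES = {"XA", "XB"}
WHITELIST = {"203.0.113.10"}  # allowed hosts that sit in a blocked country
WEB_PORTS = {80, 443}

def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP.items():
        if addr in ipaddress.ip_network(net):
            return cc
    return None

# Rules are (interface, direction, action, match). Evaluated top to bottom,
# first match wins, which is how "quick" rules behave in pf/OPNsense.
RULES = [
    # WAN in: whitelist first, so these hosts bypass the country block.
    ("wan", "in", "pass", lambda p: p["src"] in WHITELIST and p["dport"] in WEB_PORTS),
    # WAN in: drop anything arriving from a blocked country.
    ("wan", "in", "block", lambda p: country_of(p["src"]) in BLOCKED_COUNTRIES),
    # WAN in: allow the public web services.
    ("wan", "in", "pass", lambda p: p["dport"] in WEB_PORTS),
    # WAN in: deny all; nothing placed below this can be "more deny".
    ("wan", "in", "block", lambda p: True),
    # LAN in: outbound traffic whose destination is in a blocked country.
    ("lan", "in", "block", lambda p: country_of(p["dst"]) in BLOCKED_COUNTRIES),
    # LAN in: let everything else out.
    ("lan", "in", "pass", lambda p: True),
]

def packet(iface, src, dst, dport):
    return {"iface": iface, "dir": "in", "src": src, "dst": dst, "dport": dport}

def evaluate(p):
    # Only rules on the packet's own interface and direction are consulted.
    for iface, direction, action, match in RULES:
        if iface == p["iface"] and direction == p["dir"] and match(p):
            return action
    return "block"  # implicit default deny
</```

Swap the order of the first two WAN rules and the whitelisted host in the blocked country is dropped, which is the ordering point made above.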

Looks good. For a test put your own country in that block list and try to access via mobile phone or similar ...