GeoIP Rules Question

Started by guyp2k, August 09, 2020, 03:26:54 PM

Previous topic - Next topic
I have them all enabled and go back and select the countries from a granular level i.e., I unselect United States, Germany (OMV), and Netherlands (OPNSense).

I assume you need to weigh up the resources needed: the larger the list of blocked countries, the more resources (CPU and RAM) you need. I run OPNsense on an i5 quad core with 32GB RAM and have no issues.

Well, almost everything - only the most necessary countries such as US, DE, CH, AT, UK, IT, CA, BG and NL are open. Those that are required occasionally are either temporarily unlocked or handled via the Tor browser. So it's usually up to the user, their security situation and which countries are necessary for a smooth network operation.

By the way, if I were to open only DE here in Germany, almost nothing on the WWW would work anymore.
But this is a very complex topic which I have been thinking about for years, and for these reasons among others a hardware firewall has to be used.

Every user should take a look at the log files of their firewall and draw conclusions for their own security needs.

Unfortunately I'm still a beginner in firewall issues and I'm glad to have this friendly forum and OPNsense.  :)

Greetings from Germany
OPNsense 22.7.9*WG-kmod*OpenSSL*OpenVPN*AdGuardHome*i7-7700*32GB*256SSD*ix0-1, igb0-4, em0*OpenVPN+Wireguard WG0, WG1*NetGear ProSafe XS508*AP Netgear WAX610*all real hardware* Sorry, my English is translated via app*

It's a very loooong list...

I don't really understand why so many in this thread block outgoing GEO-IP destinations. Can someone explain why it is considered important please?

Copied from the wiki:

The control of outgoing traffic is often neglected. Many firewalls leave outbound traffic open for all ports. This opens up communication channels for malicious programs in a simple way, which are not even recognized by the operator of the machine - sending spam is a typical case. On a well-configured firewall such paths are blocked. For example, outgoing mail should only be possible via the mail server; all other paths are blocked (Under Linux/Netfilter you can bind outgoing connections to a user or group ID). Then malicious programs can still send, but will quickly be noticed in the log file.

GeoIP and Sensei are therefore an indispensable means to an end. So, if possible, keep both incoming and outgoing traffic under your control...
OPNsense 22.7.9*WG-kmod*OpenSSL*OpenVPN*AdGuardHome*i7-7700*32GB*256SSD*ix0-1, igb0-4, em0*OpenVPN+Wireguard WG0, WG1*NetGear ProSafe XS508*AP Netgear WAX610*all real hardware* Sorry, my English is translated via app*

Quote from: fruit on August 11, 2020, 09:55:08 AM
I don't really understand why so many in this thread block outgoing GEO-IP destinations. Can someone explain why it is considered important please?

Simple: you never know what to expect... I found out that an app on my Samsung TAB 10.5 S decided to keep in contact over TOR for some ugly reason. After that I of course uninstalled that app, but I not only decided to stop GEO, but also to stop TOR. I do not need them, therefore they don't need to be able to run through my firewall, never ever!

YMMV - but better safe than sorry in this case.

Thanks for the explanations.

I do understand your reasons, but I'm probably paranoid enough as it is, having run IPCop, m0n0wall, Smoothwall and lately OPNsense over the last almost twenty years. I'm on my own here; everything is Debian apart from very occasional and brief legacy Win7.

I don't have or use smart phones, tablets, any social media or even multimedia; I'd consider any of those far too much of a security risk to let them connect to my network. But as you say, one's MMV - and that's much too far OT.

@Julien, very interesting question from my perspective. I am just one grain of sand on the beach, but allow me to share my GeoIP experience.

There are the Shodans, Computer Science 101 students and, of course, the professionals. Scanning, as opposed to persistent efforts to log on using expired accounts, is routine. What surprised me is that the attempts to use long-expired accounts are geographically spread (including Oceanic countries). There must be an international trade in expired accounts - scavengers of the Internet world. For my SOHO operation, my whack-a-mole approach is not efficient unless I want to do forensics (not my cup of tea). So reluctantly I have had to resort to blocking by region, except for NA, and I've had to become very, very selective with Europe.

The reason I'm mentioning all this is that OPNsense with GeoIP gives me peace of mind. This is something that my mail server (in its current version) does not provide, for some lazy reason: it pays lip service to GeoIP by looking up the country for individual IP addresses, but cannot block by country or region.

Kind regards.

Anyone who likes to watch the Live Firewall log: Start watching port 5500 in/out on WAN interface(s)....

Quote from: lar.hed on August 11, 2020, 05:55:22 PM
Anyone who likes to watch the Live Firewall log: Start watching port 5500 in/out on WAN interface(s)....
Nothing at all here on 5500. Something you are running?

Well no, however my ISP is part of Telenor here in Sweden, and I have about 10 IPs that like to send bursts of funky IP packets to port 5500. It is supposed to be one not so well-known communication channel for botnets....

If you limit your outgoing network ports, 55xx won't have a chance.

Allow just DNS and 443. I forward 80 to 443 so I don't have to open 80 outbound.
Been doing this for a long time and am very satisfied with the result.
DEC4240 – OPNsense Owner
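The outbound policy described in the wiki quote earlier in the thread (mail only from the mail server, everything else blocked and logged) together with the DNS-plus-443 allow-list from the last post and a GeoIP block table, as an added example in raw pf syntax; this is not from the thread or from the rules OPNsense generates itself, and the interface names, addresses and table file path are assumptions.

```pf
# Added example, not from the thread or from OPNsense itself: the outbound
# policy the posters describe, written as a raw pf ruleset. Interface names,
# networks, the mail server address and the GeoIP table file are assumptions;
# OPNsense builds equivalent rules from its GUI aliases and GeoIP aliases.
ext_if   = "igb0"
lan_if   = "igb1"
lan_net  = "192.168.10.0/24"      # constructed LAN network
mail_srv = "192.168.10.25"        # constructed address of the only host allowed to send mail
resolver = "192.168.10.1"         # the firewall's own DNS resolver (e.g. Unbound/AdGuard Home)

# GeoIP block list: one network per line, written by whatever refreshes the
# GeoIP data (assumed path).
table <geo_block> persist file "/var/db/aliastables/geo_block.txt"

set skip on lo0
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny in both directions, logged: every refused connection attempt
# lands in the filter log, which is how unexpected outbound traffic gets noticed.
block log all

# GeoIP: refuse inbound from blocked countries on the WAN, and refuse LAN
# clients' attempts to reach them before any state is created.
block in log quick on $ext_if from <geo_block>
block in log quick on $lan_if from $lan_net to <geo_block>

# DNS only to the firewall's resolver, never directly to the Internet.
pass in quick on $lan_if proto { tcp udp } from $lan_net to $resolver port 53

# SMTP/submission only from the mail server; any other host trying port 25
# hits the default block above and shows up in the log.
pass in quick on $lan_if proto tcp from $mail_srv to any port { 25 465 587 }

# The rest of the LAN gets HTTPS only. Port 80 is deliberately absent: the
# poster redirects 80 to 443 instead of opening it outbound.
pass in quick on $lan_if proto tcp from $lan_net to any port 443

# Let the firewall forward what the LAN rules admitted, plus its own DNS/HTTPS.
pass out quick on $ext_if proto { tcp udp } to any port { 53 443 }
pass out quick on $ext_if proto tcp to any port { 25 465 587 }
```

With this in place, a LAN host that is not the mail server and tries port 25, or any host reaching for a country in the table, appears as a logged block on the LAN interface, which is the entry to look for in the live log.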