Geo IP Alias and Firewall block not working all the time

Started by Plaidy, November 10, 2020, 02:01:14 PM

Quote from: chemlud on November 18, 2020, 04:12:56 PM
OPNsense is a stateful firewall. You have to block/allow on LAN. Don't ALLOW ANYTHING on WAN.

I am really not following here. I know it is a stateful firewall and as far as I know the rule is only allowing sessions INITIATED from the outside TO my WAN address which is then forwarded to the appropriate place on my LAN by OPNsense after the request is received.

November 18, 2020, 04:20:54 PM #16 Last Edit: November 18, 2020, 04:26:14 PM by chemlud
.
kind regards
chemlud

Quote from: chemlud on November 18, 2020, 04:20:54 PM
OMG.

Dude, I don't know if that response is necessary. This is an INBOUND rule we are talking about. I want to allow some inbound traffic and deny others.

Edit: As I understand it, all that WAN designation does is tell OPNsense to APPLY this rule to packets coming in to the first interface they would hit from the outside: The WAN interface.

Of those packets coming into the OUTSIDE (read: WAN) interface NOT initiated from inside my network, apply the rule that only IP subnets listed as being from DE or the US may proceed to be evaluated by the next rule in the list. If they are not listed as DE or US they will be denied.

If this is not correct, could you please tell me where the break in logic is? This has nothing to do with stateful sessions at this point. I am trying to block/allow HTTP/HTTPS traffic to my reverse proxy that sits inside my home LAN BEHIND the OPNsense box and its WAN interface and that traffic/those requests are initiated from the OUTSIDE of the OPNsense box.

Edit: Glad I started quoting all your responses for the sake of posterity ;)

I see now that you were mistaken this whole time and thought I was trying to block ALL traffic inbound and block outbound LAN traffic to everywhere but the US and DE. That would be a very bizarre thing to do and definitely not what I was trying to accomplish. Thanks for trying to give me a lesson on networking and stateful packet inspection though heh.

I don't know if this is the exact same issue I am having, but I'm seeing mail traffic hitting my mail server which should be blocked by my GeoIP alias i.e. anything not in the alias should be blocked.

When I check the IP using a general IP Location website I confirm that it's from a "blocked" country but when I check the Maxmind GeoLite2 files the subnet is not present. Checking the full database at Maxmind confirms the same, that the GeoLite2 data is simply missing the subnet so it doesn't get blocked.


Has anyone been able to replace Maxmind with anything else? I can see that IP2Location has my example subnet listed so it would block it, but I have no idea if we can use their data instead.

Quote from: Taomyn on November 26, 2020, 10:18:44 AM
...i.e. anything not in the alias should be blocked. ...

...when I check the Maxmind GeoLite2 files the subnet is not present. ...

The way you explained it, it sounds like it's working as expected. That you have an Alias with only say USA IPs in it and then an inverse source rule that if the source is not a USA IP address it is blocked. That IP from say Mexico would not be in the list for the USA in the maxmind db or your rule set. You may have meant something else but that is what I understood.

Quote from: Plaidy on November 27, 2020, 02:12:34 PM
The way you explained it, it sounds like it's working as expected. That you have an Alias with only say USA IPs in it and then an inverse source rule that if the source is not a USA IP address it is blocked. That IP from say Mexico would not be in the list for the USA in the maxmind db or your rule set. You may have meant something else but that is what I understood.


No, I think I wrote it correctly. I have an alias list with the US plus some EU countries, so "US, CA, UK, DE, BE, FR", and as you say the rule is inversed on the source, so when an IP from RU or CN comes in it should be blocked - but it doesn't always. My server continues to receive the occasional hit from RU and other countries not on the list, and when I check the IPs they're not under their respective country, so to me it's like they get included regardless.

I've been staring at the rule I use for this and I'm at that point where I'm not understanding what I am doing - overthinking the whole thing and giving me a headache.


So to step back, what's the best rule to use to block all inbound external traffic that is not in my alias of allowed countries, and on which firewall interface is the rule located? I.e. a working example please  ;D


As an alternative to blocking, something else I've been unable to achieve is a rule that instead redirects the traffic to a specific device in my DMZ.
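The two posts above describe an allowed-countries alias used in an inverse-source block rule on WAN, and an address that reached the server even though the GeoLite2 data did not list its subnet under any country. The following is an added example, not code from the thread or from OPNsense, that models both that rule shape and the opposite deny-list shape to show what each does with a subnet the GeoIP data is missing; GEOIP_DB and the DENIED list are constructed stand-ins.

```python
"""Model of the two ways a GeoIP country alias can be used in a firewall
rule, to show how each behaves when the GeoIP data is missing a subnet.

Added example, not code from the thread or from OPNsense.  GEOIP_DB is a
CONSTRUCTED stand-in for per-country network lists; a real check would
load the lists the alias was built from (GeoLite2 in the reporter's case)."""
import ipaddress

# Constructed sample data: documentation ranges, not real country allocations.
GEOIP_DB = {
    "US": ["198.51.100.0/24"],
    "DE": ["203.0.113.0/25"],
    "RU": ["192.0.2.0/24"],
}
ALLOWED = ["US", "CA", "UK", "DE", "BE", "FR"]   # the alias from the thread
DENIED = ["RU", "CN"]                            # hypothetical deny-list alias


def build_alias(db, countries):
    """Flatten the chosen countries' CIDRs into one alias (missing countries add nothing)."""
    return [ipaddress.ip_network(c, strict=False)
            for cc in countries for c in db.get(cc, [])]


def in_alias(ip, alias):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in alias)


def lookup_country(ip, db):
    """Country the data attributes the IP to, or None if the subnet is absent."""
    for cc in db:
        if in_alias(ip, build_alias(db, [cc])):
            return cc
    return None


def allow_list_verdict(ip, db=GEOIP_DB, allowed=ALLOWED):
    """Inverse-source rule on WAN: block unless the source is in the allowed alias.
    Unknown subnets are NOT in the alias, so they fail closed (blocked)."""
    return "pass" if in_alias(ip, build_alias(db, allowed)) else "block"


def deny_list_verdict(ip, db=GEOIP_DB, denied=DENIED):
    """Block rule keyed on a deny-list alias: block only if the source is in it.
    Unknown subnets are not in that alias either, so they fail open (passed)."""
    return "block" if in_alias(ip, build_alias(db, denied)) else "pass"


def explain(ip):
    """One-line diagnosis for an IP seen in the logs."""
    return {"ip": ip, "country": lookup_country(ip, GEOIP_DB),
            "allow_list": allow_list_verdict(ip), "deny_list": deny_list_verdict(ip)}
```

Running `explain()` on an address from the mail log shows whether the GeoIP data knows the subnet at all; with the allow-list shape, a missing subnet is still blocked, so a hit that got through points at the rule or its interface rather than at the data.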

@Plaidy; Did you get it to work?

ps Thanks for your detailed posts and for quoting chemlud.

Quote from: erje on January 13, 2021, 12:05:41 PM
@Plaidy; Did you get it to work?

ps Thanks for your detailed posts and for quoting chemlud.

Sorry for not replying here. I guess I don't have notifications set up for when people reply to posts here. I did get it to work, or rather I gathered enough information to be satisfied, I guess. Still no actual explanation as to why some addresses can get through. Are you having issues?