Country Blocks

Started by pvols1979, October 06, 2021, 12:37:37 AM

Is there a way to do GeoIP country blocks?  I am doing that in the packet filter currently, but I would like to do it through Sensei and have applications and web filters take precedence, then country blocks.
Founder of Geekz
https://geekzweb.com

Hi,

GeoIP filtering is possible within Zenarmor (Sensei) capabilities, but it is not supported as a configuration yet. I will forward it to the product team as a suggestion.

Quote from: pvols1979 on October 06, 2021, 12:37:37 AM
Is there a way to do GeoIP country blocks?  I am doing that in the packet filter currently, but I would like to do it through Sensei and have applications and web filters take precedence, then country blocks.

You can do this through OPNsense firewall rules; it is probably better to do it that way.

I realize that I can do blocks in the pf, and I am currently doing that now.  The problem I am having is when I have an application that I want to allow across all countries.  So, I want the allow in Sensei to take precedence over my lower level pf rules for country blocks or have the ability to do the country blocks in Sensei and be able to configure the precedence.
Founder of Geekz
https://geekzweb.com

A feedback request here:

Are you getting value from Geo-IP blocks? We had lowered the priority of GeoIP blocking a bit since we were thinking that attackers are utilizing infrastructure in the western world to bypass this technique.

What is your experience?

This is right. Any actual (most at least) attacks come from proxy/VPN in other countries. The best bet is to leave China/Russia blocked in pf, then do actual fine-tuning of Suricata for attack sigs and Sensei or something else for proxies etc. I personally use all the above: I have firehol levels 1-4, proxy and an aggregate list from 0-day reports among other aliases in pf, and Sensei for everything else. Firewalls are multi-layered and there isn't a 1-stop shop for everything.