Topic: Geoblock, block all, allow some (Read 1455 times)
enor, on December 26, 2022, 08:00:47 am:
Hello,
I'm looking into geoblocking and I am wondering how it works.
The examples show that you define which countries to block. However, I would like to block everything and allow some countries, and then continue matching the next rule in the list if the country IP is allowed (can you do that?).
Wouldn't that be faster as well, since it would reduce the number of IP ranges to check against?
Patrick M. Hausen, Reply #1 on December 26, 2022, 01:33:28 pm:
Of course you can - depending on what precisely you want to do.
GeoIP mappings are just aliases to be used in firewall rules. So instead of ordering your rules like
- deny country X, Y, Z
- allow everything
you write
- permit country X, Y, Z
- deny everything
Firewall rules with the "quick" attribute set are processed in order. First rule to match wins. What have you tried so far and what exactly is your problem?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
enor, Reply #2 on December 26, 2022, 02:21:00 pm:
Hello,
I think I overthought it.
Just going through how to implement my current UniFi setup in OPNsense.
Guess what I want to achieve is
- permit country X, Y, Z allow portforward ssh to ip XXX
- permit country X, Y, Z allow portforward wireguard to ip XXX
- deny everything
Patrick M. Hausen, Reply #3 on December 26, 2022, 03:05:21 pm:
Dead easy. Just compose your rules like that.
After activating the mandatory MaxMind account.
Patrick M. Hausen, Reply #4 on December 26, 2022, 03:25:09 pm:
To elaborate on that ...
Deny everything is the default and always last.
Firewall > NAT > Port Forward
Add rule, e.g. for SSH:
Interface: WAN
Source: your GeoIP object
Destination: WAN address
Destination port: 22
Redirect host: internal IP address
Associated firewall rule: Pass
That's it. As I said, everything else is blocked anyway. Just add rules as you see fit for other services.
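A small model of the rule ordering discussed in this thread, added here as an illustration and not taken from any poster or from OPNsense itself: pass rules restricted to a GeoIP alias, evaluated first-match, with the default deny last. The address ranges are documentation prefixes standing in for a GeoIP alias, the WireGuard port 51820 is an assumption, and all names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for a GeoIP alias: documentation ranges, not real country data.
GEO_ALLOWED = tuple(ipaddress.ip_network(n)
                    for n in ("198.51.100.0/24", "2001:db8:1::/48"))

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: str                   # "tcp", "udp" or "any"
    port: Optional[int]          # None matches any destination port
    sources: Optional[Tuple]     # None matches any source address

def matches(rule, src, proto, port):
    if rule.proto not in ("any", proto):
        return False
    if rule.port is not None and rule.port != port:
        return False
    if rule.sources is None:
        return True
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in rule.sources)

def evaluate(rules, src, proto, port):
    """First matching rule wins; no match falls through to the default deny."""
    for rule in rules:
        if matches(rule, src, proto, port):
            return rule.action
    return "block"

def open_to_any(rules):
    """Audit helper: pass rules that are not restricted to a source alias."""
    return [r for r in rules if r.action == "pass" and r.sources is None]

# Allowlist form from the thread: permit the alias per service, deny the rest.
WAN_RULES = [
    Rule("pass", "tcp", 22, GEO_ALLOWED),      # SSH port forward
    Rule("pass", "udp", 51820, GEO_ALLOWED),   # WireGuard (assumed port)
]

if __name__ == "__main__":
    for src, proto, port in [("198.51.100.7", "tcp", 22),
                             ("203.0.113.9", "tcp", 22),
                             ("198.51.100.7", "tcp", 443)]:
        print(src, proto, port, "->", evaluate(WAN_RULES, src, proto, port))
```

Running `open_to_any` over an exported rule list is a quick way to spot a forwarded service that was left open to every source instead of the alias.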