[SOLVED] Country Blocks

Started by Julien, July 09, 2016, 12:24:50 AM

July 09, 2016, 12:24:50 AM Last Edit: July 11, 2016, 11:11:20 AM by franco
Hi Guys,
We got a lot of Chinese and Russian deny attempts in the firewall.
I want to block those attempts.
I found this tutorial: https://docs.opnsense.org/manual/how-tos/ips-geoip.html
The issue I have now is that the firewall doesn't have an HDD but a 64GB SD.
Is this even still possible, or does the IP GeoIP need the right to write to the SD, which is not possible with SD?
Thank you
DEC4240 – OPNsense Owner

Hi Julien,

The Intrusion Detection GeoIP is not the most useful we have found.

There's a better country-block option using Firewall: Aliases, just take a look there... very easy to configure and to be used in the firewall rules. (Make sure you are on the latest version.)


Cheers,
Franco

Thank you, Franco.
Do you guys have some manual for this IP GEO?
I would appreciate it.
DEC4240 – OPNsense Owner

Hey Julien,

Not at this point. It's on our schedule, but not before 16.7 is out. It's the holiday season after all. ;)

The usage is simple: Add a new alias, enter a name, select "GeoIP" from the types, select the IP protocol (IPv4 is the default), pick a number of Countries from the list and save when you're done. Afterwards, you'll be able to reference the alias from the firewall rules under source or destination.


Cheers,
Franco

Nice, but it could be more efficient to be able to specify both IPv4 and IPv6, or at least clone/copy one to a new one so that it can be tweaked.

Just a suggestion from someone who is now making two very long lists and hoping they are the same.
nrf

Hi nrf,

I agree. The lists are separated globally as IPv4 and IPv6, so that design choice was made, but I think we should be able to get a "both" option too by merging both lists. We'll look into this, thanks.


Cheers,
Franco

Thanks for your kind consideration. Given it is kind of a one-time thing, I will be patient for such an improvement!

So a guy has to ask: given that either intrusion prevention or firewall rules can do this, are there any pros/cons to one or the other? Importantly, performance differences?

Thanks for your participation in this forum!

The intrusion detection feature was added earlier to allow users to employ geolocation-based policies.

But as we later found that Suricata integration for GeoIP in OPNsense is not as useful as we wanted it to be as it does not tie into our normal firewall rules, we decided to allow geolocation-based aliases in the firewall itself.

Both features use the same database, but the latter is more flexible and capable.

Hi, I don't see any option to select aliases in the rule creation page.

Just check your source and/or destination, the aliases are in the list (for both addresses and ports).