Geoblocking Outbound Traffic

Started by nhelder, January 02, 2024, 05:47:48 AM

Hi, all~

Short version: I believe I have inbound geoblocking working, but for some reason outbound geoblocking is not working (also, I'm a bit of a noob and could very easily be missing something obvious - any help appreciated).

Quite a while back I followed the MaxMind steps here:
https://docs.opnsense.org/manual/how-tos/maxmind_geo_ip.html

Those prior steps appear to still be working, as under "Firewall > Aliases > GeoIP settings" I see:
Last updated: 2023-12-29T15:11:22
Total number of ranges: 746480

I then created an alias specific to IPs for the US and Canada that I creatively called "Geo_US_Canada". That one shows:
Last updated: 2024-01-01 18:42:50
Loaded#: 198300

From there I created a floating inbound rule blocking any IPs not in that alias, with the following settings:
Action: Block
Quick: Checked
Interface: WAN
Direction: In
TCP/IP Version: IPv4+IPv6
Protocol: Any
Source / Invert: Checked
Source: Geo_US_Canada
Destination: Any
Destination port range: Any
Description: Block inbound unless from US or Canada

This one seems to be working as expected, because if I uncheck the "Invert" option and then Apply, I'm immediately no longer able to access my internal web server from an external IP within the US (iPhone on cellular).


However, a very similar floating outbound rule doesn't appear to be working. That one is set up like:
Action: Block
Quick: Checked
Interface: [currently all four interfaces are selected]
Direction: Out
TCP/IP Version: IPv4+IPv6
Protocol: Any
Source / Invert: Checked
Source: Geo_US_Canada
Destination: Any
Destination port range: Any
Description: Block outbound unless to US or Canada

The way I've been testing to see if this rule works goes like this:

  • Head over to https://ipinfo.io/countries/ru
  • Grab an IP from their "Important Routers in Russia" list - e.g., 178.176.152.240
  • Head over to Firewall > Diagnostics > Aliases > Geo_US_Canada
  • Hit the "Update bogons" button and the "refresh" icon for good measure
  • Search for "178.176" and verify that there are no matches found within the alias
  • Head over to a device on my network that allows ICMP/traceroute out (happens to be an Asus AP that points to the firewall for DNS, etc.)
  • Initiate Pings/traceroutes to 178.176.152.240
  • See it get passed through the firewall via the "let out anything from firewall host itself (force gw)" rule
  • Try accessing http://government.ru/ as a second test, page loads, logs show passed traffic via the same rule

So yeah, that's where I am. Any thoughts on what I might be missing?

Thanks,

   - Nathan

P.S. For whatever it's worth, 178.176.0.0/14 is included in the GeoLite2-Country-Blocks-IPv4.csv file, and if I create an alias for IP ranges in Russia, it is listed there... and I suppose I could create a single giant alias for all countries except the US and Canada and build my rule that way, but https://docs.opnsense.org/manual/aliases.html#geoip explicitly advises against that.

Curious why direction is "out" on your last rule. Also, it might help to just explicitly block the countries for the purpose of troubleshooting instead of using an inverted rule. (I think I only have one inverted rule on my interfaces, and that correlates to accessing private IPs across VLANs.)

So, direction is in, block source is any, destination is the Geo_US_Canada alias. Pretty things up later.

Thanks for the reply.

High level of what I'm trying to achieve:

  • Only allow US/Canada IPs inbound (prevent scanning from outside countries)
  • Only allow devices on my network to access US/Canada based IPs
The reason for #2 is, I'm aware of a couple times at work where we've had brushes with malware following a flop - what we call a user clicking on a phish - and the thing that prevented the malware from running was that it tried to reach out to a command and control server that had a non-US-based IP, which our firewall blocked.

So, while I understand that it's relatively easy for anyone to get (or make it look like they have) a US-based IP, filtering outbound access seems like a reasonable raise-the-cyber-security-bar-a-little-bit-higher sort of step.


As for:
Quote: So, direction is in, block source is any, destination is the Geo_US_Canada alias. Pretty things up later.

Unless I'm misunderstanding, that would block inbound access from US/Canada... seems like I'd need to create a new alias that included everything except the US/Canada and then block inbound for anything in that list, which would take care of #1 above.

Then for #2, I'd use that same "the whole internet except for US/Canada" alias and block outbound access to it. Trouble is, the docs explicitly recommend against that:

Quote: Geo ip lists can be rather large, especially when using IPv6. When creating rules, always try to minimize the number of addresses needed in your selection. A selection of all countries in the world not being the Netherlands can usually be rewritten as only addresses from the Netherlands for example.

Thanks,

   - Nathan

January 02, 2024, 02:05:51 PM #3 Last Edit: January 02, 2024, 02:09:05 PM by doktornotor
Quote from: nhelder on January 02, 2024, 01:46:49 PM
As for:
Quote: So, direction is in, block source is any, destination is the Geo_US_Canada alias. Pretty things up later.

Unless I'm misunderstanding, that would block inbound access from US/Canada...

Huh, no. You put that on LAN interface, not WAN. Tick the invert checkbox.

And make an allow rule above this for your local nets.

P.S. And yes, do NOT create "the whole world except for one country" aliases. You do not want or need them.

Ahh... so the rule for #1 above is inbound to the WAN interface, and the rules for #2 are inbound to the LAN interfaces?

Figured it might be a newbie issue... will test when I get back home. Thanks.

   - Nathan

Uhm, no.

You have two rules on LAN for outbound traffic
- allow local networks
- block NOT Geo_US_Canada

You have one rule on WAN for inbound traffic (block NOT Geo_US_Canada).
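The rule layout above, written out as a hand-made pf.conf fragment so the interface/direction logic is explicit. This is an added illustration for this thread, not the ruleset OPNsense generates; it assumes interfaces named "wan" and "lan", a <local_nets> table you fill with your own RFC1918 ranges, and that <Geo_US_Canada> has already been populated from the GeoIP download.

```pf
# Hand-written illustration, not OPNsense's generated ruleset.
# Assumed: interface names "wan"/"lan"; <Geo_US_Canada> is loaded
# from the GeoIP alias; <local_nets> holds your own internal ranges.
table <Geo_US_Canada> persist
table <local_nets> persist { 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12 }

# --- The original attempt, for comparison (left disabled) ---------
# "Direction: Out" on WAN with Source/Invert = Geo_US_Canada. Outbound
# WAN traffic is evaluated after NAT, so the source is the WAN address,
# and the thread's logs show the built-in "let out anything from
# firewall host itself" pass rule matching first.
# block out quick on wan from ! <Geo_US_Canada> to any

# --- Recommended layout ------------------------------------------
# WAN, one rule: block inbound whose SOURCE is not in the alias.
block in quick on wan from ! <Geo_US_Canada> to any

# LAN, two rules, in this order. "in" on lan is traffic arriving from
# LAN clients (outbound from the network's point of view), matched on
# the real DESTINATION before any translation happens.
pass in quick on lan from lan:network to <local_nets>
block in quick on lan from any to ! <Geo_US_Canada>

# Sanity check with the thread's test address after the table is
# loaded; it should report no match, so the LAN block rule applies:
#   pfctl -t Geo_US_Canada -T test 178.176.152.240
```

Because both LAN rules are "quick", the allow rule must sit above the block rule or local VLAN-to-VLAN traffic gets dropped along with the non-US/Canada destinations.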

Quote from: doktornotor on January 02, 2024, 08:06:20 PM
Uhm, no.

You have two rules on LAN for outbound traffic
- allow local networks
- block NOT Geo_US_Canada

You have one rule on WAN for inbound traffic (block NOT Geo_US_Canada).
Yep. This.

Related to blocking scanning on inbound, most serious threat actors tunnel through a country-local address - either through a VPN or Tor exit node. With that said, I believe that the country block rule will prevent access through an open port from countries in that alias, not prevent the scanning of open ports. I could be wrong about that, though. I could be just blowing smoke out my...foot.