17.7 Preferred way to block countries via GeoIP?

[SecAficionado]

Hi there,

As it says in the subject, I'd like to know the preferred way to block countries using GeoIP. The reason I ask is because there is contradictory information between the wiki and the Forums. In the wiki there is an example for using Suricata to block a set of countries. Googling, though, there is a link to an answer in the forum with quick instructions on how to block countries using firewall rules and aliases.

So, supposing we have a firewall with Suricata enabled and running, what is the best way to block countries using GeoIP? What are the memory considerations? I tried to build a table for United States (not) and got out of memory errors on a box with 8GB of memory. Is that sign of a bug, or was I simply trying to do something stupid?

Suricata seemed to work OK, but the logs became unmanageable. Using tables the logs are nice and clean, but I wonder if it works the same. Am I overloading the system with one over the other methodology? CPU usage seemed pretty low on both and, other than the out of memory error in the logs, the memory usage graphs showed lots of free memory.

Anyway, I know there is no simple answer, but I'd like to have some parameters to consider so I can make an informed decision. If the answer is "trial and error", then what should I look for? Memory usage? CPU usage? Error logs? What are the trade-offs? Are both options equally secure, or insecure?

Thanks in advance for your help!

[thegadget]

I am following as well.   I would really like to block certain countries as well.

[franco]

Both ways work. Suricata came first but is not as flexible.

We recommend using aliases as you can use them in individual rules and refine them as needed.


Cheers,
Franco

[SecAficionado]

Both ways work. Suricata came first but is not as flexible.

We recommend using aliases as you can use them in individual rules and refine them as needed.

Excellent. Thanks! I'm glad you recommend aliases, Ive been playing around with them and I like the way they work.

Cheers!

[Noctur]

I use them in combo..

Alias block for a huge list of known offending countries: RU, China, etc. Then Suricata for finer work. This seems less resource intensive with no impact on throughput.

[Julien]

I use them in combo..

Alias block for a huge list of known offending countries: RU, China, etc. Then Suricata for finer work. This seems less resource intensive with no impact on throughput.

How di you managed to add the alias ?
I believe you did not add IP for IP as alias ?

[Noctur]

I use them in combo..

Alias block for a huge list of known offending countries: RU, China, etc. Then Suricata for finer work. This seems less resource intensive with no impact on throughput.

How di you managed to add the alias ?
I believe you did not add IP for IP as alias ?

Firewall/Alias/View - Add New

   On Add screen, first dropdown option is Type.

   At bottom of Type dropdown list is GeoIP.

   Once select Type, at bottom of page is Aliases, and Country selection dropdown.

   From the dropdown list, select the country you want to block and press the + sign.

   Repeat for additional countries. Save List.

Firewall/Rules on Lan and Wan tabs.

   + at bottom of page to Add New

   Action - Block
   Interface - Wan or Lan
   Source - dropdown list, find your Alias you created above.

Good HowTo here: https://docs.opnsense.org/manual/how-tos/ips-geoip.html