> On Aug 19, 2019, at 1:17 AM, Michael Knill 
> <michael.kn...@ipcsolutions.com.au> wrote:
> 
> Hi all
>  
> Is there an easy way to set up Geoblocking on the firewall?
> I would want to open up a couple of countries and block everything else.
>  
> Regards
> Michael Knill

I would start here:

Firewall External Block List
https://doc.astlinux-project.org/userdoc:tt_firewall_external_block_list

I would argue it is better to block attackers/threats rather than countries.  
Take a look at the "Country Map" for firehol_level1:

http://iplists.firehol.org/?ipset=firehol_level1

I personally use this cron entry to update threat blocklists two times a day:
--
## Reload firewall blocklists
45 05,15 * * * reload-blocklist-netset /mnt/kd/blocklists firehol_level1 firehol_webclient spamhaus_dropv6 >/dev/null 2>&1
--
(please change the time cron slightly if you copy-paste)

I also manually create a /mnt/kd/blocklists/whitelist.netset file to make sure 
critical upstream HOST/CIDR's never get blocked ... DNS, NTP, SIP providers, 
etc.

BTW, I do get occasional false positives for HTTP/HTTPS outbound with the 
firehol_webclient blocklist since one bad actor on a shared server results in 
blocking the shared server's IP for a period of time.

BTW, for years the "voipbl" blocklist worked well, but lately there have been 
too many false positives to recommend it.

Back to your original question, blocking countries ... create your own 
/mnt/kd/blocklists/block-country-xx.netset files. DDG'ing, I found a couple of 
sites offering free, *.netset compatible file formats:

http://www.ipdeny.com/ipblocks/

https://www.countryipblocks.net/acl.php
(Select Format: CIDR)

I'm sure there are other Geo-blocklist sources as well.

Note the Geo-blocklists do not need to be updated nearly as often as the threat 
blocklists do; I'm not sure, but every month (or longer) is probably enough, 
depending on how accurate you want it.

Lonnie
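As an added example (not code from this thread, and not AstLinux's reload-blocklist-netset script), here is a small Python check for the whitelist.netset idea above: it parses constructed *.netset blocklist and whitelist files, reports which whitelisted upstream hosts the blocklist would catch, and carves those ranges out of the blocklist. The only format assumed is one IP or CIDR per line with '#' comments; the sample prefixes are documentation ranges, not real threat data.

```python
"""Netset whitelist check (added example; not the AstLinux reload-blocklist-netset script)."""
import ipaddress

# Constructed sample lists in *.netset format: one IP or CIDR per line, '#' starts a comment.
BLOCKLIST = """\
# firehol_level1-style sample (constructed; documentation prefixes, not real threat data)
192.0.2.0/24
198.51.100.77
2001:db8:bad::/48
"""
WHITELIST = """\
# /mnt/kd/blocklists/whitelist.netset (constructed): upstreams that must never be blocked
192.0.2.53     # ISP DNS resolver, sits inside the blocked /24
198.51.100.77  # SIP provider, listed verbatim in the blocklist
"""


def parse_netset(text):
    """Return ip_network objects from *.netset text, skipping blank lines and comments."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def whitelist_hits(blocklist, whitelist):
    """Pairs (block_net, white_net) where a whitelisted host/CIDR would be caught by the blocklist."""
    return [(b, w) for b in blocklist for w in whitelist
            if b.version == w.version and (w.subnet_of(b) or b.subnet_of(w))]


def apply_whitelist(blocklist, whitelist):
    """Carve every whitelisted range out of the blocklist; the result never covers a whitelisted address."""
    result = []
    for b in blocklist:
        pieces = [b]
        for w in (w for w in whitelist if w.version == b.version):
            nxt = []
            for p in pieces:
                if p.subnet_of(w):
                    continue  # whole piece is whitelisted: drop it
                nxt.extend(p.address_exclude(w) if w.subnet_of(p) else [p])
            pieces = nxt
        result.extend(pieces)
    return sorted(result, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def render_netset(nets):
    """Serialise networks back to *.netset lines (single hosts as bare addresses)."""
    return "".join(
        (str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)) + "\n" for n in nets)
```

Running the check before reloading the lists is one way to catch the shared-server false positive described above before it takes down a DNS or SIP upstream.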

_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users