Michael,

As your original question asked, you wanted to block all countries except one or two.

I suppose you could be clever and block all by default in /mnt/kd/blocklists/blocked-hosts.netset
--
0.0.0.0/1
128.0.0.0/1
--
and then use the whitelist to add your allowed countries' .netset's. BTW, I have not tried this!

But a more elegant method would be to generate a custom block-all-except-xx-yy.netset on an external host for your custom use.

The FireHol project uses a handy script "iprange" (should be on Debian):
https://github.com/firehol/iprange/wiki

The "exclude" mode does a complement of the added file, so in theory (not tested) you could start with this file:
--
0.0.0.0/1
128.0.0.0/1
--
and then "exclude" what countries you want to allow to generate a block-all-except-xx-yy.netset file.

The iprange command has a bunch of other unique and useful features. Though I'm not sure if it applies to AstLinux enough to be included?

Lonnie

> On Aug 19, 2019, at 7:05 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>
> Thanks Lonnie for the info.
>
> Regards
> Michael Knill
>
> On 20/8/19, 12:30 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
>
>> On Aug 19, 2019, at 1:17 AM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>>
>> Hi all
>>
>> Is there an easy way to set up Geoblocking on the firewall?
>> I would want to open up a couple of countries and block everything else.
>>
>> Regards
>> Michael Knill
>
> I would start here:
>
> Firewall External Block List
> https://doc.astlinux-project.org/userdoc:tt_firewall_external_block_list
>
> I would argue it is better to block attackers/threats rather than countries.
> Take a look at the "Country Map" for firehol_level1:
>
> http://iplists.firehol.org/?ipset=firehol_level1
>
> I personally use this cron entry to update threat blocklists two times a day:
> --
> ## Reload firewall blocklists
> 45 05,15 * * * reload-blocklist-netset /mnt/kd/blocklists firehol_level1 firehol_webclient spamhaus_dropv6 >/dev/null 2>&1
> --
> (please change the cron time slightly if you copy-paste)
>
> I also manually create a /mnt/kd/blocklists/whitelist.netset file to make sure critical upstream HOST/CIDR's never get blocked ... DNS, NTP, SIP providers, etc.
>
> BTW, I do get occasional false positives for HTTP/HTTPS outbound with the firehol_webclient blocklist, since one bad actor on a shared server results in blocking the shared server's IP for a period of time.
>
> BTW, for years the "voipbl" blocklist worked well, but lately there have been too many false positives to recommend it.
>
> Back to your original question, blocking countries ... create your own /mnt/kd/blocklists/block-country-xx.netset files. DDG'ing, I found a couple of sites offering free, *.netset compatible file formats:
>
> http://www.ipdeny.com/ipblocks/
>
> https://www.countryipblocks.net/acl.php
> (Select Format: CIDR)
>
> I'm sure there are other Geo-blocklist sources as well.
>
> Note the Geo-blocklists do not need to be updated nearly as often as the threat blocklists do. I'm not sure, but every month (or longer) is probably enough, depending on how accurate you want it.
>
> Lonnie
>
> _______________________________________________
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
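The "start from 0.0.0.0/1 + 128.0.0.0/1 and exclude the countries you want to allow" idea from the thread can be checked without iprange at all, using only Python's standard ipaddress module. The script below is an added example, not code from the thread, AstLinux or the FireHol project: it parses .netset-style text (one IP or CIDR per line, # comments), computes the complement of the allowed ranges over all of IPv4, and renders the result as a block-all-except-xx-yy.netset. The per-country files are constructed stand-ins built from RFC 5737 documentation prefixes, not real country data; in practice you would feed it the downloaded country .netset files. As an extra step that the thread does not take (AstLinux applies whitelist.netset separately), it also subtracts a constructed whitelist of upstream hosts so the generated file can never contain them. IPv4 only; mixing address families into collapse_addresses would raise TypeError.

```python
import ipaddress

# Seed file from the thread: two /1 prefixes that together cover all of IPv4.
SEED_NETSET = """\
0.0.0.0/1
128.0.0.0/1
"""

# Constructed stand-ins for the per-country .netset files (xx and yy).
# RFC 5737 documentation prefixes, NOT real country allocations.
ALLOW_XX_NETSET = """\
# country xx (constructed sample)
203.0.113.0/24
198.51.100.0/25
"""
ALLOW_YY_NETSET = """\
# country yy (constructed sample)
192.0.2.0/24
"""

# Constructed whitelist of upstream hosts (DNS, NTP, SIP) that must never be blocked.
WHITELIST_NETSET = """\
192.0.2.53        # DNS resolver (constructed)
203.0.113.123/32  # SIP provider (constructed)
"""


def parse_netset(text):
    """Parse .netset-style text: one IP or CIDR per line, '#' starts a comment."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            # strict=False tolerates host bits; a bare address becomes a /32.
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def exclude_networks(base, excludes):
    """Return base minus excludes as a minimal CIDR list (the iprange 'exclude' idea)."""
    base = list(ipaddress.collapse_addresses(base))
    excludes = list(ipaddress.collapse_addresses(excludes))
    kept = []
    for net in base:
        pieces = [net]
        for ex in excludes:
            carved = []
            for piece in pieces:
                # Two CIDRs either nest or are disjoint, so three cases suffice.
                if ex.subnet_of(piece):
                    # ex lies inside piece: keep the CIDRs around it (nothing if equal).
                    carved.extend(piece.address_exclude(ex))
                elif piece.subnet_of(ex):
                    # piece is entirely covered by an allowed range: drop it.
                    continue
                else:
                    carved.append(piece)
            pieces = carved
        kept.extend(pieces)
    return list(ipaddress.collapse_addresses(kept))


def build_block_all_except(allow_texts, whitelist_text=""):
    """Complement of the allowed country ranges (plus whitelist) over all of IPv4."""
    allowed = []
    for text in allow_texts:
        allowed.extend(parse_netset(text))
    allowed.extend(parse_netset(whitelist_text))
    return exclude_networks(parse_netset(SEED_NETSET), allowed)


def render_netset(nets, title="block-all-except-xx-yy"):
    """Serialise the CIDR list in the plain one-per-line .netset format."""
    lines = [f"# {title}: {len(nets)} CIDRs, generated offline"]
    lines.extend(str(n) for n in nets)
    return "\n".join(lines) + "\n"


def is_blocked(nets, ip):
    """True if ip falls inside any CIDR of the generated block list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def covered_addresses(nets):
    """Total number of addresses the block list covers (sanity check)."""
    return sum(n.num_addresses for n in nets)


if __name__ == "__main__":
    block = build_block_all_except([ALLOW_XX_NETSET, ALLOW_YY_NETSET], WHITELIST_NETSET)
    print(render_netset(block))
    for probe in ("203.0.113.5", "198.51.100.200", "192.0.2.53", "8.8.8.8"):
        print(probe, "blocked" if is_blocked(block, probe) else "allowed")
```

The sanity checks are the point: before copying a generated file into /mnt/kd/blocklists, confirm that the covered address count equals 2^32 minus the allowed ranges and that no blocked CIDR overlaps an allowed one, so a bad line in a downloaded country file (a stray host bit, an empty file) does not silently turn into a block of the whole Internet.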