Thanks Lonnie. I'm learning __

I noticed in the doco that you can 'match incoming and/or outgoing' traffic, but I couldn't see where you actually specify this, e.g. I just want incoming.
Just wondering if I am missing something?

Regards
Michael Knill

On 21/8/19, 2:10 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:

    Michael,
    
    As your original question asked, you wanted to block all countries except one or two.
    
    I suppose you could be clever and block all by default in /mnt/kd/blocklists/blocked-hosts.netset
    --
    0.0.0.0/1
    128.0.0.0/1
    --
    and then use the whitelist to add your allowed countries' .netsets.
    
    BTW, I have not tried this!
    
    But a more elegant method would be to generate a custom block-all-except-xx-yy.netset on an external host for your custom use.
    
    The FireHol project uses a handy script "iprange" (should be on Debian):
    https://github.com/firehol/iprange/wiki
    
    The "exclude" mode does a complement of the added file, so in theory (not tested) you could start with this file:
    --
    0.0.0.0/1
    128.0.0.0/1
    --
    and then "exclude" what countries you want to allow to generate a block-all-except-xx-yy.netset file.
    
    The iprange command has a bunch of other unique and useful features. Though I'm not sure if it applies to AstLinux enough to be included?
    
    Lonnie
    
    
    
    > On Aug 19, 2019, at 7:05 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
    > 
    > Thanks Lonnie for the info.
    > 
    > Regards
    > Michael Knill
    > 
    > On 20/8/19, 12:30 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
    > 
    > 
    > 
    >> On Aug 19, 2019, at 1:17 AM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
    >> 
    >> Hi all
    >> 
    >> Is there an easy way to set up Geoblocking on the firewall?
    >> I would want to open up a couple of countries and block everything else.
    >> 
    >> Regards
    >> Michael Knill
    > 
    >    I would start here:
    > 
    >    Firewall External Block List
    >    https://doc.astlinux-project.org/userdoc:tt_firewall_external_block_list
    > 
    >    I would argue it is better to block attackers/threats rather than countries. Take a look at the "Country Map" for firehol_level1:
    > 
    >    http://iplists.firehol.org/?ipset=firehol_level1
    > 
    >    I personally use this cron entry to update threat blocklists two times a day:
    >    --
    >    ## Reload firewall blocklists
    >    45 05,15 * * * reload-blocklist-netset /mnt/kd/blocklists firehol_level1 firehol_webclient spamhaus_dropv6 >/dev/null 2>&1
    >    --
    >    (please change the cron time slightly if you copy-paste)
    > 
    >    I also manually create a /mnt/kd/blocklists/whitelist.netset file to make sure critical upstream HOST/CIDRs never get blocked ... DNS, NTP, SIP providers, etc.
    > 
    >    BTW, I do get occasional false positives for HTTP/HTTPS outbound with the firehol_webclient blocklist since one bad actor on a shared server results in blocking the shared server's IP for a period of time.
    > 
    >    BTW, for years the "voipbl" blocklist worked well, but lately there have been too many false positives to recommend.
    > 
    >    Back to your original question, blocking countries ... create your own /mnt/kd/blocklists/block-country-xx.netset files. DDG'ing, I found a couple of sites offering free, *.netset compatible file formats:
    > 
    >    http://www.ipdeny.com/ipblocks/
    > 
    >    https://www.countryipblocks.net/acl.php
    >    (Select Format: CIDR)
    > 
    >    I'm sure there are other Geo-blocklist sources as well.
    > 
    >    Note the Geo-blocklists do not need to be updated nearly as often as the threat blocklists do. I'm not sure, but every month (or longer) is probably enough, depending on how accurate you want it.
    > 
    >    Lonnie
    > 
    > 
    > 
    > 
    >    _______________________________________________
    >    Astlinux-users mailing list
    >    Astlinux-users@lists.sourceforge.net
    >    https://lists.sourceforge.net/lists/listinfo/astlinux-users
    > 
    >    Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
    > 
    



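Lonnie's block-all-then-exclude idea, as an added example that is not part of the thread and not iprange or AstLinux code: a plain-Python version of the "exclude" (complement) step that starts from 0.0.0.0/1 + 128.0.0.0/1, reads .netset text, and emits the lines for a block-all-except-xx-yy.netset. The country prefixes in the sample are constructed placeholders, not real allocations.

```python
"""block-all-except-xx-yy.netset as sketched in the thread: start from
0.0.0.0/1 + 128.0.0.0/1 and subtract the country prefixes to allow.
Added example in plain Python (not iprange/AstLinux code); IPv4 only."""
import ipaddress

BLOCK_ALL = ["0.0.0.0/1", "128.0.0.0/1"]   # all of IPv4, as in the thread

def parse_netset(lines):
    """One IP/CIDR per line; '#' comments, blanks and non-IPv4 are skipped."""
    nets = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if line:
            net = ipaddress.ip_network(line, strict=False)   # bare IP -> /32
            if isinstance(net, ipaddress.IPv4Network):
                nets.append(net)
    return nets

def exclude(base, allowed):
    """base minus allowed, collapsed to the fewest CIDRs (iprange's 'exclude')."""
    remaining = list(ipaddress.collapse_addresses(base))
    for allow in ipaddress.collapse_addresses(allowed):
        kept = []
        for net in remaining:
            if net.subnet_of(allow):
                continue                                   # fully allowed
            elif allow.subnet_of(net):
                kept.extend(net.address_exclude(allow))    # carve a hole
            else:
                kept.append(net)                           # disjoint
        remaining = kept
    return list(ipaddress.collapse_addresses(remaining))

def build_blocklist(allowed_netsets):
    """Output lines for the .netset, from the text of each allowed netset."""
    allowed = [n for t in allowed_netsets for n in parse_netset(t.splitlines())]
    return [str(n) for n in exclude(parse_netset(BLOCK_ALL), allowed)]

def covers(netset, ip):
    """True if ip falls inside some CIDR of netset (i.e. would be blocked)."""
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in netset)

def address_count(netset):
    return sum(ipaddress.ip_network(n).num_addresses for n in netset)

if __name__ == "__main__":
    xx = "# country xx (constructed placeholder)\n203.0.113.0/24\n198.51.100.0/24\n"
    yy = "# country yy (constructed placeholder)\n192.0.2.0/24\n"
    print("\n".join(build_blocklist([xx, yy])))
```

Note that collapsing merges the two base halves into 0.0.0.0/0 before the holes are carved, so with no allowed prefixes the output is a single 0.0.0.0/0 line rather than the two lines in the thread; the covered address space is identical.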