Re: [pfSense-discussion] country blocking for single address

2010-11-26 Thread Eugen Leitl
On Fri, Nov 26, 2010 at 01:19:15PM +0100, Eugen Leitl wrote:
 
> I have a single (OS X) box on my home LAN, for which I would like
> to block all traffic against a specific country, or several
> countries.
>
> There's a pfSense 2.0 package for that (which I haven't been
> able to get to work yet), but it blocks everything entirely.
>
> Can pfSense do this, or should I try improvising something
> on the OS X box with its native firewalling?

A single country block takes about 20k lines of CIDR network
notation. Apparently it's possible to produce ipfw rules via
a script http://macscripter.net/viewtopic.php?id=19701 for
OS X.

It would be nice to be able to process ~20k lines worth of CIDR
into a single alias. Would that work?

-- 
Eugen* Leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

-
To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com
For additional commands, e-mail: discussion-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



RE: [pfSense-discussion] country blocking for single address

2010-11-26 Thread Adam Thompson
The specific country involved might take far less than that; accuracy also 
matters.
For example, I can block about 80% of Africa with less than ten rules. 
Blocking 100% of Africa takes hundreds of entries.

I do recall there was a way previously discussed on-list to import huge 
aliases; unfortunately, I *think* it consisted of download (backup) 
config.xml, edit it programmatically, then upload (restore) it.  I also 
think there are enhancement requests still open for 2.0 to make this 
easier, but of course I can't find them right now...

-Adam Thompson
 athom...@athompso.net


 -Original Message-
 From: Eugen Leitl [mailto:eu...@leitl.org]
 Sent: Friday, November 26, 2010 06:46
 To: discussion@pfsense.com
 Subject: Re: [pfSense-discussion] country blocking for single
 address
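The rule-count versus accuracy trade-off Adam describes (a handful of big blocks covers most of a region, full coverage takes hundreds of entries) and Eugen's question about feeding ~20k CIDR lines into one alias can both be worked through with a short script. What follows is an added example, not code from this thread or from the pfSense project: it parses a CIDR dump, collapses it exactly (free: fewer rules, identical coverage), then shows the two lossy ways of getting the count down further, keeping only the largest blocks (under-blocking) or widening everything to a coarser prefix (over-blocking), and finally emits ipfw commands of the kind Eugen's OS X script would generate. The sample prefix list is constructed for illustration and is not a real country allocation; the ipfw output assumes FreeBSD-style ipfw2 lookup-table syntax (`table N add`, `table(N)` in a rule), which is an assumption about the target box.

```python
"""Shrink a country CIDR list before loading it into a firewall alias/table."""
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network

# Constructed sample, NOT a real country allocation. It deliberately mixes
# adjacent siblings, an overlapping duplicate and scattered small blocks,
# which is what a registry-derived country dump looks like in practice.
SAMPLE_CIDRS = """
197.0.0.0/11
197.32.0.0/11
41.0.0.0/10
41.64.0.0/10
102.0.0.0/9
41.128.0.0/11
105.0.0.0/8
196.0.0.0/9
196.128.0.0/10
196.192.0.0/11
196.224.0.0/12
213.136.96.0/19
154.0.0.0/8
212.99.0.0/16
80.88.0.0/20
212.101.0.0/16
62.208.0.0/17
# comment lines and blanks are skipped
41.0.0.0/10
"""


def parse_cidrs(text: str) -> List[Net]:
    """One CIDR per line. strict=True rejects entries with host bits set
    (e.g. 41.1.0.0/10) instead of silently widening them to the network."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=True))
    return nets


def collapse(nets: List[Net]) -> List[Net]:
    """Exact minimisation: merge sibling/overlapping prefixes, drop duplicates.
    The covered address set is unchanged; only the rule count drops."""
    return list(ipaddress.collapse_addresses(nets))


def address_count(nets: List[Net]) -> int:
    return sum(n.num_addresses for n in nets)


def top_k_coverage(nets: List[Net], k: int) -> Tuple[List[Net], float]:
    """Under-blocking trade-off: keep only the k largest exact blocks.
    Returns (kept blocks, fraction of the country's addresses still blocked)."""
    exact = collapse(nets)
    kept = sorted(exact, key=lambda n: n.num_addresses, reverse=True)[:k]
    return kept, address_count(kept) / address_count(exact)


def supernet_coverage(nets: List[Net], max_prefixlen: int) -> Tuple[List[Net], int]:
    """Over-blocking trade-off: widen every block longer than /max_prefixlen
    to /max_prefixlen, then collapse again. Nothing of the country escapes,
    but the returned int is how many addresses OUTSIDE it get blocked too."""
    exact = collapse(nets)
    widened = [n.supernet(new_prefix=max_prefixlen) if n.prefixlen > max_prefixlen else n
               for n in exact]
    rules = collapse(widened)
    return rules, address_count(rules) - address_count(exact)


def fully_covered(rules: List[Net], nets: List[Net]) -> bool:
    """True if every original prefix lies inside some rule (no under-blocking)."""
    return all(any(n.subnet_of(r) for r in rules) for n in nets)


def ipfw_table_commands(nets: List[Net], table: int = 1, rule_no: int = 1000) -> List[str]:
    """Assumed FreeBSD-style ipfw2 syntax: load the prefixes into a lookup table
    and reference it from two rules, instead of emitting two rules per prefix."""
    cmds = [f"table {table} add {n.with_prefixlen}" for n in nets]
    cmds.append(f"add {rule_no} deny ip from any to table({table})")
    cmds.append(f"add {rule_no} deny ip from table({table}) to any")
    return cmds


if __name__ == "__main__":
    nets = parse_cidrs(SAMPLE_CIDRS)
    exact = collapse(nets)
    print(f"{len(nets)} input lines -> {len(exact)} exact rules")
    for k in (2, 5, len(exact)):
        kept, frac = top_k_coverage(nets, k)
        print(f"  largest {len(kept):2d} blocks cover {frac:6.1%} of the country")
    for plen in (16, 12, 8):
        rules, over = supernet_coverage(nets, plen)
        print(f"  widen to /{plen}: {len(rules)} rules, {over} extra addresses blocked")
    print("\n".join(ipfw_table_commands(exact)))
```

On the constructed list the exact collapse alone drops 18 lines to 15 rules, the five largest blocks already cover roughly 80% of the address space, and widening to /12 removes one more rule at the cost of about four million addresses that were never in the list. Which of the two lossy directions is acceptable depends on what the block is for: dropping small blocks lets some of the country through, widening blocks breaks reachability to neighbours in the same /8 or /12.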

Re: [pfSense-discussion] country blocking for single address

2010-11-26 Thread Chris Buechler
On Fri, Nov 26, 2010 at 12:34 PM, Adam Thompson athom...@athompso.net wrote:
> The specific country involved might take far less than that; accuracy also
> matters.
> For example, I can block about 80% of Africa with less than ten rules.
> Blocking 100% of Africa takes hundreds of entries.
>
> I do recall there was a way previously discussed on-list to import huge
> aliases; unfortunately, I *think* it consisted of download (backup)
> config.xml, edit it programmatically, then upload (restore) it.

You don't want to do that with 20K+ entries in 1.2.x; the XML parser
in 1.2.x is too slow.

The countryblock package handles basically the same functionality
automatically in a way that doesn't slow things down.

> I also
> think there are enhancement requests still open for 2.0 to make this
> easier, but of course I can't find them right now...


Nothing still open as it's already done.
