Re: [pfSense-discussion] country blocking for single address
On Fri, Nov 26, 2010 at 12:34 PM, Adam Thompson wrote:
> The specific country involved might take far less than that; accuracy also
> matters.
> For example, I can block about 80% of Africa with less than ten rules.
> Blocking 100% of Africa takes hundreds of entries.
>
> I do recall there was a way previously discussed on-list to import huge
> aliases; unfortunately, I *think* it consisted of download (backup)
> config.xml, edit it programmatically, then upload (restore) it.

You don't want to do that with 20K+ entries in 1.2.x, the XML parser in 1.2.x is too slow. The countryblock package handles basically the same functionality automatically in a way that doesn't slow things down.

> I also
> think there are enhancement requests still open for 2.0 to make this
> easier, but of course I can't find them right now...
>

Nothing still open as it's already done.

-
To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com
For additional commands, e-mail: discussion-h...@pfsense.com

Commercial support available - https://portal.pfsense.org

RE: [pfSense-discussion] country blocking for single address
The specific country involved might take far less than that; accuracy also matters.
For example, I can block about 80% of Africa with less than ten rules. Blocking 100% of Africa takes hundreds of entries.

I do recall there was a way previously discussed on-list to import huge aliases; unfortunately, I *think* it consisted of download (backup) config.xml, edit it programmatically, then upload (restore) it.

I also think there are enhancement requests still open for 2.0 to make this easier, but of course I can't find them right now...

-Adam Thompson
 athom...@athompso.net

> -Original Message-
> From: Eugen Leitl [mailto:eu...@leitl.org]
> Sent: Friday, November 26, 2010 06:46
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] country blocking for single
> address
>
> On Fri, Nov 26, 2010 at 01:19:15PM +0100, Eugen Leitl wrote:
> >
> > I have a single (OS X) box on home LAN, which I would like
> > to block all traffic against a specific country, or several
> > countries.
> >
> > There's a pfSense 2.0 package for that (which I haven't been
> > able to make to work yet), but it blocks everything entirely.
> >
> > Can pfSense do this, or should I try improvising something
> > on the OS X box with its native firewalling?
>
> A single country block takes about 20 k lines of CIDR network
> notation. Apparently it's possible to produce ipfw rules via
> a script http://macscripter.net/viewtopic.php?id=19701 for
> OS X.
>
> It would be nice to be able to process ~20k lines worth of CIDR
> into a single alias. Would that work?
>
> --
> Eugen* Leitl http://leitl.org
> ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
> 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

Re: [pfSense-discussion] country blocking for single address
On Fri, Nov 26, 2010 at 01:19:15PM +0100, Eugen Leitl wrote:
>
> I have a single (OS X) box on home LAN, which I would like
> to block all traffic against a specific country, or several
> countries.
>
> There's a pfSense 2.0 package for that (which I haven't been
> able to make to work yet), but it blocks everything entirely.
>
> Can pfSense do this, or should I try improvising something
> on the OS X box with its native firewalling?

A single country block takes about 20 k lines of CIDR network notation. Apparently it's possible to produce ipfw rules via a script http://macscripter.net/viewtopic.php?id=19701 for OS X.

It would be nice to be able to process ~20k lines worth of CIDR into a single alias. Would that work?

--
Eugen* Leitl http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

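Added example, not part of the original thread and not pfSense or countryblock code: a Python script for the two points raised in the messages above. It merges a long CIDR list into the fewest equivalent entries before it goes into a single alias, and measures how much of the listed address space the largest few entries cover. The function names and the sample ranges (private and documentation prefixes, IPv4 only) are constructed for illustration.

```python
import ipaddress

# Constructed sample input: private and documentation ranges, not a real country list.
SAMPLE_CIDRS = """
10.0.0.0/9
10.128.0.0/9
192.0.2.0/25
192.0.2.128/25
198.51.100.0/24
198.51.100.64/26
203.0.113.0/26
# comment lines and blanks are skipped
203.0.113.64/26
"""

def parse_cidrs(text):
    """Parse one CIDR per line, skipping blanks and '#' comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def collapse(nets):
    """Merge adjacent and overlapping networks; return them largest first."""
    merged = ipaddress.collapse_addresses(nets)  # all inputs must be the same IP version
    return sorted(merged, key=lambda n: (n.prefixlen, n))

def entries_for_coverage(collapsed, target):
    """Pick the fewest largest-first entries covering >= target (0..1) of the listed space."""
    total = sum(n.num_addresses for n in collapsed)
    picked, covered = [], 0
    for net in collapsed:
        if covered >= target * total:
            break
        picked.append(net)
        covered += net.num_addresses
    return picked, covered / total

if __name__ == "__main__":
    collapsed = collapse(parse_cidrs(SAMPLE_CIDRS))
    picked, frac = entries_for_coverage(collapsed, 0.80)
    print(f"{len(collapsed)} entries after collapsing; {len(picked)} cover {frac:.1%}")
    # One network per line, the usual shape for a bulk alias or table file.
    print("\n".join(str(n) for n in collapsed))
```
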
[pfSense-discussion] country blocking for single address
I have a single (OS X) box on home LAN, which I would like to block all traffic against a specific country, or several countries.

There's a pfSense 2.0 package for that (which I haven't been able to make to work yet), but it blocks everything entirely.

Can pfSense do this, or should I try improvising something on the OS X box with its native firewalling?

--
Eugen* Leitl http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE