Since Version 2.17 - Core Update 90, the firewall engine is able to process IP addresses by their geographic location. This is possible because of a database that provides geographic information for most IP addresses worldwide; this technique is called GeoIP.
For example, when creating a firewall rule, source and destination can be
- single IP addresses or IP ranges (e.g. 220.127.116.11/16) or
- known network zones, such as GREEN or RED or
- VPN network zones or
- a country.
Thanks to this, it is possible to offer certain services only to desired countries, which might limit the attack surface of your firewall or the computers behind it. This is especially useful for mail servers, VPN servers and VoIP port forwardings.
To block incoming connections by country, you don't need to set up a firewall rule anymore since there is a new page in the web interface now.
It is called "GeoIP block" and is accessible via "Firewall→GeoIP block". To block incoming connections via that page (of course it is still possible to set up a firewall group and block them via a firewall rule, as you did before), check "Enable GeoIP based blocking" and save this setting by clicking the "Save" button.
Then, select the countries you want to block by checking the box next to each of them. After having finished that, scroll down to the end of the page and click "Save". From then on, any connections from those countries will be rejected instantly, even before passing other firewall rules, e.g. port forwardings, which might otherwise allow them.
Please make sure not to block countries your firewall should be reachable from. This is important because of VoIP connections, since the "content" (RTP) of a telephone conversation is mostly transferred directly between the callers' public IPs.
In short: if you use VoIP and do not know that your phone company handles "content" traffic differently, you will be unreachable by phone from those countries you blocked using "GeoIP block".
There are some limitations to the GeoIP technique as a whole. Some of them are permanent, others might be fixed in the future.
Large companies such as Google tend to host their servers in many different countries, mostly in their own datacenters. Usually, they don't tell where these datacenters are or which IPs they cover; it is very difficult or even impossible to determine which server at Google is fulfilling your request when accessing their services. This technique is called "anycast" and is used for load balancing, datacenter redundancy, etc.
This goes for other companies as well, including content-delivery-networks (CDNs), which are also acting worldwide in many cases.
Often, the GeoIP database does not provide correct information about "anycast" IP addresses. Worse, it does not even tell you that "anycast" is in use behind an IP address. Instead, it returns a country; in the case of Google it is "US".
You might wonder why there are two groups which don't cover an existing country: A1 and A2.
Their purpose is to cover IP addresses which cannot be located physically. Currently, there are only two groups for which this is true:
- Anonymous Proxies - The group "A1" covers IP addresses with proxy functionality, such as commercial or free VPN exit points, public web proxies or web redirectors, and some Tor relays.
- Satellite providers - "A2" lists IP ranges used by satellite providers. Since you can use a satellite connection (almost) anywhere in the world, it does not make sense to allocate them to a certain country.
Although neither category is necessarily bad, both might be unwanted in some environments.
The GeoIP database is not telling you whether an IP address is "good", "bad" or "ugly". Of course, some countries are known for spreading spam and malware, such as China. Therefore, if you are not related to such a country, incoming connections from that state might be unwanted.
But the GeoIP database, as mentioned in the title, is not a reputation database. In other words, it does not really replace running an IDS. Make sure not to forget hardening your clients and the firewall itself.
The database used by IPFire is not 100% complete. In some cases, there is no corresponding entry for an address. Since the database is updated monthly, this is hopefully fixed in one of the newer versions.
Furthermore, the "A1" section is not complete, especially with regard to the Tor network. Some Tor relays are operated with changing IP addresses (dial-up IP ranges), and blocking them simply makes no sense. Others are not running in "exit" mode when checked and might therefore not be included. Blocking all anonymous users is not possible by using the IPFire GeoIP filter.
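To make the mechanics and the limitations above concrete, here is an added example (not IPFire's own code or database) that models a GeoIP filter in the small: a longest-prefix lookup over a constructed table that contains an ordinary country, a nested "A1" proxy range and an "A2" satellite range, followed by the rule ordering the text describes (GeoIP block first, port forwards afterwards). The table, the blocked set, the port forwards and the `block_unknown` knob are all constructed for illustration; the knob in particular is hypothetical and only exists to show what happens with an address the database does not know.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Constructed, illustrative GeoIP table: (network, country code). The prefixes
# are documentation ranges and the assignments are made up for this example;
# "A1"/"A2" carry the meaning given above (anonymous proxies, satellite
# providers). A real database holds millions of such prefixes.
GEOIP_TABLE: List[Tuple[ipaddress._BaseNetwork, str]] = [
    (ipaddress.ip_network("203.0.113.0/24"), "DE"),
    (ipaddress.ip_network("198.51.100.0/24"), "CN"),
    (ipaddress.ip_network("198.51.100.128/25"), "A1"),  # proxy range nested inside the CN block
    (ipaddress.ip_network("192.0.2.0/25"), "A2"),
]

# Constructed policy: the countries an admin ticked on the GeoIP block page.
BLOCKED_COUNTRIES: Set[str] = {"CN", "A1"}

# Constructed port forwards: destination port -> internal host. In the chain
# they sit *after* the GeoIP check, as the text describes.
PORT_FORWARDS: Dict[int, str] = {25: "10.0.0.10", 1194: "10.0.0.20"}


def lookup_country(ip: str) -> Optional[str]:
    """Longest-prefix match of ip against the table.

    Returns the country code of the most specific matching prefix, or None
    when the database has no entry at all (the 'not 100% complete' case).
    """
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[ipaddress._BaseNetwork, str]] = None
    for net, cc in GEOIP_TABLE:
        # 'in' is False across IPv4/IPv6, so a v6 address never hits a v4 prefix.
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return None if best is None else best[1]


def evaluate_incoming(src_ip: str, dst_port: int,
                      block_unknown: bool = False) -> Tuple[str, Optional[str]]:
    """Simulate the rule order: GeoIP block, then port forwards, then default drop.

    Returns (verdict, country). block_unknown is a hypothetical knob: an
    address without a database entry cannot match any country rule, so a
    GeoIP filter lets it fall through unless the operator decides otherwise.
    """
    cc = lookup_country(src_ip)
    if cc is None:
        if block_unknown:
            return ("DROP", None)
    elif cc in BLOCKED_COUNTRIES:
        # Rejected here, before any port forward is consulted.
        return ("DROP", cc)
    if dst_port in PORT_FORWARDS:
        return (f"DNAT {PORT_FORWARDS[dst_port]}", cc)
    return ("DROP", cc)


if __name__ == "__main__":
    for ip, port in [("198.51.100.5", 25), ("198.51.100.200", 25),
                     ("203.0.113.9", 25), ("192.0.2.7", 1194), ("192.0.2.200", 25)]:
        print(ip, port, evaluate_incoming(ip, port))
```

Two things stand out when you run it: the address inside the nested "A1" range is dropped even though the enclosing /24 is also blocked (the more specific entry wins, which is how a real database can report a proxy range inside a country's allocation), and the address with no entry reaches the port forward on port 25 because the filter has nothing to match on. That second case is exactly why the incompleteness caveat matters for a mail server exposed by port forwarding.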
To view the number of hits against your firewall from countries which you are blocking:
- Go to "Firewall" menu and click "iptables"
- In the first "iptables" section, select "GEOIPBLOCK" from the drop down list
- Click "Update"
A list of the countries blocked will be displayed along with a packet and byte count
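The same counters can be read from the shell with `iptables -vnL GEOIPBLOCK` (add `-x` to get exact numbers instead of abbreviated ones). As an added example that is not part of the original page, the following Python turns such a listing into per-country hit totals, which is handy for a cron job or a dashboard. The listing embedded below is constructed: the counters and interface names are made up, and the trailing "Source country: XX" wording is an assumption about how the geoip match prints itself, not something the page states.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of `iptables -vnL GEOIPBLOCK` output.
# Counters, interface names and the "Source country:" phrasing are assumptions
# for this example; adjust COUNTER_RE if your iptables prints the match differently.
SAMPLE_LISTING = """\
Chain GEOIPBLOCK (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1234 98765 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            Source country: CN
   57  4120 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            Source country: RU
    0     0 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            Source country: A1
   12   960 DROP       all  --  red0   *       0.0.0.0/0            0.0.0.0/0            Source country: CN
"""

# pkts, bytes, then anything, then the two-character country (or A1/A2) code.
COUNTER_RE = re.compile(
    r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+DROP\b.*Source country:\s*([A-Z0-9]{2})\s*$"
)

# Without -x, iptables abbreviates large counters as 12K, 3M, 1G.
SCALE = {"K": 1000, "M": 1_000_000, "G": 1_000_000_000}


def _counter(text: str) -> int:
    """Convert an iptables counter field, abbreviated or not, to an int."""
    if text[-1] in SCALE:
        return int(text[:-1]) * SCALE[text[-1]]
    return int(text)


def parse_geoip_counters(listing: str) -> Dict[str, Tuple[int, int]]:
    """Sum (packets, bytes) per country code over all DROP rules in the chain.

    A country may appear on more than one line (e.g. after rules were
    re-added), so totals are accumulated rather than overwritten.
    """
    totals: Dict[str, Tuple[int, int]] = {}
    for line in listing.splitlines():
        m = COUNTER_RE.match(line)
        if not m:
            continue  # chain header, column header, or an unrelated rule
        pkts, byts, cc = _counter(m.group(1)), _counter(m.group(2)), m.group(3)
        p, b = totals.get(cc, (0, 0))
        totals[cc] = (p + pkts, b + byts)
    return totals


def top_blocked(listing: str, n: int = 3) -> List[Tuple[str, int, int]]:
    """Return the n countries with the most dropped packets as (cc, pkts, bytes)."""
    rows = [(cc, p, b) for cc, (p, b) in parse_geoip_counters(listing).items()]
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows[:n]


if __name__ == "__main__":
    # On a live system replace SAMPLE_LISTING with the output of
    # `iptables -vnxL GEOIPBLOCK` read from subprocess or a saved file.
    for cc, pkts, byts in top_blocked(SAMPLE_LISTING):
        print(f"{cc}: {pkts} packets, {byts} bytes dropped")
```

A country that stays at zero over a long period (like "A1" in the sample) is worth a second look: either nothing from there ever reaches the RED interface, or the match is not doing what you expect, and only the counters will tell you which.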