From: Stefan Schantl <stefan.schantl@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: Testing GeoIP based firewall
Date: Sat, 14 Mar 2015 16:55:27 +0100 [thread overview]
Message-ID: <1426348527.3076.469.camel@ipfire.org> (raw)
In-Reply-To: <DUB120-W15F037C7A20A9A80D76AD39C070@phx.gbl>
[-- Attachment #1: Type: text/plain, Size: 2238 bytes --]
Hello Blago Culjak,
a big thanks to you for testing the GeoIP-block feature and sharing your
experience with us.
> Hello, been testing whole day, but I'm having some major trouble while
> doing so.
>
> 1. After enabling GeoIP, don't even select any country, apply rules, I
> can't connect to WUI or SSH from RED. At what position are GeoIP
> rules? Are they overriding rules made by Incoming Firewall Access?
>
> 2. Can the quick rules made in Firewall -> GeoIP block be visible in
> Firewall->Firewall Rules, so we can get a hang of it?
>
> 3. Seems that ping is working from RED, so you do not block ICMP in
> quick rules made in Firewall -> GeoIP?
Firewall rules will be processed rule by rule, chain by chain and the
first rule which applies to a packet will be used.
The GEOIPBLOCK chain is located after the ICMPINPUT and the CONNTRACK
chain.
This still allows the System to get and response to ICMP packets on the
red interface which are required by various services to work in the
proper way. Processing the GEOIPBLOCK after the CONNTRACK chain improves
the firewall performance significant and allows to receive answer
packets for your clients in the internal network zones. Otherwise it
would not be possible to access websites or services which are hosted in
a country which is selected in the "geoip-block.cgi". This CGI script
only provides an easy to setup and globally valid block of incomming
traffic to the IPFire system. This can be distinguished as an extra
benefit of GeoIP-block and as separate feature.
The GEOIPBLOCK chain finally will be processed before the INPUTFW and
REDINPUT chains, which contains all the firewall rules which can be
created by using the web user interface.
The massively improvement of GeoIP-block can be found while create new
firewall rules by using the "firewall.cgi". Here you can find the
counties or previously created country goups and can be selected as
"Source" or "Target" for any kind of rules.
The rules which are created here, also will be displayed in the rules
overview.
Best regards,
-Stefan
>
> _______________________________________________
> Development mailing list
> Development(a)lists.ipfire.org
> http://lists.ipfire.org/mailman/listinfo/development
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
parent reply other threads:[~2015-03-14 15:55 UTC|newest]
Thread overview: expand[flat|nested] mbox.gz Atom feed
[parent not found: <DUB120-W15F037C7A20A9A80D76AD39C070@phx.gbl>]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1426348527.3076.469.camel@ipfire.org \
--to=stefan.schantl@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox