From: Stefan Schantl
To: development@lists.ipfire.org
Subject: Re: Testing GeoIP based firewall
Date: Sat, 14 Mar 2015 16:55:27 +0100
Message-ID: <1426348527.3076.469.camel@ipfire.org>

Hello Blago Culjak,

a big thanks to you for testing the GeoIP-block feature and sharing your experience with us.

> Hello, been testing whole day, but I'm having some major trouble while
> doing so.
>
> 1. After enabling GeoIP, don't even select any country, apply rules, I
> can't connect to WUI or SSH from RED. At what position are GeoIP
> rules? Are they overriding rules made by Incoming Firewall Access?
>
> 2. Can the quick rules made in Firewall -> GeoIP block be visible in
> Firewall->Firewall Rules, so we can get a hang of it?
>
> 3. Seems that ping is working from RED, so you do not block ICMP in
> quick rules made in Firewall -> GeoIP?

Firewall rules are processed rule by rule, chain by chain, and the first rule which applies to a packet is used. The GEOIPBLOCK chain is located after the ICMPINPUT and the CONNTRACK chains. This still allows the system to receive and respond to ICMP packets on the red interface, which are required by various services to work properly. Processing GEOIPBLOCK after the CONNTRACK chain improves the firewall performance significantly and allows answer packets to be received for your clients in the internal network zones. Otherwise it would not be possible to access websites or services which are hosted in a country that is selected in "geoip-block.cgi". This CGI script only provides an easy-to-set-up and globally valid block of incoming traffic to the IPFire system. This can be regarded as an extra benefit of GeoIP-block and as a separate feature.
Finally, the GEOIPBLOCK chain is processed before the INPUTFW and REDINPUT chains, which contain all the firewall rules that can be created by using the web user interface.

The massive improvement of GeoIP-block can be found while creating new firewall rules by using "firewall.cgi". Here you can find the countries or previously created country groups, which can be selected as "Source" or "Target" for any kind of rule. The rules which are created here will also be displayed in the rules overview.

Best regards,

-Stefan

> _______________________________________________
> Development mailing list
> Development(a)lists.ipfire.org
> http://lists.ipfire.org/mailman/listinfo/development
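The chain order described in the reply above, as an added illustration that is not part of this message or of IPFire's own ruleset: a small first-match model in Python with the chains ICMPINPUT, CONNTRACK, GEOIPBLOCK, INPUTFW and REDINPUT traversed in that order. It shows why a new SSH connection from a selected country is dropped by GEOIPBLOCK before the allow rule in INPUTFW is ever consulted, while ping and answer packets of connections opened from inside still pass. The blocked country codes "XA"/"XB", the WUI port 444, the rules placed in INPUTFW and the default policy DROP are assumptions for this example, not settings taken from the thread.

```python
"""Constructed first-match model of the chain order described in the reply.
Not IPFire's real iptables ruleset; country codes and ports are assumed."""
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

# Assumed: countries the administrator selected in geoip-block.cgi
# ("XA" and "XB" are placeholder codes, not real ISO assignments).
BLOCKED_COUNTRIES: Set[str] = {"XA", "XB"}

SSH_PORT = 22
WUI_PORT = 444  # assumed port of the web user interface in this example


@dataclass(frozen=True)
class Packet:
    iface: str                  # interface the packet arrives on, e.g. "red"
    proto: str                  # "tcp", "udp" or "icmp"
    src_country: str            # result of the GeoIP lookup on the source address
    dport: int = 0              # destination port (0 for icmp)
    established: bool = False   # True when conntrack already knows the connection


Match = Callable[[Packet], bool]
Rule = Tuple[str, Match]        # (verdict, match); verdict is "ACCEPT" or "DROP"


def build_chains(blocked: Set[str]) -> List[Tuple[str, List[Rule]]]:
    """Chains in the order the reply describes. Inside a chain the first
    matching rule decides; a chain without a match falls through to the next."""
    return [
        # ICMP on the red interface is handled before any GeoIP check
        ("ICMPINPUT", [
            ("ACCEPT", lambda p: p.iface == "red" and p.proto == "icmp"),
        ]),
        # answer packets of known connections are accepted early, so clients
        # behind the firewall can still reach servers in a blocked country
        ("CONNTRACK", [
            ("ACCEPT", lambda p: p.established),
        ]),
        # global block of new incoming traffic from the selected countries
        ("GEOIPBLOCK", [
            ("DROP", lambda p: p.iface == "red" and p.src_country in blocked),
        ]),
        # rules created through the web user interface (constructed set)
        ("INPUTFW", [
            ("ACCEPT", lambda p: p.iface == "red" and p.proto == "tcp" and p.dport == SSH_PORT),
            ("ACCEPT", lambda p: p.iface == "red" and p.proto == "tcp" and p.dport == WUI_PORT),
        ]),
        # nothing configured here in this example
        ("REDINPUT", []),
    ]


def filter_packet(pkt: Packet, blocked: Set[str] = BLOCKED_COUNTRIES) -> Tuple[str, str]:
    """Return (verdict, name of the chain that decided). A packet matched by no
    rule hits the default policy, which this model assumes to be DROP."""
    for chain, rules in build_chains(blocked):
        for verdict, match in rules:
            if match(pkt):
                return verdict, chain
    return "DROP", "POLICY"


if __name__ == "__main__":
    samples = {
        "ssh from blocked country":        Packet("red", "tcp", "XA", SSH_PORT),
        "ssh from other country":          Packet("red", "tcp", "ZZ", SSH_PORT),
        "ping from blocked country":       Packet("red", "icmp", "XA"),
        "reply from blocked country":      Packet("red", "tcp", "XA", 51000, established=True),
        "unknown port from other country": Packet("red", "tcp", "ZZ", 12345),
    }
    for name, pkt in samples.items():
        verdict, chain = filter_packet(pkt)
        print(f"{name:32s} -> {verdict:6s} ({chain})")
```

The same SSH packet is accepted once the blocked set is empty (`filter_packet(pkt, blocked=set())`), which is the only thing GEOIPBLOCK changes: it never adds allow rules, it only drops new connections from selected countries before INPUTFW and REDINPUT get to see them.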