Great Stefan, thanks for clearing that up.
So, I have set up a quick rule, and blocked 3 countries from that quick list (didn't use firewall.cgi). In these three countries I have servers, and I tried to connect to IpFire:444 from RED. Firewall blocked it properly.
But after 10-15 sec, I can't connect to IpFire:444 from RED from non-banned countries, and also can't connect from GREEN to 444, nor to port 222.
This blockage lasts for about 10 minutes; after that, I can connect once again. If this rule is not triggered, e.g. I connect from non-banned countries, my WUI interface works normally.
I can repeat this any time.
Here's my test system:
{ "profile": { "bogomips": 4001.42, "cpu": { "arch": "i686", "count": 2, "family": 6, "flags": [ "fpu", "vme", "de", "pse", "tsc", "msr", "pae", "mce", "cx8", "apic", "mtrr", "pge", "mca", "cmov", "pat", "pse36", "clflush", "dts", "acpi", "mmx", "fxsr", "sse", "sse2", "ss", "ht", "tm", "pbe", "nx", "lm", "constant_tsc", "arch_perfmon", "pebs", "bts", "aperfmperf", "pni", "dtes64", "monitor", "ds_cpl", "est", "tm2", "ssse3", "cx16", "xtpr", "pdcm", "lahf_lm", "dtherm" ], "model": 15, "model_string": "Intel(R) Core(TM)2 Duo CPU E4400 @ 2.00GHz", "speed": 2000.0, "stepping": 13, "vendor": "GenuineIntel" }, "devices": [ { "deviceclass": "60000", "driver": null, "model": "2770", "sub_model": "817a", "sub_vendor": "1043", "subsystem": "pci", "vendor": "8086" }, { "deviceclass": "60400", "driver": "pcieport", "model": "2771", "sub_model": "817a", "sub_vendor": "1043", "subsystem": "pci", "vendor": "8086" }, { "deviceclass": "40300", "driver": "snd_hda_intel", "model": "27d8", "sub_model": "8290", "sub_vendor": "1043", "subsystem": "pci", "vendor": "8086" }, { "deviceclass": "60400", "driver": "pcieport", "model": "27d0", "sub_model": "8179", "sub_vendor": "1043", "subsystem": "pci", "vendor": "8086" }, { "deviceclass": "60400", "driver": "pcieport", "model": "27d2", "sub_model": "8179", "sub_vendor": "1043", "subsystem": "pci", "vendor": "8086" }, { "deviceclass": "60400", "driver": "pcieport", "model": "27d4", "sub_model": "8179", "sub_vendor": "1043", "subsystem": "pci", "vendor": "8086" }, { "deviceclass": "c0300", "driver": "uhci_hcd", "model": "27c8", "sub_model": "8179", "sub_vendor": "1043", "subsystem": "pci", "vendor": "8086" }, { "deviceclass": "c0300", "driver": "uhci_hcd", "model": "27c9", "sub_model": "8179", "sub_vendor": "1043", "subsystem": "pci", "vendor": "8086" }, { "deviceclass": "c0300", "driver": "uhci_hcd", "model": "27ca", "sub_model": "8179", "sub_vendor": "1043", "subsystem": "pci", "vendor": "8086" }, { "deviceclass": "c0300", "driver": "uhci_hcd", "model": "27cb", "sub_model": "8179", "sub_vendor": "1043", "subsystem": "pci", "vendor": "8086" }, { "deviceclass": "c0320", "driver": "ehci-pci", "model": "27cc", "sub_model": "8179", "sub_vendor": "1043", "subsystem": "pci", "vendor": "8086" }, { "deviceclass": "60401", "driver": null, "model": "244e", "sub_model": "8179", "sub_vendor": "1043", "subsystem": "pci", "vendor": "8086" }, { "deviceclass": "60100", "driver": "lpc_ich", "model": "27b8", "sub_model": "8179", "sub_vendor": "1043", "subsystem": "pci", "vendor": "8086" }, { "deviceclass": "1018a", "driver": "ata_piix", "model": "27df", "sub_model": "8179", "sub_vendor": "1043", "subsystem": "pci", "vendor": "8086" }, { "deviceclass": "1018f", "driver": "ata_piix", "model": "27c0", "sub_model": "2601", "sub_vendor": "1043", "subsystem": "pci", "vendor": "8086" }, { "deviceclass": "c0500", "driver": "i801_smbus", "model": "27da", "sub_model": "8179", "sub_vendor": "1043", "subsystem": "pci", "vendor": "8086" }, { "deviceclass": "20000", "driver": "sundance", "model": "0200", "sub_model": "0201", "sub_vendor": "13f0", "subsystem": "pci", "vendor": "13f0" }, { "deviceclass": "20000", "driver": "r8169", "model": "8168", "sub_model": "3468", "sub_vendor": "7470", "subsystem": "pci", "vendor": "10ec" }, { "deviceclass": "20000", "driver": "atl2", "model": "2048", "sub_model": "8233", "sub_vendor": "1043", "subsystem": "pci", "vendor": "1969" }, { "deviceclass": "30000", "driver": null, "model": "0421", "sub_model": "0000", "sub_vendor": "0000", "subsystem": "pci", "vendor": "10de" }, { "deviceclass": null, "driver": "usb", "model": "0002", "subsystem": "usb", "vendor": "1d6b" }, { "deviceclass": null, "driver": "usb", "model": "0001", "subsystem": "usb", "vendor": "1d6b" }, { "deviceclass": null, "driver": "usb", "model": "0001", "subsystem": "usb", "vendor": "1d6b" }, { "deviceclass": null, "driver": "usb", "model": "0001", "subsystem": "usb", "vendor": "1d6b" }, { "deviceclass": null, "driver": "usb", "model": "0001", "subsystem": "usb", "vendor": "1d6b" }, { "deviceclass": "9/0/0", "driver": "hub", "model": "0001", "subsystem": "usb", "vendor": "1d6b" }, { "deviceclass": "9/0/0", "driver": "hub", "model": "0001", "subsystem": "usb", "vendor": "1d6b" }, { "deviceclass": "9/0/0", "driver": "hub", "model": "0001", "subsystem": "usb", "vendor": "1d6b" }, { "deviceclass": "9/0/0", "driver": "hub", "model": "0002", "subsystem": "usb", "vendor": "1d6b" }, { "deviceclass": "9/0/0", "driver": "hub", "model": "0001", "subsystem": "usb", "vendor": "1d6b" } ], "network": { "blue": true, "green": true, "orange": false, "red": true }, "system": { "kernel_release": "3.14.33-ipfire-pae", "language": "en", "memory": 1028032, "model": "System Product Name", "release": "IPFire 2.17 (i586) - core87", "root_size": 156290904, "vendor": "System manufacturer", "virtual": false } }, "profile_version": 0, "public_id": "48fdd3dea638e935dffbebc097457fdc7576a683" }
Subject: Re: Testing GeoIP based firewall
From: stefan.schantl@ipfire.org
To: development@lists.ipfire.org
Date: Sat, 14 Mar 2015 16:55:27 +0100
Hello Blago Culjak,
a big thanks to you for testing the GeoIP-block feature and sharing your experience with us.
> Hello, been testing whole day, but I'm having some major trouble while doing so.
> - After enabling GeoIP, don't even select any country, apply rules, I can't connect to WUI or SSH from RED. At what position are GeoIP rules? Are they overriding rules made by Incoming Firewall Access?
> - Can the quick rules made in Firewall -> GeoIP block be visible in Firewall->Firewall Rules, so we can get a hang of it?
> - Seems that ping is working from RED, so you do not block ICMP in quick rules made in Firewall -> GeoIP?
Firewall rules will be processed rule by rule, chain by chain, and the first rule which applies to a packet will be used.
The GEOIPBLOCK chain is located after the ICMPINPUT and the CONNTRACK chains.
This still allows the system to receive and respond to ICMP packets on the red interface, which is required by various services to work properly. Processing GEOIPBLOCK after the CONNTRACK chain improves the firewall performance significantly and allows receiving answer packets for your clients in the internal network zones. Otherwise it would not be possible to access websites or services which are hosted in a country which is selected in the "geoip-block.cgi". This CGI script only provides an easy-to-set-up and globally valid block of incoming traffic to the IPFire system. This can be regarded as an extra benefit of GeoIP-block and as a separate feature.
The GEOIPBLOCK chain will finally be processed before the INPUTFW and REDINPUT chains, which contain all the firewall rules which can be created by using the web user interface.
The massive improvement of GeoIP-block can be found when creating new firewall rules by using the "firewall.cgi". Here you can find the countries or previously created country groups, which can be selected as "Source" or "Target" for any kind of rule.
The rules which are created here will also be displayed in the rules overview.
Best regards,
-Stefan
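The chain order Stefan describes (ICMPINPUT, then CONNTRACK, then GEOIPBLOCK, then the WUI-managed INPUTFW/REDINPUT chains) is a first-match policy, and the consequences he lists follow directly from that order. The Python model below is an added illustration, not IPFire's code: each chain is reduced to a one-line stand-in with assumed contents (the block list "XX"/"YY"/"ZZ", the allowed ports 444 and 222, and the conntrack state are constructed sample data), and the packets are constructed. It shows why a ping from a blocked country is still answered, why replies to outbound connections from a blocked country are still accepted, why a WUI rule for port 444 cannot override the GeoIP block, and what would break if GEOIPBLOCK were moved in front of CONNTRACK.

```python
"""Simplified first-match model of the IPFire INPUT chain order
(ICMPINPUT -> CONNTRACK -> GEOIPBLOCK -> INPUTFW). Added illustration;
chain contents are assumed stand-ins, not the real iptables rules."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str     # "tcp", "udp" or "icmp"
    dport: int     # destination port (0 for icmp)
    country: str   # GeoIP country of the source address (constructed)
    state: str     # conntrack state: "NEW" or "ESTABLISHED"


# Constructed sample data: countries selected in geoip-block.cgi and
# ports opened via the WUI "Incoming Firewall Access" rules.
BLOCKED_COUNTRIES = {"XX", "YY", "ZZ"}
INPUTFW_ALLOWED_PORTS = {444, 222}


def icmpinput(p):
    """Assumed: ICMP is accepted so the system can be reached and respond."""
    return "ACCEPT" if p.proto == "icmp" else None


def conntrack(p):
    """Assumed: packets belonging to an already tracked connection are accepted."""
    return "ACCEPT" if p.state == "ESTABLISHED" else None


def geoipblock(p):
    """Assumed: new traffic from a selected country is dropped."""
    return "DROP" if p.country in BLOCKED_COUNTRIES else None


def inputfw(p):
    """Assumed: rules created in the WUI open specific TCP ports."""
    return "ACCEPT" if p.proto == "tcp" and p.dport in INPUTFW_ALLOWED_PORTS else None


# The order described in the thread; INPUTFW stands in for INPUTFW/REDINPUT.
CHAIN_ORDER = [
    ("ICMPINPUT", icmpinput),
    ("CONNTRACK", conntrack),
    ("GEOIPBLOCK", geoipblock),
    ("INPUTFW", inputfw),
]

# Hypothetical misordering used only to show why CONNTRACK must come first.
GEOIP_FIRST_ORDER = [CHAIN_ORDER[2], CHAIN_ORDER[0], CHAIN_ORDER[1], CHAIN_ORDER[3]]


def evaluate(p, chains=CHAIN_ORDER):
    """Walk the chains in order; the first chain returning a verdict wins.
    A packet no chain decides on falls through to the INPUT policy (DROP)."""
    for name, chain in chains:
        verdict = chain(p)
        if verdict is not None:
            return verdict, name
    return "DROP", "POLICY"


def demo():
    """Constructed packets covering each case discussed in the thread."""
    cases = {
        "ping from blocked country": Packet("icmp", 0, "XX", "NEW"),
        "reply from web server in blocked country": Packet("tcp", 443, "XX", "ESTABLISHED"),
        "new WUI connection from blocked country": Packet("tcp", 444, "XX", "NEW"),
        "new WUI connection from allowed country": Packet("tcp", 444, "DE", "NEW"),
        "new connection to unopened port": Packet("tcp", 8080, "DE", "NEW"),
    }
    return {label: evaluate(p) for label, p in cases.items()}


if __name__ == "__main__":
    for label, (verdict, chain) in demo().items():
        print(f"{label:45s} -> {verdict:6s} (decided in {chain})")
    p = Packet("tcp", 443, "XX", "ESTABLISHED")
    print("same reply with GEOIPBLOCK before CONNTRACK ->", evaluate(p, GEOIP_FIRST_ORDER))
```

The last line of the demo is the point of the thread's design note: with GEOIPBLOCK ahead of CONNTRACK, answer packets from a server in a selected country would be dropped and clients on GREEN could no longer reach sites hosted there. On a real system the actual chain order and hit counters can be inspected with `iptables -L INPUT -n -v --line-numbers`, which is the first thing to check when a lockout like the one reported above occurs.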
Development mailing list Development@lists.ipfire.org http://lists.ipfire.org/mailman/listinfo/development