Note!
- The Location Block feature applies only to incoming connections, not to outgoing ones (i.e. connections initiated by a client on an internal network). You cannot block outgoing connections with it; block those by creating firewall rules instead.
- The original purpose of the Location Block feature was to reduce the volume of log messages on installations running on extremely cheap flash storage.
As of IPFire 2.25 - Core Update 148, GeoIP Block was renamed to Location Block. Read the IPFire blog post "A new location database for the Internet" for additional information.
The firewall engine can process IP addresses by their geographic location. This works because of a database that maps most IP addresses worldwide to geographic information. The technique is called Location Block (formerly known as GeoIP Block).
For example, when creating a firewall rule, the source and destination can be:
- single IP addresses or IP ranges (e.g. 89.96.0.0/16) or
- known network zones, such as GREEN or RED or
- VPN network zones or
- a country.
This makes it possible to offer certain services only to the desired countries, which can reduce the attack surface of the firewall and of the computers behind it. It is especially useful for mail servers, VPN servers and VoIP port forwards.
Location Block is accessible via the menu Firewall → Location Block. To block incoming connections, check Enable Location based blocking: and save this setting by clicking the Save button.
Then select the countries you want to block by ticking the box next to each one. When you are done, scroll to the end of the page and click Save. From then on, any incoming connection from those countries is dropped immediately, before the other firewall rules are evaluated, so even a port-forwarding rule that would otherwise allow it has no effect.
Make sure not to block countries your firewall must remain reachable from. This matters in particular for VoIP: the "content" (RTP media) of a telephone call is mostly transferred directly between the callers' public IPs, so it arrives as an incoming connection from the remote caller's country and is subject to Location Block.
In short: unless you do not use VoIP, or you know that your phone company routes the media traffic differently, you will be unreachable by phone from the countries you have blocked with Location Block.
You can export IP blocks by country from IP2Location Firewall and apply them in IPFire.
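Before enabling a block list it is worth checking offline which addresses it will actually drop, in particular the remote hosts you still need to talk to (a SIP trunk, a media endpoint, a partner's mail relay). The following is an added example, not IPFire's own code: it assumes a per-country export in the form `network,CC` (as IP2Location Firewall can produce) plus a set of blocked country codes, mirrors the "drop only when the country is known and selected" behaviour of Location Block, and shows what happens to an address that has no database entry at all. The prefixes are constructed sample data using RFC 5737 documentation ranges, not real allocations.

```python
"""Offline check of what an IPFire-style country block would drop.

Added example; this is not IPFire's own code.  It assumes a country export
in the form "network,CC" and a set of blocked country codes.  The prefixes
below are constructed sample data (RFC 5737 documentation ranges), not real
allocations.
"""
import ipaddress
from typing import Iterable, List, Optional, Set, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Table = List[Tuple[Network, str]]

# Constructed sample export.  A1 (anonymous proxies) and A2 (satellite
# providers) are the two pseudo-codes the page describes, not real countries.
SAMPLE_EXPORT = """\
# network,country
198.51.100.0/24,DE
203.0.113.0/24,CN
203.0.113.64/26,RU
192.0.2.0/25,A1
192.0.2.128/25,A2
"""


def parse_export(text: str) -> Table:
    """Parse "network,CC" lines, ignoring blanks and comments.

    Entries are sorted longest prefix first so that lookup() returns the most
    specific match (203.0.113.64/26 wins over 203.0.113.0/24).
    """
    table: Table = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        net, cc = (part.strip() for part in line.split(",", 1))
        table.append((ipaddress.ip_network(net, strict=True), cc.upper()))
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup(ip: str, table: Table) -> Optional[str]:
    """Return the country code for ip, or None if the database has no entry."""
    addr = ipaddress.ip_address(ip)
    for net, cc in table:
        if addr.version == net.version and addr in net:
            return cc
    return None


def would_drop(ip: str, table: Table, blocked: Set[str]) -> bool:
    """Mirror the LOCATIONBLOCK behaviour: drop only when the source country
    is known *and* selected.  An address without a database entry cannot match
    any country and is therefore not dropped ("Some IPs are not listed")."""
    cc = lookup(ip, table)
    return cc is not None and cc in blocked


def unreachable_peers(peers: Iterable[Tuple[str, str]], table: Table,
                      blocked: Set[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Remote hosts you still need to reach that the block list would cut off,
    e.g. the VoIP media endpoints the page warns about."""
    return [(name, ip, lookup(ip, table))
            for name, ip in peers if would_drop(ip, table, blocked)]


if __name__ == "__main__":
    table = parse_export(SAMPLE_EXPORT)
    blocked = {"CN", "RU", "A1"}
    for ip in ("203.0.113.7", "203.0.113.70", "192.0.2.5",
               "192.0.2.200", "10.0.0.1"):
        print(f"{ip:>16} -> {lookup(ip, table) or '??':>3}"
              f"  drop={would_drop(ip, table, blocked)}")
    # Hypothetical peers: a SIP trunk and a mail relay you must keep reachable.
    peers = [("sip-trunk", "203.0.113.70"), ("mail-relay", "198.51.100.9")]
    print("would become unreachable:", unreachable_peers(peers, table, blocked))
```

Note that `10.0.0.1` has no entry and is never dropped, whatever you select; that is the "not 100% complete" limitation below in practice, and it is also why Location Block cannot stand in for a reputation feed or an IPS.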
Limitations and special issues
There are some limitations of the whole Location Block technique. Some of them are permanent, others might be fixed in the future.
Anycast networks
Large companies such as Google host their servers in many different countries, mostly in their own data centers. Usually they do not say where those data centers are or which IPs they cover, and it is very difficult or even impossible to find out which Google server is answering your request. Announcing the same IP addresses from many locations in this way is called "anycast" and is used for load balancing, data center redundancy, etc.
This goes for other companies as well, including content-delivery-networks (CDNs), which are also acting worldwide in many cases.
Often, the Location Block database does not provide correct information about "anycast" IP addresses. Worse, it does not even tell you that "anycast" is in use behind an IP address. Instead, it returns a country, in case of Google it is "US".
Anonymous proxies and satellite providers
You might wonder why there are two groups that do not correspond to an existing country: A1 and A2.
Their purpose is to cover IP addresses that cannot be located physically. Currently there are two such groups:
- Anonymous Proxies - The group "A1" covers IP addresses with proxy functionalities, such as commercial or free VPN exit points, public web proxies or web redirectors, and some Tor relays.
- Satellite providers - "A2" lists IP ranges used by satellite providers. Since you can use a satellite connection (almost) anywhere in the world, it does not make sense to allocate them to a certain country.
Although both categories are not necessarily bad, they might be unwanted in some environments.
Location Block database ≠ reputation database
The Location Block database does not tell you whether an IP address is "good", "bad" or "ugly". Of course, some countries are known for spreading spam and malware, such as China. Therefore, if you have no relation to such a country, incoming connections from it might be unwanted.
But the Location Block database, as the title says, is not a reputation database. In other words, it is no replacement for running an Intrusion Prevention System (IPS). Do not forget to harden your clients and the firewall itself.
Some IPs are not listed
The database used by IPFire is not 100% complete. In some cases there is no corresponding entry for an address, and such an address cannot be matched by any country rule. Since the database is updated monthly, this is hopefully fixed in one of the newer versions.
Furthermore, the "A1" section is not complete, especially with respect to the Tor network. Some Tor relays are operated on changing IP addresses (dial-up IP ranges), and blocking those simply makes no sense. Others are not running in "exit" mode when checked and might therefore not be included. Blocking all anonymous users is not possible with the IPFire Location Block filter.
View Metrics for Location Block
To view the number of hits your firewall received from the countries you are blocking:
- Go to the "Firewall" menu and click "iptables"
- In the first "iptables" section, select "LOCATIONBLOCK" from the drop down list
- Click "Update"
A list of the countries blocked will be displayed along with a packet and byte count.
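The same counters can be collected from the shell, which is handy for graphing or alerting on them. The script below is an added example, not part of IPFire: it parses the text that `iptables -L LOCATIONBLOCK -v -n -x` prints (the data the Firewall → iptables page displays) and sums dropped packets and bytes per country. The rule format is an assumption: the country code is taken from the match options at the end of each DROP rule (a token such as `--src-cc CN` or `--match-set CN src`), and the listing embedded in the script is constructed sample output, not captured from a live system.

```python
"""Summarise LOCATIONBLOCK hits per country from iptables output.

Added example, not IPFire code.  Parses the output of
`iptables -L LOCATIONBLOCK -v -n -x` and reports packets/bytes dropped per
country.  The rule format is an assumption (country code as a token in the
match options at the end of each rule); SAMPLE_LISTING is constructed, not
captured from a live firewall.
"""
import re
import sys
from typing import Dict, List, Tuple

SAMPLE_LISTING = """\
Chain LOCATIONBLOCK (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    1342      80520 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            -m geoip --src-cc CN
      17       1020 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            -m geoip --src-cc RU
       0          0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            -m set --match-set A1 src
"""

# Two upper-case letters (ISO code) or a letter plus a digit (A1/A2 pseudo-codes).
COUNTRY_TOKEN = re.compile(r"^[A-Z][A-Z0-9]$")

Counts = Dict[str, Tuple[int, int]]  # country -> (packets, bytes)


def parse_listing(text: str) -> Counts:
    """Aggregate packet and byte counters of DROP rules by country code."""
    counts: Counts = {}
    for line in text.splitlines():
        fields = line.split()
        # Columns: pkts bytes target prot opt in out source destination extras...
        if len(fields) < 10 or not fields[0].isdigit():
            continue  # chain header, column header or blank line
        pkts, nbytes, target = int(fields[0]), int(fields[1]), fields[2]
        if target != "DROP":
            continue
        extras = fields[9:]
        cc = next((tok for tok in extras if COUNTRY_TOKEN.match(tok)), None)
        if cc is None:
            continue  # rule without a recognisable country match
        p, b = counts.get(cc, (0, 0))
        counts[cc] = (p + pkts, b + nbytes)
    return counts


def top_countries(counts: Counts, n: int = 5) -> List[Tuple[str, int, int]]:
    """Countries ordered by dropped packets, descending (code as tie-break)."""
    ranked = sorted(((cc, p, b) for cc, (p, b) in counts.items()),
                    key=lambda t: (-t[1], t[0]))
    return ranked[:n]


def total_dropped(counts: Counts) -> Tuple[int, int]:
    """Total (packets, bytes) dropped by the chain."""
    return (sum(p for p, _ in counts.values()),
            sum(b for _, b in counts.values()))


if __name__ == "__main__":
    # Read a real listing from stdin when piped; otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    counts = parse_listing(text)
    for cc, p, b in top_countries(counts):
        print(f"{cc}  {p:>10} packets  {b:>12} bytes")
    print("total:", total_dropped(counts))
```

On the firewall itself you would feed it live data with `iptables -L LOCATIONBLOCK -v -n -x | python3 locblock_hits.py` (the file name is your choice); run without a pipe it prints the sample. Because the counters are cumulative since the chain was last reset, compare two runs rather than a single value if you want a rate.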