This feature is not available on Firewalla Red.
What is Geo-IP Filtering?
Firewalla lets you create blocking rules that block connections to and from a geographic location. This is useful if you want to prevent your network from talking to IP addresses in another country, and it can be an effective way to stop attackers from reaching your home and business networks.
The location of a connection is determined from its IP address. The list of IP addresses belonging to each region is managed by Firewalla Cloud and updated in real time.
How to use it?
You can manually create a blocking rule for any region. The number of regions you can block depends on the model:

| | Red | Blue | Blue Plus/Purple | Gold |
|---|---|---|---|---|
| Number of regions supported | - | up to 3 | up to 10 | no limit |
Follow these steps to create a rule:
- Tap "Rules" on the Box main page, then tap "+" to create a blocking rule.
- Select Block Target -> Region, choose the region you want to block, and tap "Done".
- Select the device (or all devices) the rule applies to.
- Save the blocking rule.
Why do I still see traffic from the blocked region?
The geolocation of an IP address changes constantly, and Firewalla does its best to keep up with those changes. If you see an IP from a blocked region only once, there is a good chance that everything is working as intended.
Can I block all countries and only allow "USA"?
You can, but you shouldn't. Here is why:
- Firewalla regional blocks are based on IP address locations, and IP-to-location information is never perfectly accurate (IP ranges and their locations move around). When this information is wrong, you may end up blocking the wrong regions.
- The internet is distributed, and important sites may be hosted in another country. For example, shopify.com, which hosts many e-commerce stores, is Canadian; if you block Canada, you will likely block firewalla.com as well. The same goes for many streaming and cache servers.
- Firewalla already has an ingress firewall that blocks all incoming traffic from everywhere, so you do not need to worry about outside-to-inside traffic. See https://help.firewalla.com/hc/en-us/articles/360049856394-How-to-Secure-Your-Network-with-Firewalla-Part-3-Protect
- If you do want to block egress (inside-to-outside) traffic, we strongly recommend that you NOT block the entire world; it will cause problems on your network.
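To make the rule semantics above concrete (region lookup by IP, rule direction, the per-model region limit from the table, and why a "block every country except one" policy cuts off sites hosted abroad), here is an added Python model. It is not Firewalla's code; the prefix table, the rule-evaluation order and the default actions are assumptions built from the article's description.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed region -> prefix table (RFC 5737 documentation ranges), standing in
# for the Firewalla Cloud list; the real list is far larger and changes constantly.
REGION_PREFIXES = {
    "US": ["203.0.113.0/24"],
    "CA": ["198.51.100.0/24"],   # stands in for a Canadian-hosted store
    "IT": ["192.0.2.0/24"],
}
# Maximum number of region rules per model, from the article's table.
REGION_LIMITS = {"Red": 0, "Blue": 3, "Blue Plus/Purple": 10, "Gold": None}

@dataclass
class Rule:
    action: str     # "block" or "allow"
    region: str     # region code
    direction: str  # "inbound", "outbound" or "both"

def region_of(ip: str) -> Optional[str]:
    """Return the region an address currently maps to, or None if unclassified."""
    addr = ipaddress.ip_address(ip)
    for region, prefixes in REGION_PREFIXES.items():
        if any(addr in ipaddress.ip_network(p) for p in prefixes):
            return region
    return None

def fits_model(model: str, rules: list) -> bool:
    """Check the number of distinct regions in a rule set against the model's limit."""
    limit = REGION_LIMITS[model]
    return limit is None or len({r.region for r in rules}) <= limit

def evaluate(rules: list, remote_ip: str, direction: str) -> str:
    """First matching region rule wins (assumed order). With no match, the ingress
    firewall drops unsolicited inbound traffic and outbound traffic is allowed."""
    region = region_of(remote_ip)
    for rule in rules:
        if rule.region == region and rule.direction in ("both", direction):
            return rule.action
    return "block" if direction == "inbound" else "allow"

def block_all_except(keep: str, direction: str = "outbound") -> list:
    """The 'block every country except one' policy the article advises against."""
    return [Rule("block", r, direction) for r in REGION_PREFIXES if r != keep]

if __name__ == "__main__":
    rules = block_all_except("US")
    print(fits_model("Blue", rules))                     # True: only 2 regions used
    print(evaluate(rules, "198.51.100.10", "outbound"))  # block: Canadian host cut off
    print(evaluate(rules, "198.18.0.1", "outbound"))     # allow: unclassified IP slips past
```

The last call shows the accuracy caveat from the first bullet: an address the list has not (or wrongly) classified is simply not matched by any region rule.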
Comments
It would be better to block by region (North America, Europe, Asia, etc.) rather than by country. Even better would be to block everything except a region, so as to only allow North America, for instance.
@Todd
This is an interesting request. Do you want to use it for business or personal?
Blocking by region may generate too many ACLs in the box. Maybe Gold can do that.
Blocking everything except a region is a good idea; we are working on a whitelist feature, which will have better performance than the blacklist feature in your scenario.
Melvin
I am a home user. I had the RDP port open and was getting warnings constantly from all over the world. Blocking everything except a whitelist would have solved the issue, because I only want to access RDP from one IP address.
Makes sense.
For now, the workaround I can suggest is changing the port from the default 3389 to a higher port, such as 34589, which will significantly reduce the number of alarms, because the scanners usually only scan well-known ports.
Hi, can I piggyback on this request? I recently installed a Blue Firewalla on a small business network and it's working well so far, but I do think it would make sense to have a whitelist by region. It would use less memory on the device than maintaining a massive list of country-specific IP addresses that need to be updated and blocked, and would allow for better protection, because in my case this is a small business doing work in the US only. They have no foreign clients or tech needs. I know attackers could just use a US endpoint VPN or run an attack from a compromised machine in the US, but those would be easier to monitor than attacks from anyone in the world.
@Christoph
The white list feature will be supported in the next release.
Melvin
Hi, I use the Geo-filtering, but I figured out that it only deals with outgoing streams.
I would like to prevent some regions from accessing my server behind my Firewalla (Gold). Is it possible to filter incoming streams as well?
Geo region blocks should be both ways.
If you see it is not blocking inward, please let us know via help@firewalla.com
Has the whitelist feature mentioned for "the next release" six months ago in fact been released? Is there any description of how that works? I'd like to block every country outside the US, as an example.
@mike, that feature has been there for a while. See https://help.firewalla.com/hc/en-us/articles/360049457753-Firewalla-Box-Release-1-970-Device-Groups-Allow-Rule-Domain-Blocking-and-More-
Look for "allow" rules.
Also, we seriously do not recommend blocking countries other than the US. It will likely create problems, as many servers are located in different places. For example, our store site is owned by Shopify, and the Shopify site is located in Canada ...
Sorry, to be clear I want to be able to block incoming traffic from all countries outside the US. I didn't think that would impact sessions with non-US servers I might visit ... would it? I have no need for any IP address outside the US trying to initiate an inbound connection to my private network. Will Firewalla Blue work for this?
Hello,
This is a great request. I would like to see bi-directional Geo-Location blocking, whether it be default Geo-Location blocking where you have to whitelist the Geo-Location you want, or allowing for mass selection of the Geo-Locations you want to block. Either way would be great for Firewalla Gold and possibly Blue Plus.
The rule logic is limited, so it seems not possible to allow USA only inbound for a port forward. I can create a rule to allow TCP 20000 to host X, or allow region USA to host X. With either rule in place along with the port forward = successful remote.
Not sure what allow region USA rule along with the port forward is accepting. Is this blanket allowing any incoming traffic?
The address 172.94.104.62 is in Italy but doesn't seem to be recognised by Firewalla as belonging to the Italian region.
My thoughts about the geo-blocking feature (and others):
I think (just guessing) what a lot of people want is the following:
Block any INCOMING connection from ANY country EXCEPT my own to open port xxx.
Stop processing rules if there is an incoming connection from ANY other country.
I think this would make the Firewalla a lot more versatile.
Hi Firewalla,
How about a better description of this function?
Or really mean a region when you say region!
Currently the choices are countries, not really regions.
Describe it correctly:
Countries are individual,
Regions are groups of countries.
When the hardware limits one to 3 or 10 selections, could you please add choices that really cover regions, such as North America, Europe, or Western Europe, Eastern Europe, Asia, etc.?
Or let the user create a larger encompassing area.
??????
Thank you for your consideration and response.
I agree with others and Mark on this request. I do this already with Sophos Firewall to only allow the United States on this port to come in and port forward to a server.