Geo-IP Filtering

15 comments

  • Todd Haehn

    It would be better to block by region (North America, Europe, Asia, etc.) rather than by country. Even better would be to block everything except a region, so that only North America is allowed, for instance.

    4
  • Support Team

    @Todd

    This is an interesting request. Do you want to use it for business or personal use?

    Blocking by region may generate too many ACLs on the box. Maybe Gold can do that.

    Blocking everything except a region is a good idea; we are working on a white list feature, which will have better performance than a black list feature in your scenario.

    Melvin

    0
  • Todd Haehn

    I am a home user. I had the RDP port open and was getting warnings constantly from all over the world. Blocking everything except a white list would have solved the issue, because I only want to access RDP from one IP address.

    0
  • Support Team

    Makes sense.

    For now, the workaround I can suggest is changing the port from the default 3389 to a higher port, such as 34589, which will significantly reduce the number of alarms, because the scanners usually only scan well-known ports.

    0
  • Christoph Binder

    Hi, can I piggyback on this request? I recently installed a Blue Firewalla on a small business network and it's working well so far, but I do think it would make sense to have a whitelist by region. It would use less memory on the device than maintaining a massive list of country-specific IP addresses that need to be updated and blocked, and it would allow for better protection, because in my case this is a small business doing work in the US only. They have no foreign clients or tech needs. I know attackers could just use a US-endpoint VPN or run an attack from a compromised machine in the US, but those would be easier to monitor than attacks from anyone in the world.

    2
  • Support Team

    @Christoph

    The white list feature will be supported in the next release.

    Melvin

    0
  • Bertrand Florat

    Hi, I use the geo-filtering, but I figured out that it only deals with outgoing streams.

    I would like to prevent some regions from accessing my server behind my Firewalla (Gold). Is it possible to filter incoming streams as well?

    0
  • Firewalla

    Geo region blocks should be both ways.

    If you see it is not blocking inward, please let us know via help@firewalla.com

    0
  • Mike

    Has the white list feature mentioned for "the next release" six months ago in fact been released? Is there any description of how that works? I'd like to block every country outside the US, as an example.

    0
  • Firewalla

    @mike, that feature has been there for a while. See https://help.firewalla.com/hc/en-us/articles/360049457753-Firewalla-Box-Release-1-970-Device-Groups-Allow-Rule-Domain-Blocking-and-More-

    Look for "allow" rules.

    Also, we seriously do not recommend blocking countries other than the US. It will likely create problems, as many servers are located in different places. For example, our store site is owned by Shopify, and the Shopify site is located in Canada ...

    0
  • Mike

    Sorry, to be clear, I want to be able to block incoming traffic from all countries outside the US. I didn't think that would impact sessions with non-US servers I might visit ... would it? I have no need for any IP address outside the US to initiate an inbound connection to my private network. Will Firewalla Blue work for this?

    0
  • CYSecHD

    Hello,

    This is a great request. I would like to see bi-directional Geo-Location blocking, whether it be default Geo-Location blocking where you have to white list the Geo-Locations you want, or allowing mass selection of the Geo-Locations you want to block. Either way would be great for Firewalla Gold and possibly Blue Plus.

    0
  • Mike

    The rule logic is limited, so it seems not possible to allow USA-only inbound for a port forward. I can create a rule to allow TCP 20000 to host X, or allow region USA to host X. With either rule in place along with the port forward, remote access is successful.

    Not sure what the allow region USA rule along with the port forward is accepting. Is this blanket-allowing any incoming traffic?

    0
  • sk0rp10

    The address 172.94.104.62 is in Italy but doesn't seem to be recognised by Firewalla as belonging to the Italian region.

    0
  • Mark

    My thoughts about the geo-blocking feature (and others):

    • I would like to see an "incoming" and "outgoing" traffic checkbox.
    • It would be great to be able to choose actual regions like Europe, US, etc.
    • I would like a blacklist (block every region except the ones you specify).
    • It would be great to have a rule priority system and a "stop processing rules" checkbox.
    • The option to use dynamic lists (like an https site with a .txt list of known malware sites).

    I think (just guessing) what a lot of people want is the following:

    Block any INCOMING connection from ANY country EXCEPT my own to open port xxx.

    Stop processing rules if there is an incoming connection from ANY other country.

    I think this would make the Firewalla a lot more versatile.

    0
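The policy that Mike ("allow USA only inbound for a port forward") and Mark ("block any incoming connection from any country except my own to an open port, then stop processing rules") describe, written out as a small first-match rule evaluator. This is an added example for the thread, not Firewalla's code or its rule engine; the prefix-to-country table, the rule list, the forwarded port and the sample flows are all constructed for the demo and are not real address allocations. It also shows why an inbound-only allow-list does not break browsing to a server in a non-listed country: the LAN-initiated session is matched by the outbound rule, and an unmapped source address (like the Italian one reported above) falls through to the drop rule rather than being allowed.

```python
"""First-match evaluator for an inbound-only geo allow-list (example, not Firewalla's code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed geo table (hypothetical data, documentation prefixes): prefix -> ISO country code.
GEO_TABLE = [
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("203.0.113.0/24"), "IT"),
    (ipaddress.ip_network("192.0.2.0/24"), "CA"),
]


@dataclass(frozen=True)
class Flow:
    direction: str   # "in": new connection WAN -> LAN; "out": connection LAN -> WAN
    src: str         # remote peer address
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "drop"
    direction: str                  # "in", "out" or "any"
    country: Optional[str] = None   # None matches any country; "?" matches unmapped addresses
    dst_port: Optional[int] = None  # None matches any port

    def matches(self, flow: Flow, cc: Optional[str]) -> bool:
        if self.direction != "any" and self.direction != flow.direction:
            return False
        if self.dst_port is not None and self.dst_port != flow.dst_port:
            return False
        if self.country is not None and self.country != (cc or "?"):
            return False
        return True


def country_of(ip: str) -> Optional[str]:
    """Return the country of the first prefix containing ip, or None if unmapped."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE:      # constructed table is disjoint, so first hit is the only hit
        if addr in net:
            return cc
    return None


# Ordered policy: the first matching rule wins and processing stops there.
#  1. inbound to the (hypothetical) forwarded port 3389 from the home country: allow
#  2. inbound to that port from any other country, unmapped sources included: drop
#  3. every other inbound connection: drop (no forward exists for it)
#  4. outbound: allow; replies to LAN-initiated sessions belong to that session,
#     so a server in CA stays reachable although CA is not allow-listed inbound
POLICY = [
    Rule("allow", "in", country="US", dst_port=3389),
    Rule("drop", "in", dst_port=3389),
    Rule("drop", "in"),
    Rule("allow", "out"),
]


def decide(flow: Flow, policy=POLICY) -> str:
    cc = country_of(flow.src)
    for rule in policy:
        if rule.matches(flow, cc):
            return rule.action
    return "drop"   # default deny if no rule matched


# Constructed sample flows and the verdict each should receive.
SAMPLE_FLOWS = [
    Flow("in", "198.51.100.7", 3389),   # US -> forwarded port: allow
    Flow("in", "203.0.113.9", 3389),    # IT -> forwarded port: drop
    Flow("in", "100.64.0.1", 3389),     # unmapped source -> forwarded port: drop
    Flow("in", "198.51.100.7", 22),     # US, but nothing forwarded on 22: drop
    Flow("out", "192.0.2.5", 443),      # LAN host browsing a CA server: allow
]


def evaluate(flows=SAMPLE_FLOWS, policy=POLICY):
    """Apply the policy to each flow; returns (direction, src, dst_port, verdict) tuples."""
    return [(f.direction, f.src, f.dst_port, decide(f, policy)) for f in flows]


if __name__ == "__main__":
    for row in evaluate():
        print(row)
```

Rule order is the whole point: swapping rules 1 and 2 would drop the home-country connection too, which is the "stop processing rules" behaviour Mark asks for. Treating an unmapped address as "not home" is the safe default for an allow-list; a block-list built the other way round would silently let that same address through.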