Regional filtering is a vital feature that enables users to control Internet access based on geographic criteria. Individuals and organizations can manage which regions or countries their network traffic can interact with or be accessed from.
This feature serves various purposes, including enhancing network security by limiting exposure to certain regions known for cyber threats.
Regional Filtering with Firewalla
Firewalla provides two forms of regional filtering.
- Regional blocks at the IP layer (based on IP addresses) – Firewalla keeps a running database of each IP's location and can use this information to block IPs from certain regions.
- Top-Level Domain (TLD) blocks – Firewalla can use custom Target Lists or individual rules to block domains based on region.
Both forms of region blocks are bidirectional. That is, they will affect both ingress (incoming) and egress (outgoing) traffic.
Regional IP Blocks
To block regions at the IP layer, just create a rule blocking a certain region. Tap Rules on your box's main page and tap Add Rule. For the rule's target, tap Region, then select a region.
- Regional IP blocks are based on IP address, so it doesn't matter what the domain is. For example, firewalla.com represents a US-based company mapped to a Shopify domain. Since Shopify is Canadian, its IPs belong to Canada. If you block IPs from Canada, firewalla.com will be blocked.
- IP-to-location mappings may not always be accurate, so we advise you to block as few countries as possible. The more regions you block, the more problems and false positives you may experience.
- The geographic information of each IP address is always changing, so you may still see traffic from the blocked region from time to time.
- This feature is only available on Blue, Blue Plus, Purple, and Gold units. Blue units can block up to 3 regions, Blue Plus and Purple can block up to 10, and Gold has no limit.
Top-Level Domain (TLD) Country Blocks
To block regions based on domain, create a blocking rule for a domain suffix. For example, .nl is the suffix for domains based in the Netherlands. Enter the domain suffix in one of the following formats (using Netherlands as an example):
- *.nl
- .nl
- nl
To block multiple domain suffixes, you can create a Target List in Firewalla MSP or https://my.firewalla.com. Click Target List from the left navigation bar, then click Create Target List. Enter all your targets line by line. When entering suffixes in a Target List, you must enter each suffix in the format *.[suffix], e.g. *.nl. Click Create when you're done. You can use your new Target List when creating blocking rules in MSP or my.firewalla.com.
Firewalla will treat these strings as wildcards, meaning the rule will target all matching subdomains ending with this suffix. In the rules page, the target will just be shown as the plain suffix – the app will automatically remove *. for consistency. You can find each country's TLD here: https://en.wikipedia.org/wiki/Country_code_top-level_domain
Notes:
- Not all domains can be mapped to a country. For example, shopify.com is in Canada, but the domain isn't explicitly Canadian.
- TLD blocks are very broad, so they may block legitimate traffic needed to run your software or IoT devices. If you encounter issues after implementing a TLD block, consider making exceptions using allow rules.
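As an added illustration (not Firewalla's own code), the Python below normalizes the three accepted suffix formats into the plain suffix the Rules page displays and then matches domains on label boundaries, which is what lets `*.nl` cover every subdomain while keeping an entry like `top` from catching unrelated names such as example.stop. The exact matching behaviour is an assumption drawn from the description above; the sample domains are constructed.

```python
"""Suffix (TLD) block matching in the spirit of a Firewalla Target List.
Illustrative only: the rules below are inferred from the help text, where
'*.nl', '.nl' and 'nl' all mean "every domain ending in .nl"."""


def normalize_suffix(entry: str) -> str:
    """Accept '*.nl', '.nl' or 'nl' and return the canonical suffix 'nl'.
    Mirrors the app stripping the leading '*.' from the displayed target."""
    s = entry.strip().lower()
    if s.startswith("*."):
        s = s[2:]
    s = s.strip(".")
    # Reject empty entries and entries with empty labels such as 'co..uk'.
    if not s or any(not label for label in s.split(".")):
        raise ValueError(f"bad suffix entry: {entry!r}")
    return s


def build_block_set(entries) -> set:
    """Turn the raw lines of a Target List into a set of canonical suffixes."""
    return {normalize_suffix(e) for e in entries}


def is_blocked(domain: str, blocked: set) -> bool:
    """True when the domain or any parent domain equals a blocked suffix.
    Checking whole labels ('x.top' yes, 'x.stop' no) avoids the false positive
    that a naive endswith() comparison would produce."""
    labels = domain.strip().lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def naive_is_blocked(domain: str, entries) -> bool:
    """Deliberately weak comparison kept only to show the false positive."""
    return any(domain.lower().endswith(normalize_suffix(e)) for e in entries)


if __name__ == "__main__":
    blocked = build_block_set(["*.nl", ".xyz", "top"])
    for d in ["www.example.nl", "example.XYZ.", "example.stop", "shopify.com"]:
        print(f"{d:18} blocked={is_blocked(d, blocked)}")
```

Note that shopify.com is not matched by any country suffix even though its servers are in Canada, which is the gap between TLD blocks and IP-layer regional blocks described in the notes above.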
TLD Risky Domains
TLDs can be used to block countries, but they can also block questionable businesses. Some domains to look out for include:
*.bar
*.bid
*.click
*.club
*.cricket
*.date
*.faith
*.gdn
*.lol
*.ninja
*.party
*.pw
*.racing
*.rocks
*.science
*.space
*.stream
*.tk
*.top
*.trade
*.wang
*.webcam
*.website
*.win
*.work
*.xxx
*.xyz
*.cfd
*.discount
*.loan
*.loans
*.ooo
*.sbs
*.zip
*.live
*.degree
*.rodeo
*.makeup
*.hair
*.zone
*.fyi
*.beauty
Disclaimer: This list (example) is just a suggestion that combines research from a few different sources (including Reddit). Please use it at your discretion.
According to BleepingComputer:
"Those that fair the worse [sic] in the ‘cumulative distribution’ category are .xyz, .icu, .ru, .cn, and tk. This means that most of the bad stuff circulating the web in terms of volume comes from these domains... " (source)
Note: not all domains that have a suspicious suffix are necessarily dangerous. Use TLD blocking at your discretion, and remember that you may need to access domains with a risky suffix occasionally.
Can I block all countries and only allow traffic from the USA?
You can, but you shouldn't. Here is why:
- The Internet is distributed globally, so blocking everything will cause issues.
- Important sites may be based in countries you don't expect. For example, shopify.com, which supports many e-commerce stores, is Canadian. If you block Canada, you will block firewalla.com (and many other shopping sites).
- IP-to-location information changes frequently. If this info is outdated or wrong, you may occasionally block regions you didn't mean to block.
- Firewalla has a built-in ingress firewall that blocks all incoming traffic, so you never have to worry about traffic from the outside breaking into your network.
Comments
It would be better to block by region (North America, Europe, Asia, etc.) rather than by country. Even better is to block everything except a region, so only allow North America, for instance.
@Todd
This is an interesting request. Do you want to use it for business or personal?
Blocking by region may generate too many ACLs in the box. Maybe Gold can do that.
Blocking everything except a region is a good idea. We are working on a whitelist feature, which will have better performance than the blacklist feature in your scenario.
Melvin
I am a home user. I had the RDP port open and was getting warnings constantly from all over the world. Block everything except a white list would have solved the issue because I only want to access the RDP from one IP address.
Makes sense.
For now, the workaround I can suggest is changing the port from the default 3389 to a higher port, such as 34589, which will significantly reduce the number of alarms, because the scanners usually only scan well-known ports.
Hi, can I piggyback on this request? I recently installed a Blue Firewalla on a small business network and it's working well so far, but I do think it would make sense to have a whitelist by region. It would use less memory on the device than maintaining a massive list of country-specific IP addresses that need to be updated and blocked, and would allow for better protection because in my case this is a small business doing work in the US only. They have no foreign clients or tech needs. I know attackers could just use a US-endpoint VPN or run an attack from a compromised machine in the US, but those would be easier to monitor than attacks from anyone in the world.
@Christoph
The white list feature will be supported in the next release.
Melvin
Hi, I use the Geo-filtering but I figured out that it only deals with outgoing streams.
I would like to prevent some regions from accessing my server behind my Firewalla (Gold). Is it possible to filter incoming streams as well?
Geo region blocks should be both ways.
If you see it is not blocking inward, please let us know via help@firewalla.com
Has the white list feature mentioned for "the next release" from six months ago been in fact released? Is there any description of how that works? I'd like to block every country outside the US as an example.
@mike, that feature has been there for a while. See https://help.firewalla.com/hc/en-us/articles/360049457753-Firewalla-Box-Release-1-970-Device-Groups-Allow-Rule-Domain-Blocking-and-More-
Look for "allow" rules.
Also, we seriously do not recommend blocking countries other than the US. It will likely create problems, as many servers are located in different places. For example, our store site is owned by Shopify, and the Shopify site is located in Canada ...
Sorry, to be clear I want to be able to block incoming traffic from all countries outside the US. I didn't think that would impact sessions with non-US servers I might visit ... would it? I have no need for any IP address outside the US trying to initiate an inbound connection to my private network. Will Firewalla Blue work for this?
Hello,
This is a great request. Would like to see Bi-Directional Geo-Location blocking, whether it be default Geo-Location blocking where you have to whitelist the Geo-Location you want, or allowing mass selection of the Geo-Locations you want to block. Either way will be great for Firewalla Gold and possibly Blue Plus.
The rule logic is limited, so it seems not possible to allow USA only inbound for a port forward. I can create a rule to allow TCP 20000 to host X, or allow region USA to host X. With either rule in place along with the port forward = successful remote.
Not sure what allow region USA rule along with the port forward is accepting. Is this blanket allowing any incoming traffic?
The address 172.94.104.62 is in Italy but doesn't seem to be recognised by Firewalla as belonging to the Italian region.
My thoughts about the geo-blocking feature (and others):
I think (just guessing) what a lot of people want is the following:
Block any INCOMING connection from ANY country EXCEPT my own to open port xxx.
Stop processing rules if there is an incoming connection from ANY other country.
I think this would make the Firewalla a lot more versatile.
Hi Firewalla,
How about a better description of this function.
Or really meaning a region when you say region!
Currently choices are countries, not really a region.
Describe it correctly:
Countries are individual,
Regions are groups of countries.
When the hardware limits one to 3 or 10 selections -
Could you please add choices that really cover regions- such as North America , Europe, or Western Europe, Eastern Europe, Asia, etc.
Or let the user create a larger encompassing area .
??????
Thank you for your consideration and response.
I agree with others and Mark on this request. I do this already with Sophos Firewall to only allow the United States on this port to come in and port forward to a server.
The world seems to be dividing into a few actual regions: The West, The Middle, and The Authoritarians. That last list might include:
Russia, China, North Korea, Iran, Belarus, Cuba.
I would LOVE to have a single click button to block all traffic from that list.
Would like to be able to multi-select the places with a checkbox so many blocks can just go into one rule.