Profile Details

Recent updates
  • Joe Archibald
    Joe Archibald replied to a discussion, GeoIP Blocking

    I think that whitelisting would produce a smaller rule.

    The idea is to not block countries to all ports, but to block to specifics. For me, it is for Exchange. I need port 80 and 443 open for access to webmail and Remote Outlook.
    But I could see users wanting this to stop hacking on FTP servers, SSH, RDP, and others. You might want to lock it down to a specific IP range or your country.


    Block all on port 80
    Allow port 80 if country = US,CA,GB,XL

    I do this using another firewall product (Untangle), but I am moving back to ClearOS as I really like the email and content filtering.



    Right now I am working on a bash script to do this (I have echos to debug):


    #!/bin/bash
    # Define chain to allow a country
    # Usage: ./Allow-geoip.sh <country> <zone file with one CIDR per line>
    # The commands are only echoed so they can be checked before being run.

    echo "iptables -N Allow-Country-$1"
    while read -r y
    do
        echo "iptables -A Allow-Country-$1 -s $y -j ACCEPT "
    done < "$2"
    echo "iptables -A Allow-Country-$1 -j DROP"

    echo "iptables -A INPUT -p tcp --dport 80 -j Allow-Country-$1"


    Execute like:
    ./Allow-geoip.sh Canada ca.zone

    This will create a new chain called Allow-Country-Canada and create 4700 CIDR range entries (Canada zone file) to allow, like 216.181.240.0/21.

    I think that it would be lower resources on iptables to have 4700 whitelisted IP ranges than it would be to block 100s of thousands of ranges for multiple countries.

    I was going to do something similar on my Exchange server, but it seems like Windows Firewall doesn't process in order and the best you can do is block IPs.


    Thoughts?

    Joe
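
A fuller version of the generator this post describes, added here as an example and not Joe's script or ClearOS code: it validates each zone-file entry and loads the prefixes into an ipset (a standard companion to iptables) so the chain needs one match rule instead of one ACCEPT per range. It assumes ipset and iptables are installed and a zone file with one IPv4 CIDR per line, like ca.zone above; the sample zone file at the bottom is constructed.

```shell
#!/bin/sh
# Added example (not the post's script): same per-country allow chain for one
# TCP port, but every zone-file line is validated and the prefixes go into an
# ipset, so a packet costs one hash lookup instead of a 4700-rule linear walk.
# Assumes ipset/iptables are installed; only prints the commands for review.

# Return 0 if $1 is an IPv4 CIDR (a.b.c.d/n with octets <= 255 and n <= 32).
valid_cidr() {
  local ip len oldifs o
  case "$1" in */*) ;; *) return 1;; esac
  ip="${1%/*}"; len="${1#*/}"
  case "$len" in ''|*[!0-9]*|???*) return 1;; esac
  [ "$len" -le 32 ] || return 1
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*|????*) return 1;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# gen_geoip_allow COUNTRY ZONEFILE PORT: print ipset/iptables commands to stdout.
# Blank lines, comments and malformed entries are skipped (counts go to stderr).
gen_geoip_allow() {
  local country="$1" zone="$2" port="$3" ipset_name="geo-$1" line n=0 bad=0
  [ -r "$zone" ] || { echo "zone file not readable: $zone" >&2; return 1; }
  echo "ipset create $ipset_name hash:net -exist"
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%%#*}"          # drop trailing comments
    set -- $line                # word-split: trims whitespace, $1 is the entry
    [ $# -ge 1 ] || continue
    if valid_cidr "$1"; then
      echo "ipset add $ipset_name $1 -exist"; n=$((n+1))
    else
      bad=$((bad+1))
    fi
  done < "$zone"
  echo "iptables -N Allow-Country-$country"
  echo "iptables -A Allow-Country-$country -m set --match-set $ipset_name src -j ACCEPT"
  echo "iptables -A Allow-Country-$country -j DROP"
  echo "iptables -A INPUT -p tcp --dport $port -j Allow-Country-$country"
  echo "$n prefixes added, $bad malformed entries skipped" >&2
}

# Constructed sample zone file (not a real country zone) with two bad entries.
demo=$(mktemp)
printf '%s\n' '216.181.240.0/21' '# comment line' '10.0.0.0/8' 'not-a-cidr' '300.1.1.1/24' '192.0.2.0/24' > "$demo"
gen_geoip_allow Canada "$demo" 80
rm -f "$demo"
```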

  • Joe Archibald
    Joe Archibald started a new discussion, GeoIP Blocking

    GeoIP Blocking

    I can't find this anywhere in ClearOS, but I have used it on other firewall products.

    Block all traffic going to port xxx
    Allow traffic going to port xxx from 'country code' = US,CA,XL

    Whitelisting IP addresses with GeoIP is a great way of protecting Exchange servers, web/FTP servers, etc.

    Really wish ClearOS had the capability.

  • Joe Archibald
    Joe Archibald just registered on the site
  • Joe Archibald
    Joe Archibald unlocked the badge Newbie
    Newbie
    Congrats on registering on the site!