Blocking by ASN, GeoIP, Ipdeny

Hi there,

I am trying to tighten any holes in my firewall. I don't have any detailed instructions, I was just told to “make sure nobody gets in”.

I got some advice from a webhosting guy saying I should block the worst offenders by ASN number and also get whole IP blocks from IPdeny.

Is that something anyone is doing with IPFire?

Or is GeoIP / Country block sufficient?

IPDeny service seems to be out of commission.

Thank you for any suggestions :slight_smile:

this might help get you started:

and maybe this:

this might help with ASNs:

4 Likes

Hi,

please stay patient until Core Update 164. It will come with a feature to help you on this one… :slight_smile:

Strictly speaking, no.

Thanks to poor abuse handling, cyber criminals have an easy time abusing big legitimate infrastructures such as Google, Microsoft or Cloudflare (just to name a few) for hosting their C&C servers and distributing their malware. Virtually nobody can afford to block these infrastructures entirely.

Personally, I see the location-based blocking thing as some basic plausibility measure: If you know your network/users only need to talk to a couple of countries, why not block the rest and see if anybody complains? It is far from being failsafe, but catches connections that are obviously implausible.

Also, I think filtering outgoing traffic is much more important than the inbound one - everybody does that, right? :slight_smile: This was one aspect of the Log4Shell security vulnerability which really surprised me: To see how many organisations do not filter network traffic to the internet at all. Otherwise, the callbacks downloading malware would not have worked…

Thanks, and best regards,
Peter Müller

4 Likes

You can export the IP addresses by ASN using a free service at

1 Like

Hallo @alamak

Welcome to the IPFire community.

The function you are referring to is available directly from within IPFire

https://www.ipfire.org/docs/pkgs/location

The functionality is integrated into IPFire but is also available as a standalone function. This has been picked up by some Linux Operating Systems. You can install it in Arch Linux, Debian and Ubuntu. There may be some others but the above ones I am familiar with.

The links at the end of the above IPFire documentation give you more info about the functionality and some blog posts that highlight the history.

2 Likes