Blocking by ASN, GeoIP, Ipdeny

Hi there,

I am trying to tighten any holes in my firewall. I don't have any detailed instructions, just was told to "make sure nobody gets in".

I got some advice from a webhosting guy saying I should block the worst offenders by ASN number and also get whole IP blocks from IPdeny.

Is that something anyone is doing with IPFire?

Or is GeoIP / Country block sufficient?

IPDeny service seems to be out of commission.

Thank you for any suggestions :slight_smile:

this might help get you started:

and maybe this:

this might help with ASNs:

4 Likes

Hi,

please stay patient until Core Update 164. It will come with a feature to help you on this one… :slight_smile:

Strictly speaking, no.

Thanks to poor abuse handling, cyber criminals have an easy time abusing big legitimate infrastructures such as Google, Microsoft or Cloudflare (just to name a few) for hosting their C&C servers and distributing their malware. Virtually nobody can afford to block these infrastructures entirely.

Personally, I see the location-based blocking thing as some basic plausibility measure: if you know your network/users only need to talk to a couple of countries, why not block the rest and see if anybody complains? It is far from being failsafe, but it catches connections that are obviously implausible.

Also, I think filtering outgoing traffic is much more important than the inbound one - everybody does that, right? :slight_smile: This was one aspect of the Log4shell security vulnerability which really surprised me: To see how many organisations do not filter network traffic to the internet at all. Otherwise, the callbacks downloading malware would not have worked…

Thanks, and best regards,
Peter Müller

4 Likes
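As an added illustration of the "plausibility measure" idea from the reply above (this is example code written for this thread, not part of IPFire and not posted by anyone in the discussion): it parses country zone files in the one-CIDR-per-line format that ipdeny-style lists use, maps a destination address to a country, and classifies a connection as allowed, blocked, or needing review against a short list of countries your users legitimately talk to. The zone contents and the connection records are constructed sample data, not real country blocks; the function and variable names are my own.

```python
"""Destination plausibility check against country IP zone files.

Added example, not IPFire code. Assumes zone files are plain text with one
CIDR per line (the ipdeny-style layout). All CIDRs and connections below are
constructed sample data using documentation ranges, not real allocations.
"""
import ipaddress

# Constructed sample zone files keyed by ISO country code.
SAMPLE_ZONES = {
    "DE": "# constructed sample\n203.0.113.0/24\n198.51.100.0/25\n",
    "US": "198.51.100.128/25\n192.0.2.0/24\n",
}

# Constructed outbound connection records: (source, destination, port).
SAMPLE_CONNECTIONS = [
    ("192.168.1.20", "203.0.113.7", 443),    # inside DE zone
    ("192.168.1.21", "192.0.2.9", 8443),     # inside US zone
    ("192.168.1.22", "10.0.0.1", 53),        # not in any zone file
]


def parse_zone(text):
    """Parse a one-CIDR-per-line zone file.

    Blank lines and '#' comments are skipped; malformed lines are ignored so a
    single bad entry in a downloaded list does not abort the whole import.
    """
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue
    return nets


def build_index(zones):
    """Map country code -> list of networks for every zone file given."""
    return {cc: parse_zone(text) for cc, text in zones.items()}


def country_of(index, ip):
    """Return the country code whose zone contains ip, or None if unmatched."""
    addr = ipaddress.ip_address(ip)
    for cc, nets in index.items():
        if any(addr in net for net in nets):
            return cc
    return None


def classify(index, ip, allowed_countries):
    """Classify a destination: ('allow'|'block'|'review', country).

    An address absent from every zone file is reported for review rather than
    silently allowed or blocked, because the lists are never complete.
    """
    cc = country_of(index, ip)
    if cc is None:
        return ("review", None)
    return ("allow" if cc in allowed_countries else "block", cc)


def review_connections(index, allowed_countries, connections):
    """Apply classify() to (src, dst, port) records; returns one row each."""
    rows = []
    for src, dst, port in connections:
        decision, cc = classify(index, dst, allowed_countries)
        rows.append((src, dst, port, decision, cc))
    return rows


if __name__ == "__main__":
    idx = build_index(SAMPLE_ZONES)
    for row in review_connections(idx, {"DE"}, SAMPLE_CONNECTIONS):
        print("%s -> %s:%d  %s (%s)" % row)
```

The "review" outcome is the part worth keeping: a destination missing from every zone file is exactly the case where a country list gives no signal, and treating it as implicitly fine would quietly punch the hole the check was meant to find.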