Doubt with IPFire firewall rules

Hello all,

One of my firewall configurations was location block, and I say “was”
because I realized that if I set this for all countries, it affects
other rules in the firewall.

In this case, port forwarding rules. Common sense tells me that
this could be correct, since the reason to block incoming connections
from any country is precisely to reject connections.

If I’m right, any rule that means incoming traffic to any service in my
network must be set with location block disabled.

Is this normal? Am I right?

Not a developer, just a user. My guess would be that if you check all the sources in the location database and you block all of them, with no exceptions, no traffic included in the IP ranges of the database will reach you. If that database is extremely thorough (and I suspect it is), no traffic from almost anywhere will reach you.

Hi @feles

@cfusco is right. Any country blocked via Location Block will be stopped before you get to the Port Forward rules.

See about one third down on the following wiki page

https://wiki.ipfire.org/configuration/firewall/geoip-block

So you need to allow any country that you want to have an incoming connection allowed via Port Forwarding.

3 Likes

Thanks for your replies. As I see it, location block must be disabled either for all countries or specific ones in the case of port forwarding.

That is clearly stated in the wiki. I ended up with that conclusion too in an empirical way. Thank you.

3 Likes