Did I miss something or does GeoIP blocking only work on inbound traffic? It seems to me, especially with all of the filtering and malware/ransomware these days, that egress filtering is at least as important. I’ve been searching and I found some scripts that someone wrote to copy the inbound rules to outbound but this really needs to be a main feature. https://forum.ipfire.org/viewtopic.php?t=17212
Since you can control this traffic a lot better, you should simply configure the firewall to block everything and then open what you need to. Since GeoIP filters are inaccurate, you should do that with IP addresses or ranges.
1 Like
Hi,
just for the records: The reference documentation for creating firewall rules is available here. 
Using a country or a group of countries as a destination is supported and works out of the box.
Thanks, and best regards,
Peter Müller
2 Likes
I tried to deny all at one time and whitelisted countries as needed (back with Maxmind GeoIP) but even with whole countries in my whitelists they got pretty big. There are a lot of companies that have servers spread all over which doesnt help. So after that mess I tried just blocking the “top spammers”. While I agree that the deny all and create a whitelist method is better, it’s also a real pain, especially with GeoIP not being all that accurate like you mentioned. I cant imagine having to whitelist each net block I want to communicate with Maybe if someone was paying me but not at home. Do you have an article that suggest a set of minimum firewall rules? I deny all inbound and strictly filter any open ports but am talking about outbound filtering here with this post. It’s just another layer to prevent links for malware/phishing/ransomware from working. Thanks!
I saw your blog post Firewall configuration recommendations for IPFire users this morning. Thanks!
2 Likes