Firewall Log GeoIP blocking

Hi,

A question just to be sure: I’m using GeoIP Blocking for all countries but Germany.

Today, I’ve set up a new port forwarding to an internal server address, from interface red. (I know I could use the orange interface for this but it’s a very specific setup and the server behind is already performing some other tasks).

I’ve configured this port forwarding rule to write to the firewall log, too, for testing purposes and noticed that many entries have been written today. Not only those I expected from my tests but others too.

Because of active GeoIP blocking, can I rest assured that those access attempts from other countries are getting blocked as expected or will they reach the server in my LAN?

I’m a bit confused here because I would expect that GeoIP blocks before the port forwarding rule gets executed, hence no log entry should be written, IMO.

Michael


Did you take a read on this?

Thanks for this link! I’m still on core 139, which means this does not yet apply. OTOH, my database might be outdated of course.

Anyway, an outdated GeoIP database does not tell if a connection attempt is being blocked or not as shown in the screenshot above.

So the question is still: is an attempt being blocked before it could reach the internal server and why is the attempt still added to the log if it has been blocked beforehand?

DNAT is processed before the firewall because it changes the way through the firewall chains (INPUT or FORWARD).
The packets will still be caught by the GeoIP Block after the DNAT changes.
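
The ordering described in the reply above, as an added example that is not part of the original thread and not IPFire's own code: a simplified Python model of netfilter traversal for one inbound packet. It assumes the port forward's log rule sits beside the DNAT rule in nat/PREROUTING and the GeoIP block is evaluated afterwards in the filter table; the addresses, ports and country table are constructed.

```python
import ipaddress

# Constructed sample data (documentation prefixes), not a real GeoIP database.
GEO_DB = {"192.0.2.0/24": "DE", "198.51.100.0/24": "FR"}
BLOCKED = {"FR"}                      # every country in GEO_DB except DE
# Constructed port forward on red: port 8443 -> internal server, logging on.
PORT_FORWARD = {"dport": 8443, "to": ("192.168.1.10", 443), "log": True}


def country(src):
    """Look up the country code for a source address, or None if unknown."""
    ip = ipaddress.ip_address(src)
    for net, cc in GEO_DB.items():
        if ip in ipaddress.ip_network(net):
            return cc
    return None


def traverse(src, dport):
    """Walk one packet through nat/PREROUTING, routing, then the filter table.

    Returns (log_lines, verdict, chain).
    """
    log, forwarded = [], False
    # 1. nat/PREROUTING: the DNAT rule matches on the original destination
    #    port; its LOG rule fires here, before any filter rule has run.
    if dport == PORT_FORWARD["dport"]:
        if PORT_FORWARD["log"]:
            log.append(f"DNAT SRC={src} DPT={dport}")
        forwarded = True
    # 2. Routing decision: a rewritten destination sends the packet to FORWARD,
    #    an unchanged one (addressed to the firewall itself) to INPUT.
    chain = "FORWARD" if forwarded else "INPUT"
    # 3. filter table: the GeoIP block is evaluated only now.
    if country(src) in BLOCKED:
        return log, "DROP", chain
    if forwarded:
        return log, "ACCEPT", chain
    return log, "DROP", chain         # no rule allows this port on the firewall


if __name__ == "__main__":
    for src, port in [("198.51.100.7", 8443), ("192.0.2.5", 8443),
                      ("198.51.100.7", 22)]:
        print(src, port, traverse(src, port))
```

In this model the packet from the blocked country produces a log line and is still dropped before it reaches the internal server, so a log entry alone does not show that the connection got through.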

The database is by concept outdated. Any change in RIPE assignments which has been made during these 3 months has not been reported as effective for your DB.
For instance, some subnets of the Iliad provider were assigned to Italy because the French ISP/mobile telco opened services in Italy. This happened in May 2018 and it was necessary to wait a few months for RIPE and other services to assign the subnets to Italy instead of France. Any kind of change made in the RIPE database since January 2020 is not reported in your DB. For bad and for good.

Therefore, you cannot be sure, or assure anyone, that access attempts from other countries are getting blocked.
Moreover: with so many commercial VPN services available, in less than an hour I would be able to spoof the connection from Germany even if I am sitting on a Mallorca beach.

OK, thanks for your explanation and I was aware about this issue more or less. Anyway, this is primarily some appreciated information about the database itself, its content, source and usage, however this does not explain my initial question about when any blocking happens.

Nevertheless, @arne_f already posted an answer that applies.

Thank you both!

A notice would be handy on the configuration page for GeoIP Block.
So all users will be informed, also the ones that didn’t read this thread.

Whether I agree or not, maybe it should be suggested to the developers. Or pull a PR.