GeoIP is not working after upgrade to 142

Hi

I’ve installed the new version available and enabled the GeoIP block. All countries have been selected to be blocked except for Italy.

Today I’ve discovered from Log-FW port that a lot of traffic comes from countries supposed to be blocked…
Where is the issue?
thanks
vincenzo

Hello
Did you re-validate your firewall rules?
Jerome

Ciao

as this was a complete re-installation from scratch…I had to re-create the rules…
thx

Just to clarify: do you see communication (in and out) with these countries, or only packets from them?
In the latter case, this is normal. The GeoIP filter on your side cannot influence the sender.

Hi Bernhard

Where can I see traffic (in/out) from the countries?

I’m quite new on IPF…and I need to learn…

thx

vincenzo

Hello Vincenzo,

Did you get it to work?
I blocked all countries, and it had no impact on web site access.
I must be missing a switch somewhere…

tx

Hi,

as mentioned at https://wiki.ipfire.org/configuration/firewall/geoip-block:

To block incoming connections by country, you don’t need to set up a firewall
rule anymore since there is a new page in the web interface now.

It is called “GeoIP block” and is accessible via “Firewall→GeoIP block”. To
block incoming connections via that page (of course it is possible to set
up a firewall group and block them via a firewall rule, as you did before),
check “Enable GeoIP based blocking” and save this setting by clicking at the
“Save” button.

The GeoIP block feature only applies to inbound connections. You cannot block
outgoing connections with it, please do so by creating firewall rules.

Thanks, and best regards,
Peter Müller

Hi

no, it is not working…

As far as I’ve understood from previous posts, GeoIP is not working anymore, as the company that maintains the free database of IPs is not willing to keep it free.

IPFire is working on its own, different solution, but I don’t know if and when this will be available.

@administrators: correct me if I understood differently…

thanks

Vincenzo

Hi,

GeoIP continues to work, however, the database underneath will become more and
more inaccurate as we are not capable of shipping the current version from MaxMind
any more.

We are working on libloc as a drop-in replacement, but there are still some
things to be done.

Thanks, and best regards,
Peter Müller

Hello,

I created a simple firewall rule:

Then rebooted,
and I can still go on baidu.com
and the connection monitor clearly shows that I’m exchanging data with China…

I will debug some more on another day…

This seems consistent with the rule you wrote.
IMHO you should write two rules.
Rule #1 : from green to red GeoIP: CN deny
Rule #2 : from red GeoIP: CN to green deny

Hello Mr. Pike

Your suggestion works, the rules below block China sites:

Thanks

FYI, the baidu page still works, the IP seems to be in the US (based on the connection monitor),
but pretty much whatever I click does not work anymore.
I will try to confirm this using the shell tools, it’s really hard to see new events in the logs from the web page.

Hi,

due to various reasons, we are no longer able to update the GeoIP database
by MaxMind (please refer to “On retiring the Maxmind GeoIP database” for
further information). A replacement, called libloc, is under active
development and will hopefully be ready soon.

In the meantime, the GeoIP database will become more and more inaccurate,
which is why some IP addresses might be located in a different country meanwhile;
I have not looked at Baidu in particular (they might be using a CDN in western
countries indeed).

By the way: If you do not have any port-forwarding rules in place, incoming
connections will always be dropped, no matter what the source IP address is. :wink:

Thanks, and best regards,
Peter Müller
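
An added example, not part of the original posts and not IPFire code: a simplified first-match model of the two directional rules suggested above, the default drop of unsolicited inbound connections, and a site answering from a US address. The zone names, rule fields and the address-to-country table are constructed for illustration.

```python
import ipaddress

# Constructed GeoIP table using documentation address ranges (not real allocations).
GEOIP = {
    ipaddress.ip_network("203.0.113.0/24"): "CN",
    ipaddress.ip_network("198.51.100.0/24"): "US",
}

def country(ip):
    """Country code for an address per the constructed table, or None."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP.items():
        if addr in net:
            return cc
    return None

# Simplified defaults (assumption): the LAN may initiate outbound connections,
# unsolicited inbound connections are dropped when no port forwarding exists.
DEFAULT = {("green", "red"): "ACCEPT", ("red", "green"): "DROP"}

def decide(rules, src_zone, dst_zone, remote_ip):
    """Verdict for the first packet of a new connection; first matching rule wins.
    Replies to an accepted connection are allowed by connection tracking."""
    for r in rules:
        if (r["src"], r["dst"]) == (src_zone, dst_zone) and country(remote_ip) == r["cc"]:
            return r["action"]
    return DEFAULT[(src_zone, dst_zone)]

# Rule #2 only: matches connections initiated from the internet side.
inbound_only = [{"src": "red", "dst": "green", "cc": "CN", "action": "DROP"}]
# Rule #1 and Rule #2 together, as suggested in the thread.
both = [{"src": "green", "dst": "red", "cc": "CN", "action": "DROP"}] + inbound_only

def report(rules):
    """Verdicts for three constructed connections under the given rule set."""
    return {
        "lan_to_cn": decide(rules, "green", "red", "203.0.113.10"),
        "cn_to_lan": decide(rules, "red", "green", "203.0.113.10"),
        "lan_to_us_cdn": decide(rules, "green", "red", "198.51.100.7"),
    }

if __name__ == "__main__":
    print("inbound rule only:", report(inbound_only))
    print("both rules:       ", report(both))
```

In this model an inbound-only rule leaves browsing from the LAN to a CN address untouched, and a site that answers from an address the database places in the US passes both rules.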

Hello Peter,

Thanks for the info,

FYI,
My main goal at the moment is to prevent web redirects to fraudulent pages from untrustworthy countries.

If I click on a link that brings me there, I want the router to block it.

Thanks

@mpayette don’t forget that rule order can make a lot of difference for the obtained behaviour instead of the desired one.
If you have any other rules configured in the firewall (the more there are, the more have to be considered), the performance in processing packets can change quite dramatically.