Just to clarify: do you see communication (in and out) with these countries, or packets from these only?
In the latter case, this is normal. The GeoIP filter on your side cannot influence the sender.
To block incoming connections by country, you don’t need to set up a firewall
rule anymore since there is a new page in the web interface now.
It is called “GeoIP block” and is accessible via “Firewall→GeoIP block”. To
block incoming connections via that page (of course it is possible to set
up a firewall group and block them via a firewall rule, as you did before),
check “Enable GeoIP based blocking” and save this setting by clicking the
“Save” button.
The GeoIP block feature only applies to inbound connections. You cannot block
outgoing connections with it; please do so by creating firewall rules.
As far as I’ve understood from previous posts, GeoIP is not working anymore, as the company responsible for maintaining the free database of IPs is not willing to keep it free.
IPFire is working on a different solution of its own, but I don’t know if and when this will be available.
@administrators: correct me if I understood differently…
GeoIP continues to work, however, the database underneath will become more and
more inaccurate as we are not capable of shipping the current version from MaxMind
any more.
We are working on libloc as a drop-in replacement, but there are still some
things to be done.
This seems consistent with the rule you wrote.
IMHO you should write two rules.
Rule #1 : from green to red GeoIP: CN deny
Rule #2 : from red GeoIP: CN to green deny
FYI, the Baidu page still works; the IP seems to be in the US (based on the connection monitor),
but pretty much whatever I click does not work anymore.
I will try to confirm this using the shell tools; it’s really hard to see new events in the logs from the web page.
Due to various reasons, we are no longer able to update the GeoIP database
by MaxMind (please refer to “On retiring the Maxmind GeoIP database” for
further information). A replacement, called libloc, is under active
development and will hopefully be ready soon.
In the meantime, the GeoIP database will become more and more inaccurate,
which is why some IP addresses might be located in a different country meanwhile;
I have not looked at Baidu in particular (they might be using a CDN in western
countries indeed).
By the way: If you do not have any port-forwarding rules in place, incoming
connections will always be dropped, no matter what the source IP address is.
@mpayette don’t forget that rule order can make a lot of difference between the obtained behaviour and the desired one.
If you have any other rules configured in the firewall (the more there are, the more have to be considered), the performance in processing packets can change quite dramatically.