One of my ipFire OpenVPN road warriors is going overseas, traveling to a country that I have blocked using Geolocation blocking in ipFire. If I set up a firewall rule that allows traffic to and from the user’s overseas IP address, will that take precedence over the Geolocation block, or do I have to open a Geolocation hole for the country in question?
From prior experience, I know that users can use OpenVPN from an overseas location if I unblock the country. Is that the only way I can allow OpenVPN access to work? It’s a big overseas country and the user will be there for a while. I’d like to think I could white-list an IP address while continuing to block many millions. Thanks.
Not with the location block.
My solution would be to remove said country from the location block.
Then make a firewall rule to block that country.
Then add exception for that device or OpenVPN.
The location Block works much faster since there is no need to check details.
You have to uncheck the country to make it work.
As a suggestion from experience:
Unblock the country as a whole and do not make rules to block and white-list again.
If you or your users are in a foreign country there is no guarantee that always the IP-Address stays the same, OpenVPN works as expected, routes are set right, etc.
You need access to the network sometimes really badly at least to parts of it and then you really have an environment/ a IP Address which is not white-listed and using TLS as an encryption might be enough in the time of need.
Thanks. I don’t know how to make a firewall rule to block a country. Instead, I’ll do as before; unblock the country, and rely on blocklists, IPS and firewall rules for protection from bad guys.
