OpenVPN & IPSec work for Roadwarrior (RW) access (ipfire v173), however I want to limit access only to two countries:
I set up two rules to allow OpenVPN & IPSec access via “Location Groups” for my country. To be sure that the rule works, selecting “DROP” in the rule doesn’t block the access…
My rule:
Source → Location: “GeoIP IPSec access” (defined in Location Group)
No NAT
Destination → Standard networks: IPSec RW (192.168.66.0/24)
Protocol: All (but tried also with “Services”: “IKEv2 ESP IP Protocols”)
DROP (for testing)
However in DROP mode I can log in from my iPhone (in 4G mode) to the IPSec network even when my country is selected in the Location drop down menu.
The source must be the local network. You want to prevent your RW users from connecting TO some Geo-localized IP range. The way you did it, you were preventing connections FROM those geo-localized regions TO the IP addresses of your RW users.
EDIT: keep in mind that if you are using Squid (proxy), blocking at the firewall level will not prevent your users from connecting to anywhere Squid connects. To control Squid access, there are the ACL lists.
If you want to prevent Squid from accessing a specific set of countries, in the source you need to put “firewall”.
Just to make sure I understand. You want to have a tunnel to your IPFire from your road warrior connections, and you want that these tunnels will not be able to connect to any IP not belonging to the two countries you care about, regardless of the protocol (mail, web etc.).
Yes right, only access from 2 countries.
But when enabling “Global Location Filter” to block all incoming connections then our Web-Server will not be accessible to other countries, right?
Well yes, give only 2 countries login access to the IPSec and OpenVPN tunnel.
The problem is when blocking all other countries in “Location Block” they will never access our Web-Server…
Maybe I’m paranoid, but does it make sense to do a GeoIP-access to IPSec or OpenVPN? Or are there any security risks when it’s open for everyone?
I am not so expert on the firewall rules but here is my 2 pence worth.
Normally any new traffic coming in without a forward rule will be blocked.
To make the OpenVPN/IPSec setup easier, when these services are enabled an automatic firewall rule allowing entry is set up early in the firewall chain.
Looking at the flow chart at the end of this wiki page https://wiki.ipfire.org/configuration/firewall/iptables
it seems that the OpenVPN and IPSec rules for forwarding cannot be overridden in the WUI firewall rules table as they occur earlier, although the GEOIPBLOCK seems to occur before the IPSec rules, so at least for IPSec the GEOIPBLOCK by country should have worked.
EDIT:
This diagram is a complete image and has not been updated, so it is missing some new additions. It might therefore not be 100% accurate.
Anyway, if my above thoughts are correct (and that is not guaranteed) then the best bet is to create iptables rules in one of the CUSTOM chains and put that into firewall.local, which gets implemented very early in the whole chain. https://wiki.ipfire.org/configuration/firewall/firewall-local
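An added example of the approach in the last reply (not code from this thread or from IPFire itself): a firewall.local that uses the CUSTOMINPUT chain so only two countries can reach the IPSec and OpenVPN listeners on RED. The RED interface name red0, the constructed country pair DE,CH, OpenVPN's default UDP port 1194 and the "-m geoip --src-cc" match syntax are assumptions.

```shell
#!/bin/sh
# Added example in the style of /etc/sysconfig/firewall.local: country-restrict the
# road-warrior VPN services before IPFire's built-in OpenVPN/IPsec accept rules run.
# Assumptions (not taken from the thread): RED interface is red0, the allowed
# countries DE,CH are a constructed sample, OpenVPN uses its default UDP 1194, and
# the kernel geoip match accepts "-m geoip --src-cc CC[,CC]" like the location filter.
RED_DEV="${RED_DEV:-red0}"
ALLOWED_CC="${ALLOWED_CC:-DE,CH}"
IPT="${IPT:-iptables}"

# Print (do not run) the two CUSTOMINPUT rules for one service.
#   $1 = -A (add) or -D (delete), $2 = protocol, $3 = destination port,
#   or "" for port-less protocols such as ESP.
# Rule 1 lets packets from the allowed countries RETURN to INPUT, where the
# built-in accept rule for the service still applies; rule 2 drops the rest.
vpn_geo_rules() {
    match="-i $RED_DEV -p $2"
    if [ -n "$3" ]; then
        match="$match --dport $3"
    fi
    echo "$IPT $1 CUSTOMINPUT $match -m geoip --src-cc $ALLOWED_CC -j RETURN"
    echo "$IPT $1 CUSTOMINPUT $match -j DROP"
}

# All road-warrior services: IKE, NAT-T, ESP and OpenVPN.
all_vpn_geo_rules() {
    vpn_geo_rules "$1" udp 500    # IKE
    vpn_geo_rules "$1" udp 4500   # IKE/ESP over UDP (NAT traversal)
    vpn_geo_rules "$1" esp ""     # native ESP, IP protocol 50, no port
    vpn_geo_rules "$1" udp 1194   # OpenVPN; adjust to the port set in the WUI
}

# Execute the printed commands; review them first with: all_vpn_geo_rules -A
apply_vpn_geo_rules() {
    all_vpn_geo_rules "$1" | sh
}

case "$1" in
    start)  apply_vpn_geo_rules -A ;;
    stop)   apply_vpn_geo_rules -D ;;
    reload) "$0" stop; "$0" start ;;
    *)      echo "Usage: $0 {start|stop|reload}" ;;
esac
```

Because CUSTOMINPUT is consulted before the service accept rules, packets from other countries never reach them, while GREEN/BLUE traffic is untouched since the rules match only the RED interface.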