the source must be the local network. You want to prevent your RW users from connecting TO some geo-localized IP range. The way you did it, you were preventing a connection FROM those geo-localized regions TO the IP addresses of your RW users.
EDIT: keep in mind that if you are using Squid (proxy), blocking at the firewall level will not prevent your users from connecting to anywhere Squid connects. To control Squid access, there are the ACL lists.
If you want to prevent Squid from accessing a specific set of countries, in the source you need to put “firewall”.
Just to make sure I understand. You want to have a tunnel to your IPFire from your road warrior connections, and you want these tunnels to not be able to connect to any IP not belonging to the two countries you care about, regardless of the protocol (mail, web, etc.).
Well yes, give only 2 countries login access to the IPSec and OpenVPN tunnel.
The problem is that when blocking all other countries in “Location Block”, they will never access our Web-Server…
Maybe I’m paranoid, but does it make sense to do GeoIP access control for IPSec or OpenVPN? Or are there any security risks when it’s open for everyone?
I am not much of an expert on the firewall rules, but here is my 2 pence worth.
Normally any new traffic coming in without a forward rule will be blocked.
To make the OpenVPN/IPSec setup easier, when these services are enabled an automatic firewall rule allowing entry is set up early in the firewall chain.
Looking at the flow chart at the end of this wiki page https://wiki.ipfire.org/configuration/firewall/iptables,
it seems that the OpenVPN and IPSec rules for forwarding cannot be overridden in the WUI firewall rules table as they occur earlier, although the GEOIPBLOCK seems to occur before the IPSec rules, so at least for IPSec the GEOIPBLOCK by country should have worked.
This diagram is a complete image and has not been updated, so it is missing some new additions. It might therefore not be 100% accurate.
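The two points raised in this thread, that the geo range must be the rule's destination rather than its source when the goal is to stop road-warrior clients reaching it, and that an ACCEPT placed earlier in the chain (like the automatic OpenVPN/IPSec rule) wins over a later DROP, come down to first-match evaluation. The following is an added illustration, not IPFire's own code or its real chain layout: a minimal first-match chain simulator. The subnets, rule names and chain orderings are constructed sample values (RFC 5737 documentation ranges) chosen only to show the behaviour; the actual IPFire rule names and ordering are on the wiki page linked above.

```python
"""First-match firewall chain simulator (added example, not IPFire code).

Demonstrates two points from the thread:
1. Direction: a rule with the blocked country as SOURCE only stops that
   country reaching the road-warrior (RW) pool; to stop RW clients going
   TO the country, the country range must be the DESTINATION.
2. Order: whichever matching rule comes first in the chain decides, so an
   early automatic ACCEPT cannot be overridden by a later user DROP.
All networks and rule names below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One firewall rule matching on source/destination network (None = any)."""
    name: str
    action: str                       # "ACCEPT" or "DROP"
    src: Optional[IPv4Network] = None
    dst: Optional[IPv4Network] = None

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        src_ok = self.src is None or ip_address(src_ip) in self.src
        dst_ok = self.dst is None or ip_address(dst_ip) in self.dst
        return src_ok and dst_ok


def evaluate(chain: List[Rule], src_ip: str, dst_ip: str,
             policy: str = "DROP") -> Tuple[str, str]:
    """Walk the chain top-down and stop at the first matching rule, as
    iptables does; fall back to the chain policy if nothing matches."""
    for rule in chain:
        if rule.matches(src_ip, dst_ip):
            return rule.action, rule.name
    return policy, "policy"


# Constructed sample networks (RFC 5737 ranges), not real geo data.
RW_NET = ip_network("10.8.0.0/24")            # road-warrior VPN client pool
GEO_BLOCKED = ip_network("203.0.113.0/24")    # stand-in for a blocked country
FIREWALL_RED = ip_network("198.51.100.1/32")  # firewall's public address

# The mistake described in the first post: country range as SOURCE and the RW
# pool as DESTINATION. This only stops the country from reaching RW clients.
WRONG_DIRECTION = [
    Rule("geo-as-source", "DROP", src=GEO_BLOCKED, dst=RW_NET),
    Rule("rw-any-out", "ACCEPT", src=RW_NET),
]

# Corrected: RW pool as SOURCE, country range as DESTINATION.
RIGHT_DIRECTION = [
    Rule("rw-to-geo", "DROP", src=RW_NET, dst=GEO_BLOCKED),
    Rule("rw-any-out", "ACCEPT", src=RW_NET),
]

# Chain-order point from the last post: the same two rules, swapped.
# Rule names are illustrative, not IPFire's real chain names.
GEO_BEFORE_SERVICE_ALLOW = [
    Rule("GEOIPBLOCK", "DROP", src=GEO_BLOCKED),
    Rule("ipsec-auto-allow", "ACCEPT", dst=FIREWALL_RED),
]
SERVICE_ALLOW_BEFORE_GEO = [
    Rule("openvpn-auto-allow", "ACCEPT", dst=FIREWALL_RED),
    Rule("user-geo-drop", "DROP", src=GEO_BLOCKED),
]


def rw_client_to_blocked_country(chain: List[Rule]) -> Tuple[str, str]:
    """A road-warrior client (10.8.0.5) opening a connection into the blocked range."""
    return evaluate(chain, "10.8.0.5", "203.0.113.10")


def blocked_country_to_vpn_service(chain: List[Rule]) -> Tuple[str, str]:
    """A host in the blocked range trying to reach the firewall's VPN service."""
    return evaluate(chain, "203.0.113.10", "198.51.100.1")


if __name__ == "__main__":
    print("wrong direction :", rw_client_to_blocked_country(WRONG_DIRECTION))
    print("right direction :", rw_client_to_blocked_country(RIGHT_DIRECTION))
    print("geo drop first  :", blocked_country_to_vpn_service(GEO_BEFORE_SERVICE_ALLOW))
    print("allow first     :", blocked_country_to_vpn_service(SERVICE_ALLOW_BEFORE_GEO))
```

Running it shows the RW client's outbound connection slipping through the "wrong direction" chain and being dropped by the corrected one, and the same inbound packet from the blocked range being dropped when the geo rule precedes the service allow but accepted when the automatic allow comes first. Whenever a rule seems to have no effect, checking both the source/destination assignment and the rule's position relative to the automatic service rules is the first thing to verify.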