Hi admins and developers, so we are trying to harden our security, so far IPFire has been serving my frontend to my business for over 6 years now and all good.
I have been using Location Block for some time and it is great, however to take security to the next level I attempted to block all countries except UK and IRELAND. However I still required certain PUBLIC IPs to be able to send traffic in. So I added the STATIC IPs of these servers to the Whitelisted Hosts, unfortunately this did not work. Location Block seems to take overall control and override White List.
Is there any way to block countries but allow certain IP’s from those blocked countries to pass through or not?
Location Block does not have any whitelist option. You were probably using the whitelist for another function such as the IDS.
The Location Block is one of the first functions to be checked, so if it is blocked there it never gets to any later function or its whitelist.
However there is a way to do what you want.
First use location block to block all countries except the UK, Ireland and the countries containing the Public IP’s you want to whitelist.
Then create a Location Group under the Firewall Groups menu consisting of the countries containing the whitelist IP’s but excluding the UK and Ireland.
Then create a Host Group consisting of the IP’s that you want to whitelist.
Then create a firewall rule that Allows the whitelist Host Group followed afterwards in sequence number by a firewall rule that Drops the Location Group.
This way only those countries you want IP’s from are allowed through via the Location Block.
Then the IP’s you whitelist are allowed through if they match and then any IP’s that are not whitelisted but come from the countries you want to block will be dropped.
That should do what you want to achieve.
Hopefully my description is clear enough but if you run into any problems let us know.
Hi Adolf, thanks for the quick reply, I did mean the white list section at the bottom of IDS. I think I tried this way too, let me have a re-check on this. Also 2 of the IP’s I have are CIDRs on a /26, can I try to add them to a Host Group? It would not work, any ideas please?
If I understand you correctly you have some IP’s that are a range defined by aaa.bbb.ccc.ddd/26
Then you should create a Network Group with IP set at aaa.bbb.ccc.ddd and the netmask set at 255.255.255.192
So you would end up with two Network Groups and some Host groups from the individual IP’s.
Then you can combine both of those together with the Network/Host Groups button where you can create a group from the Host Groups and the Network Groups.
Then that combined group would be used in your Allow rule.
Ah OK, so I did this also but I could not get it working, but maybe from your first reply I need to set the rules in a certain order. Thanks for the help, I will give it a go and do some testing today.
Adolf !!! I think I have it working with your help !!! I think I may have misunderstood part of your reply. So here is what I have tested, using NORD VPN and connecting in from different countries to test.
FINLAND
Blocked Finland on main Location Page
Added Finland in the Location group and added to FR Rule
Added the Finland IP address to Hosts
Created rule below the first rule (LOCATION)
Then In IDS (White List) Added the IP to White List
I can reach our exchange server OWA now from Finland but only from that IP (Test)
I would not expect the sequence that you have listed to work.
With the first line blocking Finland on the main Location Block page, nothing from Finland should be allowed through.
I will try and create some simplified examples on my system so I can provide some screenshots for you to outline what I am suggesting but that will have to wait till sometime tomorrow now.
Okay here are the screenshots of what I am proposing you should try. All my screenshots just use made up IP’s so you will need to use your own IP’s and the same with the countries involved.
First step is the Location Block. Select All and then deselect UK and Ireland and the countries that you want to have whitelisted IPs from. Here I used Finland and France.
Then create a Location Group consisting of the countries that you are whitelisting IP’s from and that are not selected in the original Location Block. In this case that is Finland and France.
Now create your first firewall rule. This will allow whitelisted IP’s to be Port Forwarded to whatever service you want. In this case I used SFTP. Rule position needs to be 1 so that it is used first. Anything that passes this firewall rule will not be filtered by any following firewall rules.
Now create a second firewall rule that will Drop all traffic coming from Finland and France that was not accepted through the first rule for whitelisted IP’s.
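To make the ordering in the steps above (and in the earlier text reply about the /26 netmask) concrete, here is a small Python model of the evaluation order described in this thread: Location Block is checked first and is final, then the numbered firewall rules are tried in sequence with first match winning. This is an added example written for this page, not IPFire's own code or configuration; the country table, the IP addresses and the whitelist are constructed (RFC 5737 documentation ranges with made-up country assignments), and the default action for traffic no rule matches is a modelling assumption, not IPFire's documented policy.

```python
import ipaddress

# Constructed stand-in for the location database: made-up prefix -> country
# assignments using documentation ranges. Real lookups come from IPFire's database.
GEO = {
    ipaddress.ip_network("203.0.113.0/24"): "FI",
    ipaddress.ip_network("198.51.100.0/24"): "FR",
    ipaddress.ip_network("192.0.2.0/24"): "GB",
}

def country_of(ip):
    """Country code for an address, or 'XX' when the constructed table has no entry."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO.items():
        if addr in net:
            return cc
    return "XX"

def netmask_to_prefix(mask):
    """Dotted netmask -> prefix length, e.g. 255.255.255.192 -> 26 (the /26 case)."""
    return ipaddress.ip_network("0.0.0.0/" + mask).prefixlen

class Rule:
    """One numbered firewall rule: matches a source group (hosts/networks) or a Location Group."""
    def __init__(self, action, sources=(), countries=()):
        self.action = action                      # "ALLOW" or "DROP"
        self.sources = [ipaddress.ip_network(s) for s in sources]
        self.countries = set(countries)

    def matches(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in self.sources) or country_of(ip) in self.countries

def evaluate(ip, location_block, rules, default="DROP"):
    """Return (action, reason). Location Block runs first and is final; only traffic it
    lets through reaches the numbered rules, which are first-match. `default` is a
    modelling assumption for traffic that matches no rule."""
    cc = country_of(ip)
    if cc in location_block:
        return "DROP", "Location Block (%s)" % cc
    for pos, rule in enumerate(rules, 1):
        if rule.matches(ip):
            return rule.action, "rule %d" % pos
    return default, "no rule matched"

# Constructed whitelist: two single hosts and one /26 range (Host Group + Network Group).
WHITELIST = ["203.0.113.10/32", "198.51.100.7/32", "203.0.113.64/26"]
WHITELIST_COUNTRIES = {"FI", "FR"}   # the Location Group, UK and Ireland excluded

def recommended_setup():
    """Layout from the thread: Location Block leaves FI/FR open, ALLOW whitelist at
    position 1, DROP the FI/FR Location Group at position 2."""
    blocked = {"DE", "US", "RU"}   # stands in for "all countries except UK, IE, FI, FR"
    rules = [Rule("ALLOW", sources=WHITELIST), Rule("DROP", countries=WHITELIST_COUNTRIES)]
    return blocked, rules

def reversed_rules_setup():
    """Same rules in the wrong order: the DROP sits before the ALLOW."""
    blocked, rules = recommended_setup()
    return blocked, rules[::-1]

def finland_blocked_setup():
    """The test from the thread where Finland is also ticked on the Location Block page."""
    blocked, rules = recommended_setup()
    return blocked | {"FI"}, rules

def decide(setup, ip):
    blocked, rules = setup()
    return evaluate(ip, blocked, rules)[0]

if __name__ == "__main__":
    for setup in (recommended_setup, reversed_rules_setup, finland_blocked_setup):
        for ip in ("203.0.113.10", "203.0.113.70", "203.0.113.200", "198.51.100.9", "192.0.2.5"):
            print(setup.__name__, ip, evaluate(ip, *setup()))
```

Running it shows the three outcomes the thread walks through: with the recommended order the whitelisted hosts and the whole /26 are allowed while the rest of Finland and France is dropped by rule 2; swapping the two rules drops the whitelisted hosts before the ALLOW is ever reached; and ticking Finland on the Location Block page drops everything from Finland before any rule or whitelist is consulted.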