Location block confusion


I decided that my Ipfire no longer does connections to IPs from the US.
I enable the Location Block feature and enable checkbox US.
So, I restart the network and check my connections under the connections.cgi, but still many connections to IP addresses from US.
Now, I tried it with firewall rules.
First-> Source: Interface: All → Destination: Location US–>Protocol: All–> Drop
Second-> Source: Location: US → Destination: Firewall: Any -->Protocol: All–> Drop
Thirtd-> Source : Standard networks: Any → Destination: Location US → Protocol: All–> Drop

I thought with these rules should no connection possible in the US, but ipfire (black IP) do every time I restart the network established connection to two or three US Servers.
How is this possible?

Thank you!

I am not an expert on the iptables aspect but from what I have seen and read over time in the forum I believe that the following is what you are experiencing.

First the Location Block only applies to incoming traffic. It does not operate at all on outgoing traffic or connections created by outgoing traffic.
Generally traffic trying to get into RED will be blocked as standard unless you have created a Port Forward rule. The intended purpose of the Location Block feature was to reduce the amount of log messages on installations running on extremely cheap flash storage.

In the second situation, where you created Firewall Rules then any IPFire system traffic that is controlled by Firewall Rules will still be allowed as those rules are positioned earlier than the WUI Firewall Rules page entries.
I suspect that what you are seeing is the Pakfire Servers, some of which are located in the US.

To stop that traffic as well, the simplest way would be change the Forward and Outgoing traffic policies from Allowed to Blocked.

That will stop everything and you can then create the rules for the traffic you want to be allowed and part of that would be that anything from US would be dropped.
You would then see some messages in the Pakfire logs indicating problems when accessing any servers in the US when doing an update of the lists because they would not be able to make a connection.


ok, then wouldn’t it make sense if I only block outgoing traffic?
Because it is much easier to restrict the forward traffic to the extent that only the USA may not be addressed, than that I have to work out 100 allow rules. But how do I get updates? How do I re-enable individual countries?

What is meant by outgoing traffic? Also the OVPN server and the Tor node?
Does the web proxy also fall under this and the SSH server? How do I reach the ipfire when SSH is blocked?
And most importantly the logic of the permissions I don’t understand here anymore, no matter what I enter there I don’t get a permission for pakfire.
Which network under firewall in the rules do I have to select to mean ipfire? Red and green are somehow not.

Why is there in the log actually not next to the entries a button where you press on it, where automatically the rule for the release is defeniert, that I only have to press Apply changes? That would be too easy or?

When you say “Outgoing” I suspect you mean the traffic going from your Green zone to the Red zone.
In IPFire this traffic is called Forward.
Outgoing is the traffic from IPFire itself outwards.
Only changing the Forward policy to Blocked would certainly be easier but then things such as Pakfire accessing the US mirrors can not be blocked from the WUI Firewall system.
You can create iptables rules in firewall.local and place them in the appropriate CUSTOM chain. These CUSTOM chains are processed before the other chains pre-defined by IPFire.

Tor would be covered by the Forward policy. You would need to create rules to allow the Tor traffic outwards via its required ports if the policy was changed to Blocked. You would also need rules for browsing etc.
OVPN Server, Web Proxy and SSH are covered by the Outgoing policy. This also covers Pakfire, DNS and NTP and any other service provided directly via the IPFire system. If this was blocked then, yes you would need rules to allow all these services.

No one has written the code to create that. That is why there is no button present in the log.
I suspect that it would turn out not to be as easy as expected to code it. You would have to figure out which chain the dropped or rejected traffic should be coded into, whether NAT is required, whether the source port should be specified or left blank etc.


This helped clarify it for me.
I use mostly location groups and firewall rules.

Nope I mean all connections from ipfire itself… my forward rule works from green to red that all connections to US are blocked.

Why? Its a proxy like squid and a node should be not on the green side it should be black before connecting to any network from me.

Ah, I thought it is only away on my side :smiley: and all others can work with this practical tool.
I think it is so easy, for all normal users. Ok we need 3 buttons for outgoing, forward and incoming rule creation and you can edit the rule like you want for other ports or protocols.
But when I read the log and create a rule to allow this blocked traffic with the right destination, source, protocolls and ports and then the tests of this is a failture it is very frustrated.
I don’t know what is the dirt the log or my understanding how it should be. I am a very logical person but this rule creation or the writen log it is not.

Perhaps you can help me… my main target is to cut the connection from windows to Microsoft. So how should be the rules? Next thing I would like to cut all connection in the US expect one service i will use. Can I use hostname in the rules or only IPs/Networks?

You probably know that Windows Firewall does have some functionality to block applications accessing the Internet. The problem is in identifying and locating the unknown ‘actors/agents/services/etc’. You could try blocking all traffic and have a look at your logs to see what is trying to get out.
A lot of the traffic to those destinations is over port 443 and thus is encrypted. Without creating a ‘man-in-the-middle’ I can only suggest whitelisting or blacklisting.

1 Like