Hi,
will this command successfully block country US from accessing the red interface:
iptables -I INPUT -m geoip --src-cc US -j DROP
Is there any further action necessary? Or will this rule be active immediately?
And will this command allow the traffic from US?
iptables -D INPUT -m geoip --src-cc US -j DROP
I would like to open the firewall for country US prior to updating a Let’s Encrypt certificate and close the firewall right after.
Michael
It was more a question and not related to a possible bug 
Moreover It was not linked to IPSec nor to OpenVPN…
Hi,
It was more a question and not related to a possible bug
yes, the mentioned bug is more a feature request, too. 
If I fully understood your problem, you are trying to limit connections coming from the internet (RED) to your IPFire machine to certain countries. This is precisely what bug #12025 is about, since ports for IPsec and OpenVPN are always opened up for the whole internet. While this is more user-friendly, it requires manual changes to firewall.local.
If I am mistaken: Why does adding a firewall rule via the web interface not work for you?
Thanks, and best regards,
Peter Müller
I’ve blocked almost every country besides Germany. However, when Dehydrated tries to update the LE certifications on IPFire, it contacts an US server. Wait - it’s the other way round: it initiates a request to port 80 from outside (using http-01 mode) on IPFire coming from an US IP-address. That access gets blocked of course.
The update of the Let’s Encrypt cert starts once each month. Since I would like to have US blocked all time, I would like to allow the country during the LE verfication/update process.
This is done via a cron job, as bash script to be precisely, and this script should open the firewall for country US and close it again after the update process.
That’s why I’ve asked fo the correct command lines for allowing and closing US 
OK, the correct command is
iptables -D GEOIPBLOCK -m geoip --src-cc US -j DROP
or
iptables -I GEOIPBLOCK -m geoip --src-cc US -j DROP
So solved for me now!
I see, thanks for explaining that. 
