It was more a question and not related to a possible bug.
Yes, the mentioned bug is more a feature request, too.
If I fully understood your problem, you are trying to limit connections coming from the internet (RED) to your IPFire machine to certain countries. This is precisely what bug #12025 is about, since ports for IPsec and OpenVPN are always opened up for the whole internet. While this is more user-friendly, it requires manual changes to firewall.local.
If I am mistaken: Why does adding a firewall rule via the web interface not work for you?
I’ve blocked almost every country besides Germany. However, when Dehydrated tries to update the LE certifications on IPFire, it contacts a US server. Wait - it’s the other way round: it initiates a request to port 80 from outside (using http-01 mode) on IPFire coming from a US IP address. That access gets blocked of course.
The update of the Let’s Encrypt cert starts once each month. Since I would like to have US blocked all the time, I would like to allow the country during the LE verification/update process.
This is done via a cron job, as a bash script to be precise, and this script should open the firewall for country US and close it again after the update process.
That’s why I’ve asked for the correct command lines for allowing and closing US.
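
An added example, not part of the thread and not IPFire's own code: a wrapper for the cron script described above that inserts a rule, runs the renewal, and always removes the rule again, even when the renewal fails. The chain name `CUSTOMINPUT`, the rule specification, and whether the rule takes precedence over the location block are assumptions to check on the actual system.

```shell
#!/bin/bash
# Added example: open a temporary firewall rule around a certificate
# renewal and guarantee it is removed afterwards.

IPT="${IPT:-iptables}"              # overridable, so the logic can be dry-run
CHAIN="CUSTOMINPUT"                 # assumption: chain used by firewall.local
RULE="-p tcp --dport 80 -j ACCEPT"  # assumption: placeholder rule spec;
                                    # narrow it with your own source match

with_temp_rule() {
    # usage: with_temp_rule <command> [args...]
    # Returns the command's exit status, 2 if the rule could not be
    # inserted (command is not run), 3 if the rule could not be removed.
    local rc=0

    # Insert at position 1 so the rule is evaluated first in the chain.
    # $RULE is intentionally unquoted so it splits into separate arguments.
    $IPT -I "$CHAIN" 1 $RULE || return 2

    # Run the renewal; remember its status without aborting under `set -e`.
    "$@" || rc=$?

    # Always close the hole again, whatever the renewal returned.
    $IPT -D "$CHAIN" $RULE || return 3

    return "$rc"
}

# Example call from the monthly cron script:
#   with_temp_rule dehydrated --cron || logger "LE renewal failed"
```

A return status of 3 means the temporary rule may still be in place, so the cron script should treat it as an alert rather than an ordinary renewal failure.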