Contributed by tbert on from the blocking the blockable blockheads dept.
Every now and then the same question arises on the mailing lists: "How do I block traffic from a country altogether?" While this is a "no-go" in a business-minded environment, the question may be valid for a private network. If you have not the slightest doubt that there has never been and never will be any contact with servers located in, say, Belarus, it might rightfully be assumed that blocking IPs related to Belarus should not only do no harm but improve the security of your home network a little.
The obvious solution for OpenBSD users is "Use PF!" (and likewise for users of the other BSDs and OS X, of course). The core task is to collect the IPs of the country to be blocked. One possible solution is to go to ipdeny.com and copy the zone file for the country (or countries) of interest to your router and/or laptop. Put those IPs into a file that PF can load as a table and let PF block those IPs for you. But please respect ipdeny.com's usage policy.
Here is a "hands-on" example:
I find it helpful to have a directory for any files that belong to PF.
$ sudo mkdir /etc/pf-files
In /etc/pf.conf the following needs to be added:
1. In the prerequisites-section add:
table <blocked_zones> persist file "/etc/pf-files/blocked_zones"
2. In the block-section add early:
block in quick proto tcp from <blocked_zones> to any port { 22 80 }
The following little script fetches a couple of zone files from ipdeny.com and concatenates them into the file blocked_zones.
#!/bin/sh
#
# Disclaimer:
# This is an example - no liability _at all_ for any actual usage!
#
cd ~/tmp # or any other...
# -4 = use IPv4 only
# --no-proxy = don't care for proxies
# --no-cookies = don't accept cookies
# --no-cache = no cached files
wget -4 --no-proxy --no-cookies --no-cache \
http://ipdeny.com/ipblocks/data/countries/cn.zone # CHINA
wget -4 --no-proxy --no-cookies --no-cache \
http://ipdeny.com/ipblocks/data/countries/az.zone # AZERBAIJAN
wget -4 --no-proxy --no-cookies --no-cache \
http://ipdeny.com/ipblocks/data/countries/by.zone # BELARUS
wget -4 --no-proxy --no-cookies --no-cache \
http://ipdeny.com/ipblocks/data/countries/kz.zone # KAZAKHSTAN
wget -4 --no-proxy --no-cookies --no-cache \
http://ipdeny.com/ipblocks/data/countries/kg.zone # KYRGYZSTAN
wget -4 --no-proxy --no-cookies --no-cache \
http://ipdeny.com/ipblocks/data/countries/ru.zone # RUSSIAN FEDERATION
wget -4 --no-proxy --no-cookies --no-cache \
http://ipdeny.com/ipblocks/data/countries/tj.zone # TAJIKISTAN
wget -4 --no-proxy --no-cookies --no-cache \
http://ipdeny.com/ipblocks/data/countries/tm.zone # TURKMENISTAN
wget -4 --no-proxy --no-cookies --no-cache \
http://ipdeny.com/ipblocks/data/countries/uz.zone # UZBEKISTAN
wget -4 --no-proxy --no-cookies --no-cache \
http://ipdeny.com/ipblocks/data/countries/vn.zone # VIET NAM
#
# concatenate all zone files into one table file
cat cn.zone > blocked_zones
cat az.zone >> blocked_zones
cat by.zone >> blocked_zones
cat kz.zone >> blocked_zones
cat kg.zone >> blocked_zones
cat ru.zone >> blocked_zones
cat tj.zone >> blocked_zones
cat tm.zone >> blocked_zones
cat uz.zone >> blocked_zones
cat vn.zone >> blocked_zones
#
rm *.zone
#
# install the table file and reload the ruleset
sudo mv blocked_zones /etc/pf-files/
sudo pfctl -f /etc/pf.conf
#
cd
#
Some notes:
1. I know that this script could easily be written in a more elegant manner. It is simply meant to explain what is happening. Of course, if you want to add 50+ more countries ... feel free to do it your way.
2. It is up to you to judge whether ipdeny.com's collection is trustworthy - I refuse any liability. I have no means to check its completeness or correctness. Their site is merely used as a 'how-to' example.
3. If, e.g., you block Russian IPs (as in the given example) and some Windows PC/laptop behind the OpenBSD firewall is additionally secured by a popular Russia-based anti-virus program, make sure you still get updates of the virus definitions. Basically the same applies if some of your systems need firmware that is provided on a server in one of the countries on your list. Test it!
4. Tell those relying on your administration of PF what you intend to do - they might need a particular address you would otherwise be blocking.
5. Again: this script is an example - you ought to know yourself what you are doing and what is legally prohibited in your country of residence.
Finally I'd like to say THANK YOU to the OpenBSD devs for giving us this fine OS and PF; and this time in particular to Peter Hansteen for his excellent online PF tutorial accompanying the PF FAQ (and the man pages, of course). Did you know that the 3rd edition of his 'The Book of PF' will appear soon - get it!
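An added example, not the article's script and not from any of the commenters: it tightens the "put the IPs into a file PF can load" step by keeping only well-formed IPv4 prefixes from the fetched zone files, so a truncated download or an HTML error page never lands in the table, and it reloads just the table with pfctl -T replace instead of the whole ruleset. PFDIR and ZONEFILE follow the article; TABLE, the function names and the sample zone files are assumptions.

```shell
#!/bin/sh
# Added example (not from the article). Builds the PF table file from zone
# files already fetched into a directory, after filtering them, and swaps
# the live table contents. Variable names beyond PFDIR/ZONEFILE are assumed.

PFDIR=${PFDIR:-/etc/pf-files}
ZONEFILE=${ZONEFILE:-blocked_zones}
TABLE=${TABLE:-blocked_zones}

# Pass through only a.b.c.d/n lines with every octet <= 255 and n <= 32;
# blank lines, comment lines and anything else (e.g. HTML) are dropped.
filter_cidr() {
    awk -F'[./]' '
        /^[[:space:]]*(#|$)/ { next }
        NF == 5 && $5 ~ /^[0-9]+$/ && $5 <= 32 {
            ok = 1
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) ok = 0
            if (ok) print $1 "." $2 "." $3 "." $4 "/" $5
        }'
}

# Merge every *.zone file in directory $1 into table file $2 (deduplicated)
# and print the number of prefixes kept.
build_table() {
    cat "$1"/*.zone | filter_cidr | sort -u > "$2"
    wc -l < "$2" | tr -d ' '
}

# Replace the table in the running pf with the file's contents; this only
# touches the table, not the rest of pf.conf, and needs root.
load_table() {
    pfctl -t "$TABLE" -T replace -f "$1"
}

# Stand-alone demo on constructed zone files (not real ipdeny data); it
# never calls pfctl, it only reports how many prefixes survived filtering.
demo() {
    tmp=$(mktemp -d)
    printf '203.0.113.0/24\n# comment\n198.51.100.0/25\n' > "$tmp/xx.zone"
    printf '192.0.2.0/24\n999.1.1.1/24\n<html>error</html>\n203.0.113.0/24\n' \
        > "$tmp/yy.zone"
    build_table "$tmp" "$tmp/$ZONEFILE"
    rm -r "$tmp"
}
```

In real use, run build_table on the directory the wget loop downloaded into and then load_table on the resulting file from cron; the demo prints 3 because one prefix is a duplicate and two lines are rejected.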
By Anonymous Coward (37.187.2.129) on
#!/bin/sh
PFDIR=/etc/pf-files
ZONEFILE=blocked_zones
mkdir -p ${PFDIR}
> ${PFDIR}/${ZONEFILE}
for ZONE in cn az by kz kg ru tj tm uz vn
do
ftp -o - http://ipdeny.com/ipblocks/data/countries/${ZONE}.zone >> ${PFDIR}/${ZONEFILE}
sleep 1 #respect ipdeny policies
done
pfctl -f /etc/pf.conf
By Pedro Caetano (89.115.30.144) pedrocaetano@binaryflows.com on
>
> #!/bin/sh
>
> PFDIR=/etc/pf-files
> ZONEFILE=blocked_zones
>
> mkdir -p ${PFDIR}
> > ${PFDIR}/${ZONEFILE}
>
> for ZONE in cn az by kz kg ru tj tm uz vn
> do
> ftp -o - http://ipdeny.com/ipblocks/data/countries/${ZONE}.zone >> ${PFDIR}/${ZONEFILE}
> sleep 1 #respect ipdeny policies
> done
>
> pfctl -f /etc/pf.conf
>
Hi,
Instead of reloading the ruleset each time crontab executes this script, it would be better to run the following:
pfctl -t blocked_zones -T replace `cat ${PFDIR}/${ZONEFILE}`
By Blake (78.192.104.249) on
By Anonymous Coward (79.129.79.91) on
block in quick proto tcp from <blocked_zones>10:05 22.05.2014 to any port { 22 80 }
By Stefan Wollny (212.34.73.4) on
> block in quick proto tcp from <blocked_zones>10:05 22.05.2014 to any port { 22 80 }
Quite obviously you are right - that sneaked in.
By sthen (85.158.44.149) on
For example: their blocks shown as being in Germany show up on geolite as including addresses in Afghanistan, Austria, Belgium, Brazil, Belize, Switzerland, Estonia, Europe, France, United Kingdom, Hungary, Ireland, Iraq, Italy, Luxembourg, Netherlands, Poland, Romania, Russian Federation, Singapore, Slovenia, Turkey, Ukraine, United States...
By jdv (216.16.224.222) jdv@clevermonkey.org on http://clvrmnky.org/
There may be some C&C nodes operating out of Russia or China or Estonia, but the work is being done by zombies, and the last time I looked most of those zombies were in the US.
This is aside from the tricky aspects of GeoIP, which is dodgy at best.
By Anonymous Coward (78.192.104.249) on
By Anonymous Coward (2a02:180:1:1::517:aaf) on
Would you be able to block Norway on your firewall, please?
By phessler (phessler) on why in god's name am I wearing pants?
> Would you be able to block Norway on your firewall, please?
>
>
No. We will not block any countries from posting to Undeadly.
By Charles C. Hocker (charles05663) charles@drbs.com on
By phessler (phessler) on why in god's name am I wearing pants?
https://neocities.org/blog/the-fcc-is-now-rate-limited
By Anonymous Coward (50.137.208.84) on
table <blockedzones> persist file "/etc/pf-files/blocked_zones"
block quick from <blockedzones> to any
By Anonymous Coward (95.215.0.158) arkhipax@gmail.com on
(excuse me for my English)