Good ipfw ruleset to block an entire country?

Who cares? Russians, for the most part, don't know and read anything in English.
But they can attack...

So, to protect your assets rules like ipfw add deny ip from 178.64.0.0/16 to any or similar might be a good value...
 
I'm not aware of a plugin or something similar for IPFW that uses GeoIP. But you might be able to generate a list of netblocks by querying the GeoIP database and use that list as a basis for your firewall rules.
 
But they can attack...

So, to protect your assets rules like ipfw add deny ip from 178.64.0.0/16 to any or similar might be a good value...
Code:
# -------------------------------------------------------
# Free IP2Location Firewall List by Country
# Source: https://www.ip2location.com/free/visitor-blocker
# Last Generated: 24 Feb 2022 19:41:40 GMT
# [Important] Please update this list every month
# -------------------------------------------------------

One click, one country, you can edit the iptables format to ipfw easily enough. Just don't mention VPN to the people you're worried by.
 
Right. Had to delete a post that would take the thread in a political direction. Can we please keep the politics out of it? Yes, I'm sure your cause is just as righteous, but that discussion has no place here.
 
Right. Had to delete a post that would take the thread in a political direction. Can we please keep the politics out of it? Yes, I'm sure your cause is just as righteous, but that discussion has no place here.
The OP could probably rephrase their question to "How to block an entire country based on IP?"
The current form of the title is politically charged at this point in time and I think it simply sets people off.
 
Change xx for the ISO3166-1 alpha-2 code. en0 to your adapter. Load the output into a file to include
Perl:
#!/usr/bin/perl

use Data::Dumper;

use warnings;

my $xx_netblocks = "pf.xx.blackhole.conf";

my @netblocks = split(/\r\n|\n|\r/,`curl http://www.ipdeny.com/ipblocks/data/countries/xx.zone`);

open (my $BADNETBLOCKS, ">", $xx_netblocks) or die "Unable to open file $xx_netblocks: $!";
truncate $BADNETBLOCKS,0;

print $BADNETBLOCKS "table <blackhole_xx> const { ";

foreach my $current_block (@netblocks) {
    # Only write lines that look like an IPv4 CIDR block.
    if ( $current_block =~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ ) {
        # print $BADNETBLOCKS "block on en0 from ".$current_block." to any\n";
        print $BADNETBLOCKS $current_block." ";
    }
}

print $BADNETBLOCKS "}\n";
print $BADNETBLOCKS "block drop on en0 inet from <blackhole_xx> to any\n";

close($BADNETBLOCKS);

Sorry it's pf. Should be easy to modify.
 
What I want to say is that people have nothing to do with politics. Russian politicians are stupid and the people are not guilty. The Russian people are as good as the rest of the people in the world.
I also live in a country where the politicians are very bad people and it has made other people in the world think that we are bad people. We have no freedom even on the Internet! Most sites are filtered and without VPN you practically have no Internet! Even Internet speed is slow. I'm tired of living here, but it wasn't my fault I was born here!
 
I have written the script for ipfw.

1. Download the file with the list of required networks to some directory.
I use the /root/bin/ directory, for example
fetch "http://www.ipdeny.com/ipblocks/data/countries/ru.zone"

2. Use the template as a standalone script, or include it into your rc.firewall script.
Code:
#!/bin/sh

ipfw='/sbin/ipfw -q'

${ipfw} table 6 flush
for ip in `cat /root/bin/ru.zone`; do
${ipfw} table 6 add $ip
done

${ipfw} add 6 count all from table\(6\) to me
${ipfw} add 6 count all from me to table\(6\)

3. Check the number of hits for the rules.
ipfw -at list 6

4. Enable and check ipfw logs for that rule

5. If the results are correct, replace 'count' with 'deny' within the rules.
Tune it by yourself if you want to use it.
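
A validation pass for the zone file used in the script above, as an added example that is not part of the original post: it rejects anything that is not an IPv4 CIDR block before the list is loaded into an ipfw table as root. `MIN_PREFIX`, the function names and the sample lines are assumptions made for the example; the `table N add` output is the form ipfw reads from a file, as with `ipfw -q /dev/stdin` elsewhere in this thread.

```sh
#!/bin/sh
# Added example: validate a country zone file before it reaches ipfw.
MIN_PREFIX=8    # assumption: no legitimate entry is wider than a /8

# valid_cidr STRING: succeed only for a.b.c.d/len with octets 0-255
# and MIN_PREFIX <= len <= 32.
valid_cidr() {
    case $1 in
        ''|*[!0-9./]*|*/*/*|*/|/*) return 1 ;;   # stray chars, 2 slashes, empty half
        */*) ;;
        *) return 1 ;;                           # no prefix length
    esac
    addr=${1%/*}; len=${1#*/}
    case $addr in
        *.*.*.*.*|*..*|.*|*.) return 1 ;;        # too many or empty octets
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    case $len in *.*) return 1 ;; esac
    [ "${#len}" -le 2 ] && [ "$len" -ge "$MIN_PREFIX" ] && [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# build_table_cmds ZONEFILE TABLE: print "table N add CIDR" lines for ipfw's
# file mode; report rejects on stderr and return 1 if there were any.
build_table_cmds() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')     # tolerate CRLF files
        case $line in ''|'#'*) continue ;; esac      # skip blanks and comments
        if valid_cidr "$line"; then
            echo "table $2 add $line"
        else
            echo "rejected: $line" >&2; bad=1
        fi
    done < "$1"
    return "$bad"
}

# Constructed sample (documentation ranges plus three lines that must not load).
sample_zone() {
    printf '%s\n' '# constructed sample' 192.0.2.0/24 198.51.100.0/25 \
        0.0.0.0/0 '203.0.113.0/24; reboot' 300.1.1.0/24
}
```

Write the output to a file and load it with `/sbin/ipfw -q` and the file's absolute path only when `build_table_cmds` returns 0, so that a damaged or tampered download never replaces a working table.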
 
What I want to say is that people have nothing to do with politics. Russian politicians are stupid and the people are not guilty. The Russian people are as good as the rest of the people in the world.
I also live in a country where the politicians are very bad people and it has made other people in the world think that we are bad people. We have no freedom even on the Internet! Most sites are filtered and without VPN you practically have no Internet! Even Internet speed is slow. I'm tired of living here, but it wasn't my fault I was born here!
I did not want to turn it political. Purely technically defensive. Politics is done in parties, polling stations and parliaments, not on the battlefield. Cyber attacks from a certain country are highly probable against systems in a Free World. I was just asking about technical defensive measures, keeping no politics in mind.
 
Cyber attacks from a certain country are highly probable against systems in a Free World.
It's not only a certain country, but all countries. Every fricking country in the world has an intelligence service ready to sniff at your private parts.

And I am sure that hacking attacks don't originate from the original country but use machines in a completely different country.

Locking out Russia only targets the normal Russian people and it doesn't help to protect from hacking attacks.
 
If something is important, it should be airgapped. And, anyway, as you might have noticed by now, some people have a preference for missiles.
 
I understand the original question pointed to Russia, but, politics withstanding, that's probably not a wide enough net to cast.
While not giving away state secrets, my place of work blocks many VPNs, China, Hong Kong, Russia and to the point of this reply, all of the CIS (in name only).
The CIS member states have a history (some more than others) of launching network attacks, probably at the behest of their master. Just saying.
 
There are probably hundreds of websites where the political aspect can be discussed. Let's try to limit ourselves to the technical issue of blocking a country. There are several countries that try to bruteforce attack servers, so it's a legitimate question. Even if one can't block the whole country, they might be able to eliminate a few thousand attempts a day.
 
Here comes a totally unpolitical use case for excluding countries from access to some services of our servers.

The users of our IPSec and mail services reside in 4 countries and send their mails on the submission ports 465 or 587 and get their mails via POP3 or IMAP on ports 995 or 993. I utilize sysutils/ipdbtools for generating a table which can directly be fed into ipfw(8):
Code:
/sbin/ipfw -q flush
/sbin/ipfw -q table all destroy
...
/sbin/ipfw -q table 0 create
/usr/local/bin/ipup -t BR:DE:CH:FR -n 0 -4 | /sbin/ipfw -q /dev/stdin
/sbin/ipfw -q add 90 deny tcp from not table\(0\) to any 465,587,993,995 in recv $WAN setup
/sbin/ipfw -q add 90 deny udp from not table\(0\) to any 500,4500 in recv $WAN
...

This measure reduces the attack surface quite a bit.
 