How would I set up a "reject" rule block traffic from all countries except the US

What is he trying to achieve? I have a LAN - WAN rule which I block outgoing traffic to many countries and works fine.

I have discovered that places like Microsoft / AWS etc tend to bounce into China with some services and a few exceptions needed to be added to allow some hostnames / IP's past the Firewall rule.

To clarify ... I implemented several business rules which DNAT'd LAN hosts making them accessible from the WAN. My initial setup was obviously inadequate because I noticed a lot of hits from foreign countries - notably China, Russia and Brazil. To address this, I restricted a couple of them by specifying known hosts as appropriate for "Allowed/Client Networks". Servers for which I do not have specific originating host addresses, I specified "United States" as the "Allowed/Client Networks".

To cover myself in the event I inadvertently add another wide open business rule in the future, I constructed a rule which I placed toward the front of the list that had "reject" as the action for any connections originating from from the most nefarious foreign countries and this works for me. If in monitoring the traffic I notice unwanted connections from other countries, I intend to simply add countries to the list to be rejected.

However, it occurred to me that it would be useful to have be able to say something to the effect of "not United States" for identifying source networks to be rejected - effectively a "NOT" operator option on the source network. This way I would never have to modify the reject rule going forward.

Just tell me I'm overly paranoid and I'll forget I even had the thought. Thanks.

To clarify ... I implemented several business rules which DNAT'd LAN hosts making them accessible from the WAN. My initial setup was obviously inadequate because I noticed a lot of hits from foreign countries - notably China, Russia and Brazil. To address this, I restricted a couple of them by specifying known hosts as appropriate for "Allowed/Client Networks". Servers for which I do not have specific originating host addresses, I specified "United States" as the "Allowed/Client Networks".

To cover myself in the event I inadvertently add another wide open business rule in the future, I constructed a rule which I placed toward the front of the list that had "reject" as the action for any connections originating from from the most nefarious foreign countries and this works for me. If in monitoring the traffic I notice unwanted connections from other countries, I intend to simply add countries to the list to be rejected.

However, it occurred to me that it would be useful to have be able to say something to the effect of "not United States" for identifying source networks to be rejected - effectively a "NOT" operator option on the source network. This way I would never have to modify the reject rule going forward.

Just tell me I'm overly paranoid and I'll forget I even had the thought. Thanks.

Hi,

you can use the country blocking feature, but as previously warned a number companies have update sources in other countries. Also some Russian sites are hosted on US based service er networks.

Ian