Does country blocking work for 'from' only?

I never look at the iptables, but Country Blocking works.   There was a bug in the classification process which was addressed in 9.510.   The earlier versions could produce missing or inconsistent country assignments.  According to the 9.510 release notes, the problem only affected web filtering and only when AD SSO was the authentication method.

Okay, thanks.  I find that mystifying though.  There must be something else going on behind the scenes for from to work, then.  Thanks!

I believe that country blocking happens before iptables, if I remember the flow diagram correctly, it all happens in the "connection tracker" module.

I believe that country blocking happens before iptables, if I remember the flow diagram correctly, it all happens in the "connection tracker" module.

I'm just surprised that 'to' or 'all' DO generate iptables rules.  Well, I'm deploying this in a day or two, so I can test it out.  My email server gets scanned a *lot* from Russia in particular, so awhile back I had added geoip blocking to it, and can see the iptables hits increment in real time :)  So, the plan would be to set RU to 'from', and then watch the iptables stats on the mailserver.  If they keep going up, there's a bug in UTM, and I can open a support case.

I guess I can close this then.  Been running with 'from' on the various countries/regions, and iptables in the mailserver confirms no changes in hits.  Thanks for the info!

Argo, I don't think it's done in conntrack.  It does happen right after that and before everything else.  See #2 in Rulz.

Cheers - Bob

Hi Bob,

you may be right, although I thought i remember speaking to one of the techs at Sophos and they said it was, but this was along time ago when I was still new to the Sophos.