This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Country Blocking - What do the settings really mean?

So I've been doing a lot of reading and searching however I cannot make sense out of some of the Country Blocking settings. Searching this forum area showed six pages of country blocking (searched on country) and nothing referenced what FROM and TO actually do. Google wasn't helpful either.

I'm running UTM Software version 9.313-3.

Under Country blocking there are four settings, OFF, ALL, FROM, and TO.

I understand OFF and ALL and they work as I would expect...

OFF: Country blocking is not on.
ALL: Country blocking is fully on.

The confusion comes with the other two settings, FROM and TO.

The user manual states:
FROM: Traffic coming from this location is blocked.
TO: Traffic going to this location is blocked.

So I set up a block to Germany (where this forum is located) and selected FROM and I would have expected to have all responses blocked, but they are not. So now "I think" that FROM means something that wasn't requested by my web browser in this situation.

Could someone please explain exactly what FROM and TO actually do?

Note: I also setup blocks to the Great Britain and even to my neck of the woods, USA, still confused.

This thread was automatically locked due to age.

Parents

0 Scott_Klassen over 10 years ago

I read about the firewall rules conflict with the country blocks
Not certain where you get this idea from. There's no conflict. Country Blocking has precedence over any manually created firewall rules. If something is blocked by CB, then manually created firewall rules are never evaluated, ergo no conflict. [:)]
Cancel
Vote Up 0 Vote Down

Cancel
0 Coder68 over 10 years ago in reply to Scott_Klassen
Not certain where you get this idea from.  There's no conflict.  Country Blocking has precedence over any manually created firewall rules.  If something is blocked by CB, then manually created firewall rules are never evaluated, ergo no conflict.  [:)]

Scott,

True, at least until the proxy and proxy skip list is used. This forces anything listed in the skip list through the firewall rules, bypassing Geo blocking. This is my workaround for the broken country exceptions.  See my second image in my previous post in this thread.

itdv70,

Please post some firewall logs. I know the country blocking works, as I block every single country in the world, except for the US. [:D] I tested it extensively. For GeoIP lookups, try maxmind. https://www.maxmind.com/en/geoip-demo

A basic diagram of your setup would be helpful too.
[LIST=1]
Do you have a DMZ server with SSH exposed?
If not, what server has this SSHd running?
Do you have the country blocks set to from, to, all, or off for China, Russia, and Brazil?
[/LIST]

C68
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Coder68 over 10 years ago in reply to Scott_Klassen
Not certain where you get this idea from.  There's no conflict.  Country Blocking has precedence over any manually created firewall rules.  If something is blocked by CB, then manually created firewall rules are never evaluated, ergo no conflict.  [:)]

Scott,

True, at least until the proxy and proxy skip list is used. This forces anything listed in the skip list through the firewall rules, bypassing Geo blocking. This is my workaround for the broken country exceptions.  See my second image in my previous post in this thread.

itdv70,

Please post some firewall logs. I know the country blocking works, as I block every single country in the world, except for the US. [:D] I tested it extensively. For GeoIP lookups, try maxmind. https://www.maxmind.com/en/geoip-demo

A basic diagram of your setup would be helpful too.
[LIST=1]
Do you have a DMZ server with SSH exposed?
If not, what server has this SSHd running?
Do you have the country blocks set to from, to, all, or off for China, Russia, and Brazil?
[/LIST]

C68
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data