# Good ipfw ruleset to block an entire country?



## Argentum (Feb 24, 2022)

Is here anybody who can help with that?


----------



## shkhln (Feb 24, 2022)

There is some kind of a filter that https://www.homedepot.com/ is using (and many other sites as well). Might try that.


----------



## eternal_noob (Feb 24, 2022)

My magic crystal ball says that this thread gets locked immediately.


----------



## Argentum (Feb 24, 2022)

eternal_noob said:


> My magic crystal ball says that this thread gets locked immediately.


Hope not. Just a good `ipfw` ruleset is needed...


----------



## shkhln (Feb 24, 2022)

eternal_noob said:


> My magic crystal ball says that this thread gets locked immediately.


Who cares? Russians, for the most part, don't know and don't read anything in English.


----------



## Argentum (Feb 24, 2022)

shkhln said:


> Who cares? Russians, for the most part, don't know and read anything in English.


But they can attack...

So, to protect your assets rules like `ipfw add deny ip from 178.64.0.0/16 to any` or similar might be a good value...


----------



## SirDice (Feb 24, 2022)

I'm not aware of a plugin or something similar for IPFW that uses GeoIP. But you might be able to generate a list of netblocks by querying the GeoIP database and use that list as a basis for your firewall rules.


----------



## spot (Feb 24, 2022)

Argentum said:


> But they can attack...
> 
> So, to protect your assets rules like `ipfw add deny ip from 178.64.0.0/16 to any` or similar might be a good value...




```
# -------------------------------------------------------
# Free IP2Location Firewall List by Country
# Source: https://www.ip2location.com/free/visitor-blocker
# Last Generated: 24 Feb 2022 19:41:40 GMT
# [Important] Please update this list every month
# -------------------------------------------------------
```

One click, one country, you can edit the iptables format to ipfw easily enough. Just don't mention VPN to the people you're worried by.


----------



## obsigna (Feb 24, 2022)

Last week, I wrote a blog post about this, utilizing ipfw(8) together with my sysutils/ipdbtools (note: on GitHub, I am cyclaero).

https://obsigna.com/articles/1645129152.html

Citizens who use VPN for circumventing the block are welcome, because they show to some extent that they do not abide by everything of their regime.


----------



## SirDice (Feb 24, 2022)

Right. Had to delete a post that would take the thread in a political direction. Can we please keep the politics out of it? Yes, I'm sure your cause is just as righteous, but that discussion has no place here.


----------



## D-FENS (Feb 24, 2022)

SirDice said:


> Right. Had to delete a post that would take the thread in a political direction. Can we please keep the politics out of it? Yes, I'm sure your cause is just as righteous, but that discussion has no place here.


The OP could probably rephrase their question to "How to block an entire country based on IP?"
The current form of the title is politically charged at this point in time and I think it simply sets people off.


----------



## SirDice (Feb 24, 2022)

D-FENS said:


> The OP could probably rephrase their question to "How to block an entire country based on IP?"


Agree. Already changed the title to a less charged one.


----------



## hbsd (Feb 24, 2022)

Argentum May I ask why you wanna do that?


shkhln said:


> Who cares? Russians, for the most part, don't know and don't read anything in English.


Sorry but that's not true.


----------



## shkhln (Feb 25, 2022)

hbsd said:


> Argentum May I ask why you wanna do that?


https://en.wikipedia.org/wiki/2022_Russian_invasion_of_Ukraine#Invasion



hbsd said:


> Sorry but that's not true.


Yeah, sure.


----------



## msplsh (Feb 25, 2022)

Change xx to the ISO 3166-1 alpha-2 code and en0 to your adapter. Load the output into a file to include.

```perl
#!/usr/bin/perl

use strict;
use warnings;

# xx is the ISO 3166-1 alpha-2 country code (lower case); output is a pf include file.
my $xx_netblocks = "pf.xx.blackhole.conf";

# ipdeny.com publishes one CIDR block per line for each country.
my @netblocks = split(/\r\n|\n|\r/, `curl http://www.ipdeny.com/ipblocks/data/countries/xx.zone`);

# Opening with ">" already truncates the file.
open(my $BADNETBLOCKS, ">", $xx_netblocks) or die "Unable to open file $xx_netblocks: $!";

print $BADNETBLOCKS "table <blackhole_xx> const { ";

foreach my $current_block (@netblocks) {
    # Keep only lines that look like an IPv4 CIDR; comments and junk are skipped.
    if ( $current_block =~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ ) {
        # print $BADNETBLOCKS "block on en0 from ".$current_block." to any\n";
        print $BADNETBLOCKS $current_block." ";
    }
}

print $BADNETBLOCKS "}\n";
print $BADNETBLOCKS "block drop on en0 inet from <blackhole_xx> to any\n";

close($BADNETBLOCKS) or die "Unable to close file $xx_netblocks: $!";
```

Sorry it's pf.  Should be easy to modify.


----------



## hbsd (Feb 25, 2022)

shkhln said:


> https://en.wikipedia.org/wiki/2022_Russian_invasion_of_Ukraine#Invasion
> 
> 
> Yeah, sure.


What I want to say is that people have nothing to do with politics. Russian politicians are stupid and the people are not guilty. The Russian people are as good as the rest of the people in the world.
I also live in a country where the politicians are very bad people, and it has made other people in the world think that we are bad people. We have no freedom, even on the Internet! Most sites are filtered, and without VPN you practically have no Internet! Even the Internet speed is slow. I'm tired of living here, but it wasn't my fault I was born here!


----------



## im (Feb 25, 2022)

I have written the script for ipfw.

1. Download the file with the list of required networks to some directory. I use the /root/bin/ directory, for example:
`fetch "http://www.ipdeny.com/ipblocks/data/countries/ru.zone"`

2. Use the template as a standalone script, or include it in your rc.firewall script.

```sh
#!/bin/sh

ipfw='/sbin/ipfw -q'

# Rebuild table 6 from the downloaded zone file (one network per line).
${ipfw} table 6 flush
for ip in `cat /root/bin/ru.zone`; do
${ipfw} table 6 add $ip
done

# Start with 'count' rules only, so hits can be inspected before anything is blocked.
${ipfw} add 6 count all from table\(6\) to me
${ipfw} add 6 count all from me to table\(6\)
```

3. Check the number of hits for the rules:
`ipfw -at list 6`

4. Enable and check ipfw logs for that rule.

5. If the results are correct, replace 'count' with 'deny' in the rules.
Tune it yourself if you want to use it.
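The same idea (zone file in, table and count-then-deny rules out) as a self-contained sh script, written here as an added example rather than taken from im's, msplsh's or obsigna's posts: it validates every line as an IPv4 CIDR before it can reach the firewall and generates a rule file that can be fed to `ipfw -q /dev/stdin` as in obsigna's post. The table name `cc_block`, rule number 6 and file paths are assumptions.

```shell
#!/bin/sh
# Added example (not from any post in the thread): turn an ipdeny-style
# country zone file into ipfw commands, rejecting anything that is not a
# well-formed IPv4 CIDR, and emit count rules first so hits can be checked
# with `ipfw -at list` before the action is switched to deny.
# Table name, rule number and file names are assumptions.

cr=$(printf '\r')

# Return 0 if $1 is a dotted-quad IPv4 CIDR (a.b.c.d/n, octets 0-255, n 0-32).
valid_cidr() {
    case "$1" in
        ""|*[!0-9./]*|*/*/*|/*|*/) return 1 ;;
    esac
    ip=${1%/*}; plen=${1#*/}
    [ "$ip" != "$1" ] || return 1               # no "/" at all
    case "$ip" in .*|*.|*..*) return 1 ;; esac  # empty octet
    [ "$plen" -le 32 ] 2>/dev/null || return 1
    n=0; oldifs=$IFS; IFS=.
    for o in $ip; do
        n=$((n + 1))
        [ "$o" -le 255 ] 2>/dev/null || { IFS=$oldifs; return 1; }
    done
    IFS=$oldifs
    [ "$n" -eq 4 ]
}

# Read a zone file on stdin; print "table NAME flush" then one "table NAME add
# CIDR" per valid line. Comments and blanks are skipped; malformed lines go to
# stderr instead of into the firewall.
gen_table_cmds() {            # $1 = ipfw table name
    tbl=$1
    printf 'table %s flush\n' "$tbl"
    while read -r line; do
        line=${line%"$cr"}; line=${line%%#*}
        set -- $line          # word-split: trims blanks, counts tokens
        [ $# -gt 0 ] || continue
        if [ $# -eq 1 ] && valid_cidr "$1"; then
            printf 'table %s add %s\n' "$tbl" "$1"
        else
            printf 'rejected: %s\n' "$*" >&2
        fi
    done
}

# Rules that use the table: run with $2=count while validating, then deny.
gen_rules() {                 # $1 = table, $2 = count|deny, $3 = rule number
    printf 'add %s %s ip from table(%s) to me in\n' "$3" "$2" "$1"
    printf 'add %s %s ip from me to table(%s) out\n' "$3" "$2" "$1"
}
```

Usage, with the assumed paths: `{ gen_table_cmds cc_block < /root/bin/ru.zone; gen_rules cc_block count 6; } | ipfw -q /dev/stdin`, then re-run with `deny` instead of `count` once `ipfw -at list 6` shows only the expected hits.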


----------



## Argentum (Feb 25, 2022)

hbsd said:


> What I want to say is that people have nothing to do with politics. Russian politicians are stupid and the people are not guilty. The Russian people are as good as the rest of the people in the world.
> I also live in a country where the politicians are very bad people, and it has made other people in the world think that we are bad people. We have no freedom, even on the Internet! Most sites are filtered, and without VPN you practically have no Internet! Even the Internet speed is slow. I'm tired of living here, but it wasn't my fault I was born here!


I did not want to turn it political. Purely technically defensive. Politics is done in parties, polling stations and parliaments, *not on the battlefield*. Cyber attacks from a certain country are highly probable against systems in a Free World. I was just asking about *technical defensive measures*, keeping no politics in mind.


----------



## eternal_noob (Feb 25, 2022)

Argentum said:


> Cyber attacks from a certain country are highly probable against systems in a Free World.


It's not only a certain country, but all countries. Every fricking country in the world has an intelligence service ready to sniff at your private parts.

And I am sure that hacking attacks don't originate from the original country but use machines in a completely different country.

Locking out Russia only targets the normal Russian people, and it doesn't help to protect from hacking attacks.


----------



## shkhln (Feb 25, 2022)

If something is important, it should be airgapped. And, anyway, as you might have noticed by now, some people have a preference for missiles.


----------



## hbsd (Feb 25, 2022)

Argentum said:


> Cyber attacks from a certain country are highly probable against systems in a Free World.


And blocking the Internet is completely against the Internet freedom and free world.


----------



## msplsh (Feb 25, 2022)

Somebody who works at Pornhub asked this question, didn't they?


----------



## mark_j (Feb 25, 2022)

I understand the original question pointed to Russia, but, politics notwithstanding, that's probably not a wide enough net to cast.
While not giving away state secrets, my place of work blocks many VPNs, China, Hong Kong, Russia and, to the point of this reply, all of the CIS (in name only).
The CIS member states have a history (some more than others) of launching network attacks, probably at the behest of their master. Just saying.


----------



## scottro (Feb 27, 2022)

There are probably hundreds of websites where the political aspect can be discussed. Let's try to limit ourselves to the technical issue of blocking a country. There are several countries that try to brute-force attack servers, so it's a legitimate question. Even if one can't block the whole country, they might be able to eliminate a few thousand attempts a day.


----------



## obsigna (Feb 27, 2022)

Here comes a totally unpolitical use case for excluding countries from access to some services of our servers.

The users of our IPSec and mail services reside in 4 countries and send their mails on the submission ports 465 or 587 and get their mails via POP3 or IMAP on ports 995 or 993. I utilize sysutils/ipdbtools for generating a table which can directly be fed into ipfw(8):

```sh
/sbin/ipfw -q flush
/sbin/ipfw -q table all destroy
...
/sbin/ipfw -q table 0 create
/usr/local/bin/ipup -t BR:DE:CH:FR -n 0 -4 | /sbin/ipfw -q /dev/stdin
/sbin/ipfw -q add 90 deny tcp from not table\(0\) to any 465,587,993,995 in recv $WAN setup
/sbin/ipfw -q add 90 deny udp from not table\(0\) to any 500,4500 in recv $WAN
...
```

This measure reduces the attack surface quite a bit.


----------



## obsigna (Feb 27, 2022)

yearzero2 said:


> That is definitely politics, and exactly what a politician would say. They probably did say that and you are repeating it.


Your avatar shows Pol Pot, the mass murderer of the Killing Fields. One of the most disgusting totalitarian leaders of the 20th century. This clearly shows that you are trolling.


----------



## fernandel (Feb 27, 2022)

SirDice said:


> Right. Had to delete a post that would take the thread in a political direction. Can we please keep the politics out of it? Yes, I'm sure your cause is just as righteous, but that discussion has no place here.


All posts here are political.


----------



## eternal_noob (Feb 27, 2022)

Political, discriminating and useless. This is one of the worst threads i've read.


----------



## shkhln (Feb 27, 2022)

fernandel said:


> All posts here are political.


Mine are just generally bitchy.


----------



## mark_j (Feb 27, 2022)

fernandel said:


> All posts here are political.


phooey.


----------



## grahamperrin@ (Feb 28, 2022)

If it's felt necessary to report a _member_ (not a post) – for _profile_ content – I respectfully suggest using the *Report* feature:

Public discussion of the politics of any person's profile can be counter-productive; it's not technical.

Thanks


----------



## SirDice (Feb 28, 2022)

Some good solutions have been offered. I've also seen some good arguments as to why it might be a bad idea. 

With that I'm going to close this thread.


----------

