# How to block country IPs



## tony33 (Jun 4, 2017)

Hi, I need to find a bash script or something to add IPFW rules and block massive numbers of IP addresses from countries.

I looked at ipdeny but their generator is not working.  I need some way to easily download the files from ipdeny and then have IPFW load these IPs in.

How would I do this?


----------



## obsigna (Jun 4, 2017)

Perhaps you are looking for sysutils/ipdbtools.

From the Firewall Examples in ipdbtools(1):


> # Deny web access from certain countries we don't like this week:
> /usr/local/bin/ipup -t TR:SA:RU -n 66 | /sbin/ipfw -q /dev/stdin
> /sbin/ipfw -q add 70 allow tcp from not table\(66\) to any 80,443 in recv em0 setup


----------



## rigoletto@ (Jun 5, 2017)

Hello,

I do not use IPFW but PF; however, I use the cron job below to update the geoblock file (which I created) that PF is configured to look into to block addresses. You may want to do something similar on IPFW.


```
@monthly curl -s http://www.ipdeny.com/ipblocks/data/countries/{cn,us,tr,ru,tw,ro,in,it,hu}.zone > \
/usr/local/etc/blocked/geoblock
```


----------



## asteriskRoss (Jun 5, 2017)

Have a look at Thread 56874 and the tool it mentions by obsigna.  I've been meaning to look at it myself.


----------



## obsigna (Jun 5, 2017)

asteriskRoss said:


> Have a look at Thread 56874 and the tool it mentions by obsigna.  I've been meaning to look at it myself.


I just want to add that this set of tools has since made it into the ports tree; see sysutils/ipdbtools. Some more recent changes on GitHub addressed ARM compatibility. If this is meant to run on x86 only, the version in the ports would be perfect.


----------



## tony33 (Jun 5, 2017)

I don't want to divert ports. I already have rules set in IPFW and just want to make things simple. I just want to block all IPs from certain countries from coming in and out.  Maybe making an IP table, denying it, and running a script to add IP blocks to this table would be the solution. I don't know, but I want a solution to block certain countries from connecting. I think that tool is complicated to use and I don't want to divert ports. The reason is I already have rules set for most of the ports. Isn't diverting going to bypass my firewall?


----------



## gariac (Jun 6, 2017)

My solution isn't slick, but you are welcome to it. I go to this page:
https://www.ip2location.com/blockvisitorsbycountry.aspx
I get the CIDRs for each country from the menu and download them. I then create a simple shell script to feed them to a table for ipfw. In this case, I am using a table numbered "3". The format of the file follows:

```
ipfw -q table 3 add 5.62.60.4/30
ipfw -q table 3 add 5.62.62.4/30
ipfw -q table 3 add 37.255.187.0/27
```
Inside /etc/rc.firewall, I added these lines:

```
#block email
${fwcmd} add 568 deny log all from 'table(3)' to any dst-port 110
${fwcmd} add 569 deny log all from 'table(3)' to any dst-port 143
${fwcmd} add 570 deny log all from 'table(3)' to any dst-port 465
${fwcmd} add 571 deny log all from 'table(3)' to any dst-port 587
${fwcmd} add 572 deny log all from 'table(3)' to any dst-port 993
${fwcmd} add 573 deny log all from 'table(3)' to any dst-port 995
```
In this particular case, I am blocking all email ports other than 25 from countries where I don't reside or visit.

Where to place the "deny" lines is tricky. I suggest researching a program like sshguard and put the "deny" in a similar location as they suggest for that service.

When possible, I like solutions not to depend on external databases, at least in real time. This is a self-contained solution, though the database changes quarterly and, like all databases, will have a bug or two. For instance, the Chaos Computer Club was trying to hack my email from, of all things, their own traceable IP space! So I maintain an additional file of additions.


----------
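Pulling the thread together: an added example, not code from any poster, that does what tony33 asked for in gariac's style: fetch ipdeny zone files and load every CIDR into an ipfw table, checking each line first so a truncated or tampered download cannot turn into arbitrary ipfw commands. It assumes FreeBSD's fetch(1), table number 3, /usr/local/etc/blocked as the download directory (the path rigoletto@ uses) and the ipdeny URL from the thread.

```sh
#!/bin/sh
# Added example (not from the thread). Assumed: FreeBSD fetch(1), ipfw table 3,
# zone files kept under /usr/local/etc/blocked, ipdeny URL as posted above.
TABLE=3
ZONE_DIR=/usr/local/etc/blocked
ZONE_URL=http://www.ipdeny.com/ipblocks/data/countries

# valid_cidr: true only for a.b.c.d[/nn] with octets 0-255 and prefix 0-32.
# Every downloaded line goes through this before it becomes an ipfw command.
valid_cidr() {
    case "$1" in
        */*) ip=${1%%/*}; len=${1#*/} ;;
        *)   ip=$1;       len=32 ;;
    esac
    case "$ip"  in ''|*[!0-9.]*) return 1 ;; esac
    case "$len" in ''|*[!0-9]*)  return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs   # split into octets
    [ $# -eq 4 ] || return 1
    for octet; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

# zone_to_ipfw: read CIDRs on stdin (one per line, '#' comments allowed) and
# print "table N add CIDR" lines for "ipfw -q /dev/stdin". Malformed lines are
# reported on stderr and dropped instead of being handed to ipfw.
zone_to_ipfw() {
    tr -d '\r' | while read -r line rest; do
        line=${line%%#*}
        [ -n "$line" ] || continue
        if valid_cidr "$line"; then
            printf 'table %s add %s\n' "$TABLE" "$line"
        else
            printf 'skipping malformed entry: %s\n' "$line" >&2
        fi
    done
}

# update_geoblock cc...: download each country's zone file, then rebuild the
# table in one ipfw run. The flush empties the table briefly before the adds
# land; removed ranges disappear, which a plain "add" loop would never do.
update_geoblock() {
    mkdir -p "$ZONE_DIR"
    for cc; do
        fetch -q -o "$ZONE_DIR/$cc.zone" "$ZONE_URL/$cc.zone" || return 1
    done
    { printf 'table %s flush\n' "$TABLE"; cat "$ZONE_DIR"/*.zone | zone_to_ipfw; } \
        | ipfw -q /dev/stdin
}

# Usage: sh geoblock.sh tr sa ru   (then deny from 'table(3)' as in rc.firewall)
if [ $# -gt 0 ]; then update_geoblock "$@"; fi
```

Run it from cron the way rigoletto@ does; the deny rules that reference table(3) stay in rc.firewall exactly as gariac shows them.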

