Firewall that blocks connections by country?

19 years 5 months ago #8099 by housefrau
Hello, ladies and gentlemen,
first of all, let me confess that I am not a software specialist, so please treat me gently :)

I have a question to everyone. Have you ever come across a personal firewall (application-layer, of course) that can block connections based on the geographic location of the remote IP network? There are a few free online services that can tell you location by IP with precision up to city level, or in the worst case, up to a country, with fair reliability. This precision is enough for my purpose, as I want to block connections to any networks physically located in certain countries.

Even if there is no such firewall readily available, maybe there is a firewall that can utilize custom user scripts as extra firewall rules? Say, a firewall calls a function that accepts an IP address and returns true or false, and then it makes a decision to block or allow the connection. This would also satisfy me, because I can write such a function myself, which is going to rely on those free geo-locator services.

Any feedback is greatly appreciated!
19 years 5 months ago #8120 by nske
Hello and welcome :)
Having the firewall trace through the network each source/destination IP address in real time and then wait for the results to decide what to do with each packet would be inefficient and slow, if possible at all! Perhaps the situation would be better with some efficient caching, but nonetheless, I don't know of any such ready solution.

Still, the good thing is there are fixed lists with the subnets allocated to providers based in each country. These lists can never be completely accurate and they become even less so the older they get, but probably more than 90% of them will always be valid. Using them, you could configure almost any flexible firewall (like IPTables, PF or IPFW / wipfw). Of course, depending on what you have in mind, this might be too much work.

Example of such a list:
here

Say, a firewall calls a function that accepts IP address and returns true or false

In the case of those 3 firewalls I mentioned, you can use tables for that reason (a table can contain many ranges or subnets of IP addresses). Tables can be modified in real time using a CLI utility that comes along in each case, so possibly this could be implemented the way you want under unix-like operating systems (if you mention exactly what you want to do I might be able to provide more information on that direction).

PS. Sorry I just noticed you spoke of Application Layer control, which of course changes things. What traffic is it that you want to control?
19 years 5 months ago #8129 by housefrau
Please don't kick my ass, but I am talking about a personal application-layer firewall for a home *Windows* machine/notebook. The primary purpose is to limit access to one of my network applications (which can accept incoming connections) only to users in particular regions, so to say. Or to ban particular regions from access.

In that case, you probably see that caching of internet-retrieved results would indeed be very efficient: I don't have that many new clients trying to connect to me. Even if the first request of IP Location can exceed TCP timeout, the other party will try to connect again, and this time my firewall will already have the necessary datum to make a decision. I don't care - they can wait :)
19 years 5 months ago #8139 by sahirh
Aahh.. my young Jedi... one of the first mistakes of firewall design... and for that matter software design..

In firewall design, you should work on the assumption that that which is not expressly allowed is denied (a default deny policy).

In software design when validating input, you don't make a list of bad inputs, you make a 'white list' of good input, and deny everything else.

Instead of trying to block users from specific geographical regions (a mammoth task IMHO, especially considering that networking does not necessarily map to geographical borders; consider proxies etc.), why not just have a firewall that ALLOWS access to your target user group (I'm sure you'll have network addresses for these), and then disallow all else?

Doesn't that sound like a better idea?

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
19 years 5 months ago #8140 by nske
Heh, I was just a little confused about what you wanted to do. I should have gotten the clue since you said "personal"; "Windows" rang the bell louder! :) So, here's your scenario (correct me if I am wrong): you have a Windows machine with a permanent connection to the internet and you have some service listening there, but you want to block incoming connections directed to it, depending on the country of origin, right?

Just to clear this up, an application layer firewall is basically a firewall that is able to distinguish traffic of specific protocols that function in the application layer (a layer higher than the network and transport layers where TCP/IP works), like HTTP, and so it can filter that traffic according to information contained in the headers of these protocols (information that is just data with no meaning for TCP/IP). If you just want to block connections based on IP addresses and TCP/UDP ports, then you just need a firewall that works at the network and transport layer, like most firewalls.

Since I assume that you don't need something more than that, things do not change much, apart from the fact that you look for a firewall for Windows! I don't think a firewall that works as you suggested exists; perhaps some Windows geek here knows of a software that attempts to do just that. Still, I think it would be better if you made a static list of all the subnets you want to block (or allow), based on a list like the one mentioned, and just do it using firewall rules. All the firewalls should allow you that; the only problem is how to simplify it so that you won't have to write one rule separately for each subnet you want to block: insert the addresses in a Table (Access List) and give only one rule for that Access List. I don't know about Windows software (again, perhaps someone can recommend a Windows firewall that supports that), but I believe the Windows version of IPFW ( wipfw.sourceforge.net ) would do just fine! ;)
19 years 5 months ago #8141 by nske
I just saw Sahir's post (as usual I had opened the post window for a good while before I replied, so I only saw it afterwards :P). I just want to back his suggestion: a default deny policy is always better! If you make a mistake, something will not work and you will have to fix it, but with a default allow policy, if you make a mistake you will probably never find out! :)
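The three ideas in this thread fit together in one decision function: nske's subnet table, Sahir's default-deny allow-list, and housefrau's caching of per-address decisions. The example below is added here and is not code from any of the posters; the CIDR blocks are constructed documentation ranges, not a real country allocation list.

```python
import ipaddress

# Constructed sample table standing in for "all subnets of the allowed region".
# These are documentation ranges, not a registry export.
TRUSTED_CIDRS = [
    "203.0.113.0/24",
    "198.51.100.0/25",
    "198.51.100.128/25",   # adjacent to the block above; collapses into a /24
    "2001:db8::/32",
]


def build_table(cidrs):
    """Collapse the list into a minimal set of networks, as a PF/IPFW table does."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)


class AllowListFirewall:
    """Default-deny decision function: only addresses inside the table are allowed."""

    def __init__(self, cidrs):
        self.table = build_table(cidrs)
        self._cache = {}   # address string -> decision; repeat connections skip the lookup
        self.lookups = 0   # counts table lookups, so the cache effect is observable

    def allowed(self, ip_str):
        if ip_str in self._cache:
            return self._cache[ip_str]
        self.lookups += 1
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            decision = False   # unparseable input is denied, never guessed at
        else:
            decision = any(ip in net for net in self.table if net.version == ip.version)
        self._cache[ip_str] = decision
        return decision


if __name__ == "__main__":
    fw = AllowListFirewall(TRUSTED_CIDRS)
    for peer in ("203.0.113.7", "198.51.100.200", "192.0.2.1", "2001:db8::1", "garbage"):
        print(peer, "ALLOW" if fw.allowed(peer) else "DENY")
```

Anything not in the table, including malformed input, is denied; mistakes therefore show up as a blocked legitimate client rather than as a silent hole.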