Firewall that blocks connections by country?
19 years 7 months ago #8142
by housefrau
Replied by housefrau on topic Re: Firewall that blocks connections by country?
Default deny vs. default allow is a very tough question in my case. See, I actually want to BLOCK connections coming from one or two specific countries and ALLOW it to EVERYONE else. BUT! I don't know what to do with those whose location is UNCERTAIN! Default deny? I would block too many users without ground. Default allow? Then what's the point of this firewall at all, if you let too many of those "banned" users slip through it?
19 years 7 months ago #8143
by housefrau
Replied by housefrau on topic Re: Firewall that blocks connections by country?
Okay, I guess you convinced me to use the "default deny" policy. We are not in court and service denial is not the death penalty, so presumption of innocence doesn't apply here.
I am going to download IP range lists (thank you, nske!) for ALL countries EXCEPT those I want to block, and use them as ALLOW lists in one of those Windows personal firewalls that you have so graciously recommended to me.
If I find out that these lists are incomplete, I will be adding more entries.
Thank you, gentlemen, and let me come back to you if things don't work out that way.
19 years 7 months ago #8144
by housefrau
Replied by housefrau on topic Re: Firewall that blocks connections by country?
consider proxies etc).
There are not too many free SOCKS proxies available which are required to establish TCP/IP connection other than HTTP/FTP/SMTP. My listening application uses its own protocol - it can't be established with a HTTP proxy. Also, I don't think that the users to be banned will figure that they are banned by location. They will simply try to use someone else's service rather than switch to a SOCKS proxy abroad.
I think you are right here, but on the other hand, this is a mammoth task indeed, as the list of potentially useful locations is much bigger than the list of "banned". Still, I think I'll have to do it your way.
Why not just have a firewall that ALLOWS access to your target user group (I'm sure you'll have network addresses for these), and then disallow all else?
Doesn't that sound like a better idea?
P.S.
Let me make clear one more thing about my problem: I want to block connections only for one service application (the one that I said is listening on a specific port), but I still want to be able to browse web pages in the "banned" countries, so anything lower than application layer will NOT work for me...
If you just want to block connections based on IP addresses and TCP/UDP ports, then you just need a firewall that works at the network and transport layer -like most firewalls.
19 years 7 months ago #8145
by nske
Replied by nske on topic Re: Firewall that blocks connections by country?
On the other hand, geographical location is still not supposed to be a secure factor. Certainly not allowing connections from locations where you are not interested to offer your service is a move that will limit threats based on random scans, but depending on how big and important what you provide is, you may want to implement more secure policies -like having your clients authenticate through a web form before they are added to your firewall's "whitelist".
19 years 7 months ago #8146
by housefrau
Replied by housefrau on topic Re: Firewall that blocks connections by country?
nske, certainly there are other security measures - the primary ones. It's just I can't fully rely on those ones, because of the nature of my service. Geolocation factor will be an extra measure, and still I think it is a valuable one in my case.
19 years 7 months ago #8151
by housefrau
Replied by housefrau on topic Re: Firewall that blocks connections by country?
Unfortunately, IPFW seems to be NOT an application layer firewall...
I don't know about windows software -again perhaps someone can recommend a windows firewall that supports that-, but I believe the windows version of IPFW ( wipfw.sourceforge.net ) would do just fine! ;)
I've just figured that Windows Firewall that comes with Windows XP SP2 can accept custom comma-delimited IP range list with the "netsh firewall" command, but I have to find out whether or not it can swallow really large lists. I bet it doesn't.
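The allow-list plan discussed in this thread (default deny, per-country range lists, a comma-delimited list for the firewall), sketched as an added example that is not part of any post. The country codes and ranges are constructed placeholders, only IPv4 is handled, and it is an assumption that the target firewall accepts CIDR notation in its list.

```python
import ipaddress

# Constructed sample data: documentation ranges stand in for real per-country lists.
COUNTRY_RANGES = {
    "AA": ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/24"],
    "BB": ["203.0.113.0/24"],
    "ZZ": ["198.51.100.64/26"],   # blocked country, overlaps an "AA" entry
}
BLOCKED = {"ZZ"}


def subtract(nets, hole):
    """Remove `hole` from every network in `nets` (blocked wins on overlap)."""
    out = []
    for net in nets:
        if net.subnet_of(hole):
            continue                      # fully covered by the blocked range
        if hole.subnet_of(net):
            out.extend(net.address_exclude(hole))
        else:
            out.append(net)               # no overlap
    return out


def build_allow_list(country_ranges, blocked):
    """Collapsed allow list: every non-blocked country minus blocked ranges."""
    allow = [ipaddress.ip_network(c) for cc, cidrs in country_ranges.items()
             if cc not in blocked for c in cidrs]
    allow = list(ipaddress.collapse_addresses(allow))
    for cc in blocked:
        for c in country_ranges.get(cc, []):
            allow = subtract(allow, ipaddress.ip_network(c))
    return sorted(ipaddress.collapse_addresses(allow))


def is_allowed(ip, allow):
    """Default deny: an address found in no list is refused."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allow)


def to_scope(allow):
    """Comma-delimited form of the list, one entry per collapsed range."""
    return ",".join(str(n) for n in allow)


if __name__ == "__main__":
    allow = build_allow_list(COUNTRY_RANGES, BLOCKED)
    scope = to_scope(allow)
    print(len(allow), "entries,", len(scope), "characters")
    print(scope)
```

Collapsing adjacent ranges before export keeps the list as short as possible, which matters when the firewall's limit on list length is unknown.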