
Firewall that blocks connections by country?

19 years 5 months ago #8142 by housefrau
Default deny vs. default allow is a very tough question in my case. See, I actually want to BLOCK connections coming from one or two specific countries and ALLOW them from EVERYONE else. BUT! I don't know what to do with those whose location is UNCERTAIN! Default deny? I would block too many users without grounds. Default allow? Then what's the point of this firewall at all, if you let too many of those "banned" users slip through it?
19 years 5 months ago #8143 by housefrau
Okay, I guess you convinced me to use the "default deny" policy. We are not in court and denial of service is not the death penalty, so the presumption of innocence doesn't apply here :)

I am going to download IP range lists (thank you, nske!) for ALL countries EXCEPT those I want to block, and use them as ALLOW lists in one of those Windows personal firewalls that you have so graciously recommended to me.
If I find out that these lists are incomplete, I will be adding more entries.

Thank you, gentlemen, and let me come back to you if things don't work out that way :)
19 years 5 months ago #8144 by housefrau

> consider proxies etc).

There are not too many free SOCKS proxies available, which are required to establish a TCP/IP connection other than HTTP/FTP/SMTP. My listening application uses its own protocol - it can't be established through an HTTP proxy. Also, I don't think that the users to be banned will figure out that they are banned by location. They will simply try to use someone else's service rather than switch to a SOCKS proxy abroad.

> Why not just have a firewall that ALLOWS access to your target user group (I'm sure you'll have network addresses for these), and then disallow all else?
>
> Doesn't that sound like a better idea?

I think you are right here, but on the other hand, this is a mammoth task indeed, as the list of potentially useful locations is much bigger than the list of "banned" ones. Still, I think I'll have to do it your way.

P.S.

> If you just want to block connections based on IP addresses and TCP/UDP ports, then you just need a firewall that works at the network and transport layer - like most firewalls.

Let me make one more thing clear about my problem: I want to block connections only for one service application (the one that I said is listening on a specific port), but I still want to be able to browse web pages in the "banned" countries, so anything lower than the application layer will NOT work for me...
19 years 5 months ago #8145 by nske
On the other hand, geographical location is still not supposed to be a secure factor. Certainly, not allowing connections from locations where you are not interested in offering your service is a move that will limit threats based on random scans, but depending on how big and important what you provide is, you may want to implement more secure policies - like having your clients authenticate through a web form before they are added to your firewall's "whitelist".
19 years 5 months ago #8146 by housefrau
nske, certainly there are other security measures - the primary ones :) It's just I can't fully rely on those ones, because of the nature of my service 8) Geolocation factor will be an extra measure, and still I think it is a valuable one in my case.
19 years 5 months ago #8151 by housefrau

> I don't know about windows software -again perhaps someone can recommend a windows firewall that supports that-, but I believe the windows version of IPFW ( wipfw.sourceforge.net ) would do just fine! ;)

Unfortunately, IPFW seems to be NOT an application layer firewall...

I've just figured out that the Windows Firewall that comes with Windows XP SP2 can accept a custom comma-delimited IP range list with the "netsh firewall" command, but I have to find out whether or not it can swallow really large lists. I bet it doesn't.
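An added example, not code from anyone in this thread, of the plan the thread converges on: build a default-deny allow list from per-country IP range lists for every country EXCEPT the banned ones, collapse adjacent ranges so the list handed to the firewall is as short as possible, classify an incoming address (banned, unlisted/"location uncertain" and malformed all fall through to deny), and emit the XP SP2 "netsh firewall add portopening" command with a custom address scope that the last post mentions. The country codes, the ranges (RFC 5737 documentation prefixes, not real allocations), port 12345 and the rule name are constructed placeholders.

```python
import bisect
import ipaddress

# Constructed sample data: RFC 5737 documentation prefixes, NOT real
# per-country allocations. They stand in for a downloaded "IP ranges per
# country" list in the shape of (first address, last address) pairs.
SAMPLE_RANGES = {
    "AA": [("203.0.113.0", "203.0.113.127"), ("203.0.113.128", "203.0.113.255")],
    "BB": [("198.51.100.0", "198.51.100.63")],
    "CC": [("192.0.2.0", "192.0.2.255")],
}


def build_allowlist(ranges_by_country, banned):
    """Allow list = every range of every country NOT in `banned`.

    Adjacent and overlapping ranges are collapsed into the fewest CIDR
    blocks, which keeps the list given to the firewall as short as possible.
    """
    nets = []
    for country, ranges in ranges_by_country.items():
        if country in banned:
            continue
        for first, last in ranges:
            nets.extend(ipaddress.summarize_address_range(
                ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return list(ipaddress.collapse_addresses(nets))


def make_lookup(nets):
    """Sorted (start, end) integer bounds for an O(log n) membership test."""
    nets = sorted(nets)
    starts = [int(n.network_address) for n in nets]
    ends = [int(n.broadcast_address) for n in nets]
    return starts, ends


def decide(lookup, ip):
    """Default deny: only an address inside a listed, non-banned range is
    allowed. Banned, unlisted ("location uncertain") and malformed
    addresses all end up as "deny"."""
    starts, ends = lookup
    try:
        addr = int(ipaddress.IPv4Address(ip))
    except ValueError:  # garbage input is denied, never allowed by accident
        return "deny"
    i = bisect.bisect_right(starts, addr) - 1
    if i >= 0 and starts[i] <= addr <= ends[i]:
        return "allow"
    return "deny"


def netsh_portopening(nets, port, name, proto="TCP"):
    """Build the XP SP2 'netsh firewall add portopening' command that opens
    one inbound port only for the allow-listed addresses (scope=CUSTOM).
    netsh expects dotted netmasks rather than prefix lengths, hence
    with_netmask. Port and rule name are placeholders."""
    addresses = ",".join(n.with_netmask for n in sorted(nets))
    return ('netsh firewall add portopening protocol=%s port=%d name="%s" '
            'mode=ENABLE scope=CUSTOM addresses=%s'
            % (proto, port, name, addresses))


if __name__ == "__main__":
    allow = build_allowlist(SAMPLE_RANGES, banned={"CC"})
    lookup = make_lookup(allow)
    for probe in ("203.0.113.200", "192.0.2.5", "8.8.8.8", "garbage"):
        print(probe, "->", decide(lookup, probe))
    print(netsh_portopening(allow, 12345, "my-service"))
```

A portopening rule only governs inbound connections to that one port; the XP SP2 firewall does not filter outbound traffic, so browsing to sites in the banned countries is unaffected, which is the requirement stated earlier in the thread. Collapsing the ranges shrinks the addresses= string, but whether netsh accepts a really large one is exactly the open question in the post above, and this example does not settle it; check the exact netsh syntax on the target machine before relying on it.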