Foreign Country IP Blocking Dynamic List / Geo Blocking
Most Firewalls allow you to select which countries you would like to block. I can manually add a subnet but each country generally has like 200 subnets to type in. It would be nice to select what countries you would like to block and have that list part of a definition file that gets updated like the content filter.
Any updates Smoothwall on this? I keep getting alerts about "access attempts" from unsavory locations and it is really starting to concern me.
I got the same questions. A unanimous yes as well.
Nick Kershaw commented
These were the recent questions. It's a yes to all for us!
What do you need?
1. Block web access to sites in a list of countries
2. Block non-web (firewall) access to hosts in a list of countries
3. Block IPs in a list of countries from accessing devices behind your firewall (i.e. block on port forwards)
4. Something else
Just got an email asking me a question from Smoothwall regarding this post. My reply is below.
We created 2 firewall rules. Blocked IPs inbound and Blocked IPs Outbound. They are the same list.
We have a Single Access Object Manager entry labeled “Blocked IP ALL” that is applied to the above.
In Blocked IP ALL we have many Country specific Access Object Manager entries. Example = Blocked IP China, Blocked IP Russia, Blocked IP South America, Blocked IP TOR, Blocked IP Amazon, Blocked IP USA.
I set up 2 honey pot ports TCP 3389 and TCP 443 that if accessed make it to my list of addresses to block. Then I use Robtex to lookup the IP range of the ISP and add said range to our block lists.
Alex, it is definitely a sore point of contention. I hope we can all keep this thread alive so that it doesn't get dropped to the bottom rung in regards to SW future planning.
Alex St. Pierre commented
It's been a couple years on my original request, I do say that we have run into a couple recent incidents where it would have been nice that we could block specific countries. I wouldn't even care if it's for Content Filter Webpages, I am more concerned on Pass Through Traffic, for example we host email, if I could block Russia and North Korea IPs that would put a huge load off our spam filter.
I am glad others are posting that they want this feature as well.
This was / is a burning issue for us as well. Here's what I settled on implementing...
Originally I created a list of IP ranges to block using this website https://www.countryipblocks.net/acl.php
However, if you block Africa and Asia for example, that's 87,000+ IP ranges. Far too many I'd guess to expect my firewall to process efficiently. And certainly not practical to enter one-by-one via the web UI.
Instead, you can grab a more consolidated / generic list:
For Asia Pacific: https://www.apnic.net/manage-ip/manage-resources/address-status/apnic-resource-range/
For Africa: https://www.afrinic.net/services/rs/managing-ip-number-resources
Still a pain to enter one-by-one, but I got it done in maybe 20 minutes
Also, when I contacted support about this, I did get an engineer at SmoothWall to provide a script they use internally and with customers that allows you to do a bulk upload via python script and CSV using the CLI. It comes with the typical buyer beware warning, but a script does exist if you want to do a more robust list of IP ranges. In the end I just chose the more consolidated list figuring it will kill off most of the bad stuff and I'll supplement with the occasional manual block as needed.
Hope this helps others
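An added example, not part of the original post and not the Smoothwall support script mentioned above: one way to shrink a long per-country ACL before entering it is to merge adjacent and overlapping ranges with Python's `ipaddress` module and emit a CSV. The sample addresses are constructed (documentation and benchmark space), and the `label,network,netmask` column layout and the label name are assumptions, not a format confirmed for any Smoothwall import.

```python
import csv
import io
import ipaddress

# Constructed sample input: documentation/benchmark space, not real country data.
SAMPLE_ACL = """\
198.18.0.0/24
198.18.1.0/24
198.18.2.0/23
198.18.2.128/25
203.0.113.0 - 203.0.113.127
203.0.113.128/25
192.0.2.16-192.0.2.31
not-an-address
"""

def parse_entry(text):
    """Return the IPv4 networks covered by one 'a.b.c.d/n' or 'start - end' entry."""
    if "-" in text:
        start, end = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.IPv4Network(text.strip(), strict=False)]

def consolidate(acl_text):
    """Merge adjacent/overlapping ranges; return (networks, valid_count, rejected)."""
    nets, raw, rejected = [], 0, []
    for line in acl_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        try:
            nets.extend(parse_entry(line))
            raw += 1
        except ValueError:  # malformed entry: report it instead of guessing
            rejected.append(line)
    return list(ipaddress.collapse_addresses(nets)), raw, rejected

def to_csv(networks, label):
    """Render rows as 'label,network,netmask' (hypothetical column layout)."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for net in networks:
        writer.writerow([label, str(net.network_address), str(net.netmask)])
    return out.getvalue()

if __name__ == "__main__":
    merged, raw, bad = consolidate(SAMPLE_ACL)
    print(f"{raw} entries -> {len(merged)} networks, rejected: {bad}")
    print(to_csv(merged, "Blocked IP Example"), end="")
```

Rejected lines are returned rather than silently dropped, so a typo in a source list does not quietly leave a range unblocked.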
I'm sorry to hear that it is not realistically on the radar then. It is disappointing to hear this. For me this is a "must have" security feature. I will unfortunately have to take this as my sign to start evaluating a replacement product. I think that the web filter component works pretty well, but I need an equally vigilant and robust firewall as well.
Patrik Farsang commented
Apologies for not coming back to you all sooner - it's been a hectic week here at Smoothwall!
I've had a chat with the team internally and the conclusion is this:
We think that Geo Blocking is a great idea and we do want to do it. However, with all the work that's currently in the pipeline, we can't commit to when this feature will make it into the product.
I appreciate this is probably not the answer you were hoping for, and I can only apologise for this.
In the future, I will make sure that any updates on this feature request will be posted on here to keep you all informed.
I would settle for quick and dirty over nothing at this point in time. I look forward to some update from Smoothwall regarding this matter. We were promised an update some time this week so I will be very curious to see what they have to say.
Seriously, ever try to find an IP address that was logged two months ago? Moving by hr is a joke. It should be a simple search engine style search that shows all entries for said IP.
David, good luck with another company being responsive to requests. Once a company gets big it's all a committee and drags on. I just wish the smoothwall developers actually used the product vs others and they would see where to make improvements before we even ask.
Providing the AS number in the Geo block logs of the blocked IPs would be a quick solution. Then we could use Robtex to get more information if we should allow an IP range that was blocked by geolocation or not.
David Sadowski commented
Same for us - we'll be trying to switch to other brands that are more responsive to customers' requests.
Translation, 10 years from now our firewall will have this. How about a quick and dirty solution first and refinement to perfection later. I've sold Smoothwall products, Joel, and I'm the only one of my clients still using it... mainly because I have layers of the products I think do each job the best. Most want an all in one solution. I'd love Smoothwall to be that all in one solution but unfortunately isn't since 2007.
Joel Öman commented
What I mean is this is quite a difficult and big project.
We have completely different expectations for a geofilter than eg. pfsense etc.
It must be extremely easy to correct errors such as "Blocklist Feedback" works today.
First, we obviously want the geo function to work in the web filter. So we need one more argument in Web filter policies "to where".
This is to be able to utilize what makes Smoothwall unique, with its Who, What, Where, When and Action Web filter policies.
This also means that it becomes easier to warn people with eg. Soft block and debugging becomes quite easy.
The partner Smoothwall chooses should also have very good control over the large companies' IP addresses.
Then you might want to allow the user to read mail from other countries during a malfunction. In November last year, a major supplier of mail was affected by load problems after an update in Europe. They then created new insiders in the US and Asia to control the traffic there. At least one of our customers could not access the new servers first because they were in Asia.
The partner also needs to have a good check on social media such as facebook, twitter etc. Since they often move the load between different countries.
It must be a very detailed list of eg. Google and Microsoft so that you can, for example, allow mail but block eg Azure from Asia.
When it comes to firewall rules, it is much easier for there we already have "Address object manager" that can be used with Source IPs and Destination IPs.
But that may be enough in the first step, but then our customers want automation to shut down different regions at a possible attack.
I think this should be done with a new module under IPS.
I know that Smoothwall has looked at geo IP for a long time, so they probably know very well what is needed, but as said better to do right from the beginning.
So customers immediately understand how it is supposed to work and that reports and troubleshooting tools are in place.
Joel Öman commented
Christopher. I do not work for Smoothwall, but we have been a distributor in Sweden for a very long time.
We obviously want Smoothwall to have many good features at an attractive price.
If I remember correctly, it was about 2 years ago, we looked at geo IP to a customer's Internet of Things firewall and then I think GeoLite2 would be free the first year, then each end-user self-purchase license if they wanted...
But as I said, this is a question for Smoothwall to find the right supplier, at the right price.
I just find it hard to believe that this is something people have been asking for for a long time and we were told in this very thread that it was on your radar as of July 2017 and yet we are now told it is being brought up to your product managers for review just now because of the activity on this thread? I understand that there is a right way and a quick way to do it, but seriously, this is not something that "just came up". I want to know what your plans are for this feature. I would at least be happy with an implementation timeline.
If I remember correctly my smoothie in the early 2000s had this.
Patrik Farsang commented
I've raised the activity this feature request has been getting to our product managers and we will review the work it would require from our part to implement this into the product.
Joel is right in saying that this is not an easy job - it may seem like so, but it is another thing to maintain and update, and of course as with anything, there is normally a very quick way to do something, and there is the right way to do something.
I will post another update here next week, once an internal discussion has taken place.