
TOPIC: Firewall that blocks connections by country?

Re: Firewall that blocks connections by country? 14 years 7 months ago #8142

Default deny vs. default allow is a very tough question in my case. See, I actually want to BLOCK connections coming from one or two specific countries and ALLOW it to EVERYONE else. BUT! I don't know what to do with those whose location is UNCERTAIN! Default deny? I would block too many users without grounds. Default allow? Then what's the point of this firewall at all, if you let too many of those "banned" users slip through it?

Re: Firewall that blocks connections by country? 14 years 7 months ago #8143

Okay, I guess you convinced me to use the "default deny" policy. We are not in court and service denial is not the death penalty, so the presumption of innocence doesn't apply here :)

I am going to download IP range lists (thank you, nske!) for ALL countries EXCEPT those I want to block, and use them as ALLOW lists in one of those Windows personal firewalls that you have so graciously recommended to me.
If I find out that these lists are incomplete, I will be adding more entries.

Thank you, gentlemen, and let me come back to you if things don't work out that way :)

Re: Firewall that blocks connections by country? 14 years 7 months ago #8144

consider proxies etc).

There are not too many free SOCKS proxies available, which are required to establish a TCP/IP connection other than HTTP/FTP/SMTP. My listening application uses its own protocol; it can't be established through an HTTP proxy. Also, I don't think that the users to be banned will figure out that they are banned by location. They will simply try to use someone else's service rather than switch to a SOCKS proxy abroad.

Why not just have a firewall that ALLOWS access to your target user group (I'm sure you'll have network addresses for these), and then disallow all else?

Doesn't that sound like a better idea?

I think you are right here, but on the other hand, this is a mammoth task indeed, as the list of potentially useful locations is much bigger than the list of "banned" ones. Still, I think I'll have to do it your way.


If you just want to block connections based on IP addresses and TCP/UDP ports, then you just need a firewall that works at the network and transport layer (like most firewalls).

Let me make one more thing clear about my problem: I want to block connections only for one service application (the one that I said is listening on a specific port), but I still want to be able to browse web pages in the "banned" countries, so anything lower than the application layer will NOT work for me...

Re: Firewall that blocks connections by country? 14 years 7 months ago #8145

nske:
On the other hand, geographical location is still not supposed to be a secure factor. Certainly, not allowing connections from locations where you are not interested in offering your service is a move that will limit threats based on random scans, but depending on how big and important what you provide is, you may want to implement more secure policies (like having your clients authenticate through a web form before they are added to your firewall's "whitelist").

Re: Firewall that blocks connections by country? 14 years 7 months ago #8146

nske, certainly there are other security measures - the primary ones :) It's just I can't fully rely on those ones, because of the nature of my service 8) Geolocation factor will be an extra measure, and still I think it is a valuable one in my case.

Re: Firewall that blocks connections by country? 14 years 7 months ago #8151

I don't know about Windows software (again, perhaps someone can recommend a Windows firewall that supports that), but I believe the Windows version of IPFW ( ) would do just fine! ;)

Unfortunately, IPFW seems to be NOT an application layer firewall...

I've just figured out that the Windows Firewall that comes with Windows XP SP2 can accept a custom comma-delimited IP range list with the "netsh firewall" command, but I have to find out whether or not it can swallow really large lists. I bet it doesn't.
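
The policy the thread converges on (#8143: allow-list every country except the banned ones and default-deny anything not in a list; #8144: apply it only to the one service port and leave web browsing alone; #8151: feed the firewall a comma-delimited range list, kept as short as possible) can be sketched as a small policy engine. The following is an added example written for this page, not code posted by anyone in the thread and not tied to any particular Windows firewall. The service port (5000), the per-country range table and the connection samples are constructed placeholders; the country lists in particular are RFC 5737 documentation prefixes, not real allocations. The comma-delimited output is just the string form the last post mentions; the example does not emit a firewall command.

```python
import ipaddress

# Assumed port of the poster's custom listening service (hypothetical value).
SERVICE_PORT = 5000

# Constructed stand-in for the downloaded per-country range lists.
# Documentation prefixes only; not real allocations.
COUNTRY_RANGES = {
    "AA": ["203.0.113.0/26", "203.0.113.64/26", "203.0.113.128/25"],
    "BB": ["198.51.100.0/24"],
    "CC": ["192.0.2.0/24"],
}
BANNED = {"CC"}  # the one or two countries to be blocked


def build_allow_list(ranges, banned):
    """Allow-list = every range of every country that is NOT banned.

    Adjacent and overlapping ranges are collapsed so the list handed to the
    firewall is as short as possible (AA's three ranges become one /24).
    """
    nets = []
    for cc, cidrs in ranges.items():
        if cc in banned:
            continue
        nets.extend(ipaddress.ip_network(c, strict=False) for c in cidrs)
    return list(ipaddress.collapse_addresses(nets))


def lookup_country(ip, ranges):
    """Country code covering ip, or None when no list covers it (uncertain)."""
    addr = ipaddress.ip_address(ip)
    for cc, cidrs in ranges.items():
        if any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs):
            return cc
    return None


def decide(src_ip, dst_port, allow_nets, ranges, banned):
    """Return (verdict, reason) for one inbound connection attempt.

    Only SERVICE_PORT is subject to the country policy; every other port is
    left alone, so outbound-driven traffic such as web browsing is untouched.
    """
    if dst_port != SERVICE_PORT:
        return ("allow", "port not covered by the country policy")
    addr = ipaddress.ip_address(src_ip)
    if any(addr in net for net in allow_nets):
        return ("allow", "allow-listed country %s" % lookup_country(src_ip, ranges))
    cc = lookup_country(src_ip, ranges)
    if cc in banned:
        return ("deny", "banned country %s" % cc)
    # Source is in no list at all: the "uncertain location" case. Default deny.
    return ("deny", "location uncertain, default deny")


def comma_delimited(allow_nets):
    """The collapsed allow-list as one comma-delimited string of CIDRs."""
    return ",".join(str(n) for n in allow_nets)


# Constructed sample of inbound attempts: (source IP, destination port).
SAMPLE_CONNECTIONS = [
    ("203.0.113.77", 5000),  # AA, allowed country, service port
    ("192.0.2.10", 5000),    # CC, banned country, service port
    ("192.0.2.10", 80),      # CC, but a port the policy does not cover
    ("10.9.8.7", 5000),      # in no list at all: uncertain location
]


def evaluate_all(connections=SAMPLE_CONNECTIONS):
    """Map each (ip, port) to its (verdict, reason) under the policy above."""
    allow_nets = build_allow_list(COUNTRY_RANGES, BANNED)
    return {(ip, port): decide(ip, port, allow_nets, COUNTRY_RANGES, BANNED)
            for ip, port in connections}


if __name__ == "__main__":
    print("allow-list:", comma_delimited(build_allow_list(COUNTRY_RANGES, BANNED)))
    for (ip, port), (verdict, reason) in evaluate_all().items():
        print("%-15s :%-5d %-5s %s" % (ip, port, verdict, reason))
```

Two design points worth noting. First, the "uncertain" branch is what makes this default deny: an address that appears in no country list is refused on the service port, which is exactly the trade-off the first post worried about, and the reason string keeps that case distinguishable from a real ban when reviewing logs. Second, collapsing adjacent ranges before emitting the list is the cheapest way to shrink what the firewall has to swallow; whether a given Windows firewall accepts a list of any particular length is not established anywhere in the thread.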