Block Country Feature Request

[bcording]

I don't know if this would be in the firewall, web filter, spam filter or what, but the ability to outright block access to entire countries could be useful. I know this may sound harsh, but it's something I'm looking at doing. I see it working like this...

The TLD could be blocked...like .cn for all outgoing via web filter.

A list of IPs associated with that country could be obtained from APNIC and block all outgoing and incoming via the firewall.
http://www.apnic.net/apnic-bin/ipv4-....pl?country=cn

This could also become usefull if a TLD of .xxx is ever instituted.

[sky-knight]

Didn't we just go through this? Or perhaps it's late and you're honestly new...

Anyway for some reason beyond me the web filter can't block TLD's... no filter I've ever used lets you do this unless you deny the whole of the internet and start adding things back. But, of course then you can't just allow the TLD you want just like you can't block it. I would love to see this kind of control myself. There is simply no reason for a SMB in the US to be communicating with China... or India.. or anywhere else over seas for that matter. I've had exactly 1 customer with legitimate international connections. It would be handy if we could limit access to known dangerous name spaces, especially if the customer's business model isn't including that market.

[fixxser]

Can't there be a feature to just allow US IP's? I am new, so if someone would be so kind to explain if this is not possible.

[sky-knight]

The IP to geographic region map isn't entirely reliable. And often, US based companies use overseas hosting providers.

That said, it would be nice to kill all access to the .cn domain...

[dcbour]

There's a number of geo ip lookups out there. I've been thinking about this myself for a long time, if anything, to shut down the spam that's not part of the spamhaus block lists et al. I've one client with 80k spam a day hitting their box. Geo filtering before hitting the spam engine would reduce that to less than 5000. Once that was done, I stand a chance of finding a legitimate issue in the results because right now, there's way too much noise in there.
Two approaches. A new node which adds overheat to the system, but maintains the integrated logging, etc (if that's desired) and iptables filtering at the front end. The second, iptables filtering can be done easily enough already. See http://fixingtheweb.com/ for a script to run on your iptables to do it.
D.