  1. #1
    Untanglit
    Join Date
    Oct 2008
    Location
    Southern California
    Posts
    27

    Block Country Feature Request

    I don't know if this would be in the firewall, web filter, spam filter or what, but the ability to outright block access to entire countries could be useful. I know this may sound harsh, but it's something I'm looking at doing. I see it working like this...

    The TLD could be blocked...like .cn for all outgoing via web filter.

    A list of IPs associated with that country could be obtained from APNIC and block all outgoing and incoming via the firewall.
    http://www.apnic.net/apnic-bin/ipv4-....pl?country=cn

    This could also become useful if a TLD of .xxx is ever instituted.

  2. #2
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,497


    Didn't we just go through this? Or perhaps it's late and you're honestly new...

    Anyway, for some reason beyond me the web filter can't block TLDs... no filter I've ever used lets you do this unless you deny the whole of the internet and start adding things back. But, of course, then you can't just allow the TLD you want, just like you can't block it. I would love to see this kind of control myself. There is simply no reason for a SMB in the US to be communicating with China... or India... or anywhere else overseas for that matter. I've had exactly 1 customer with legitimate international connections. It would be handy if we could limit access to known dangerous name spaces, especially if the customer's business model isn't including that market.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Newbie
    Join Date
    Mar 2009
    Posts
    2


    Can't there be a feature to just allow US IPs? I am new, so if someone would be so kind as to explain if this is not possible.

  4. #4
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,497


    The IP to geographic region map isn't entirely reliable. And often, US based companies use overseas hosting providers.

    That said, it would be nice to kill all access to the .cn domain...
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #5
    Master Untangler
    Join Date
    Aug 2008
    Posts
    111


    There's a number of geo ip lookups out there. I've been thinking about this myself for a long time, if anything, to shut down the spam that's not part of the spamhaus block lists et al. I've one client with 80k spam a day hitting their box. Geo filtering before hitting the spam engine would reduce that to less than 5000. Once that was done, I stand a chance of finding a legitimate issue in the results because right now, there's way too much noise in there.
    Two approaches. A new node which adds overhead to the system, but maintains the integrated logging, etc. (if that's desired) and iptables filtering at the front end. The second, iptables filtering, can be done easily enough already. See http://fixingtheweb.com/ for a script to run on your iptables to do it.
    D.
    Dave Bour
    Desktop Solution Center
    Burlington, ON, Canada
    www.desktopsolutioncenter.ca
    905.381.0077 X501
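
The registry-list-to-firewall idea discussed in this thread, as an added example that is not part of any post and is not the script linked above: it parses lines in the RIR delegated-statistics layout, turns each start address plus address count into CIDR blocks (counts are not always a power of two), merges adjacent blocks, and emits an `ipset restore` file. The set name `geo-cn` and the sample lines are constructed for illustration.

```python
import ipaddress

# Constructed sample in the RIR delegated-statistics layout
# (registry|cc|type|start|count|date|status); documentation ranges only.
SAMPLE = """\
2|apnic|20090301|4|19830101|20090301|+1000
apnic|*|ipv4|*|4|summary
apnic|CN|ipv4|192.0.2.0|128|20080101|allocated
apnic|CN|ipv4|192.0.2.128|128|20080102|allocated
apnic|CN|ipv4|198.51.100.0|96|20080103|assigned
apnic|JP|ipv4|203.0.113.0|256|20080104|allocated
apnic|CN|ipv6|2001:db8::|32|20080105|allocated
apnic|CN|ipv4|not-an-ip|256|20080106|allocated
"""

def country_networks(text, country):
    """Return the merged IPv4 networks delegated to `country`."""
    nets = []
    for line in text.splitlines():
        f = line.strip().split("|")
        # Skips the version header, summary lines, IPv6/ASN and other countries.
        if len(f) < 7 or f[2] != "ipv4" or f[1].upper() != country.upper():
            continue
        try:
            first = ipaddress.IPv4Address(f[3])
            count = int(f[4])  # number of addresses, not a prefix length
            if count < 1:
                raise ValueError("empty range")
            last = first + (count - 1)
        except ValueError:
            continue  # malformed record: never let it become a rule
        nets.extend(ipaddress.summarize_address_range(first, last))
    return list(ipaddress.collapse_addresses(nets))

def ipset_restore(set_name, nets):
    """Render the networks as input for `ipset restore`."""
    lines = [f"create {set_name} hash:net family inet"]
    lines += [f"add {set_name} {n}" for n in nets]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Load with:  ipset restore < geo-cn.txt
    # Match with: iptables -I INPUT -m set --match-set geo-cn src -j DROP
    print(ipset_restore("geo-cn", country_networks(SAMPLE, "CN")), end="")
```

A single set lookup keeps the rule count constant no matter how many blocks the list holds, and the registry country code records where a block was registered, which is the reliability limit raised in post #4.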
