Block country IPs on all ports

oizo123
Posts: 15
Joined: Mon Mar 28, 2016 2:25 pm

Block country IPs on all ports

Post by oizo123 » Mon Mar 28, 2016 2:55 pm

Hi!

Just want to run this by you guys to see if I'm thinking correctly.

Let's say I want to block all incoming connections from IP#s originating from a specific country called "A". I update the countries list and add the correct country A to the groups list.

Under the "All Services" I put the group "Country A" in the blocked section.

I now add, let's say, a torrent service, defining ports 6881:6889, and under the Allowed section I enter "Everybody".

The torrent service comes after the "All services" service.

Country A is no longer blocked on the ports defined in the torrent service, correct?

To make sure Country A is blocked on all ports I would have to create a "custom all services" on ports 1:65535 and add it to the end of the managed inbound services and put Country A in the blocked section. Correct?

A solution to this problem would be to add "quick" to the block section of the built in "All Services" service. Or if I could manually edit the expanded PF configuration for specific rules and add the quick part there.

Originally I was sure that if I added specific IPs to the block section of All Services they would be blocked completely, but when playing around and testing on the outgoing port 80 I found this not to be true, as the last rule is the one that wins unless the keyword "quick" is present.

Looking forward to an answer!

Best regards,
Sebastian

hany
Posts: 484
Joined: Wed Dec 10, 2014 5:20 pm

Re: Block country IPs on all ports

Post by hany » Mon Mar 28, 2016 6:18 pm

Sebastian,
nice questions :)
Country A is no longer blocked on the ports defined in the torrent service, correct?
correct
To make sure Country A is blocked on all ports I would have to create a "custom all services" on ports 1:65535 and add it to the end of the managed inbound services and put Country A in the blocked section. Correct?
correct, this is a way to do it.
A solution to this problem would be to add "quick" to the block section of the built in "All Services" service.
this feature is implemented in Murus since early betas but is hidden and not usable. That's because it may lead to confusion, it would somehow break the Murus managed services logic. Then, most importantly, there is always another way to achieve the same goals using custom rules.
Or if i could manually edit the expanded PF configuration for specific rules and add the quick part there.
this would be insane :) it can't be done.

Look, I see 3 solutions:
1) if you need to block only inbound connections from nation A just create a custom group for ALL SERVICES, assign "A" to blocked groups and put this service at the end of your ruleset, OR if you need to block both inbound and outbound connections then simply put "A" group in black list.

2) assign nation "A" to your Bittorrent service's blocked group (and repeat this step for all managed services you need to restrict). However this will not have effect on non-managed services.

3) issue a custom rule to block inbound from "A". In custom rules you can refer to groups using their corresponding pf table name. So the group for nation "A" can be referred to as <A> in PF. Let's say you added group Mordor for nation Mordor, just issue this rule:


block in proto {tcp, udp} from <Mordor> to any port {1:65535}
Custom rules are always evaluated after managed services' rules, so they will always "win"; they don't need the 'quick' option, unless you are dealing with many custom rules which may override one another.

I hope it helped

oizo123
Posts: 15
Joined: Mon Mar 28, 2016 2:25 pm

Re: Block country IPs on all ports

Post by oizo123 » Mon Mar 28, 2016 7:32 pm

Hey!

Thank you for the detailed reply!

There is no way to put the custom rules on top? To use the "quick" keyword there? =)

When I try to create a custom rule with <Mordor> I get, in the expanded config, {<Mordor>}. It doesn't look like all the other rules where the { } are missing. What am I doing wrong?

I could of course just use the custom service but I wouldn't be learning anything!

You mention putting the country-group in the blacklist. How would I go about doing that? It would have to be done manually?

I'm trying to do all of this from Murus Pro, not with the terminal.

//Sebastian

hany
Posts: 484
Joined: Wed Dec 10, 2014 5:20 pm

Re: Block country IPs on all ports

Post by hany » Mon Mar 28, 2016 7:46 pm

There is no way to put the custom rules on top? To use the "quick" keyword there? =)
no, the top part is reserved to hardcoded and option rules, central part for managed services and NAT, final part for custom rules.
However putting a custom quick rule on top or putting a custom normal rule at bottom would have the same effect. And you can use quick option as well if you think you need it :)
When I try to create a custom rule with <Mordor> I get, in the expanded config, {<Mordor>}. It doesn't look like all the other rules where the { } are missing. What am I doing wrong?
you are doing nothing wrong, this is correct syntax for PF. Brackets are ignored if they contain only one item, so "<Mordor>" and "{<Mordor>}" are the same. Just click PLAY and see, you don't get any error. Open pf browser and verify runtime rules in the /murus.custom anchor.
You mention putting the country-group in the blacklist. How would I go about doing that? It would have to be done manually?
just open the black list window and drag a group from group library to black list :)
And click PLAY to reload pf rules, as usual.
To open black list panel click the small road sign on top of group library.
Please note that blacklist blocks outbound connections too.
I'm trying to do all of this from Murus Pro, not with the terminal.
that's fine, you should never need to use the terminal when using Murus Pro. :)
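As an added illustration of the rule-evaluation semantics hany describes in this and the earlier reply (this is not code from the thread, from Murus or from PF itself), the following Python model replays Sebastian's rulesets under PF's "last matching rule wins, unless a matching rule is quick" logic. The table contents, source addresses and the `Rule`/`evaluate` names are constructed for the example; the three rulesets mirror the original layout, the trailing custom rule from hany's first reply, and the quick variant discussed above.

```python
"""Toy model of PF rule ordering as discussed in the thread.

Last matching rule wins; a matching 'quick' rule stops evaluation at once.
Constructed example only: table contents, addresses and names are made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed stand-in for the Murus group table <Mordor> (TEST-NET-3 range).
TABLES = {"Mordor": [ip_network("203.0.113.0/24")]}


@dataclass(frozen=True)
class Rule:
    action: str                      # "block" or "pass"
    label: str                       # where Murus would place the rule
    quick: bool = False              # PF 'quick' keyword
    src_table: Optional[str] = None  # PF table name, written <Mordor> in pf.conf
    ports: Optional[range] = None    # e.g. range(6881, 6890) for 6881:6889


def matches(rule: Rule, src: str, port: int) -> bool:
    """Does this inbound packet (source address, destination port) hit the rule?"""
    if rule.src_table is not None:
        if not any(ip_address(src) in net for net in TABLES[rule.src_table]):
            return False
    if rule.ports is not None and port not in rule.ports:
        return False
    return True


def evaluate(ruleset, src: str, port: int):
    """Return (action, label) of the winning rule for one inbound packet.

    PF keeps the LAST matching rule unless a matching rule is 'quick',
    in which case evaluation stops there. Default is pass if nothing matches.
    """
    winner = ("pass", "default (no rule matched)")
    for rule in ruleset:
        if matches(rule, src, port):
            winner = (rule.action, rule.label)
            if rule.quick:
                break
    return winner


ALL_SERVICES_BLOCK = Rule("block", "All Services: blocked <Mordor>",
                          src_table="Mordor")
TORRENT_PASS = Rule("pass", "Torrent 6881:6889: allowed Everybody",
                    ports=range(6881, 6890))

# Sebastian's original layout: All Services first, torrent service after it.
ORIGINAL = [ALL_SERVICES_BLOCK, TORRENT_PASS]

# Fix from hany's first reply: a custom rule after all managed services,
# i.e. 'block in proto {tcp, udp} from <Mordor> to any port {1:65535}'.
FIX_TRAILING_CUSTOM = ORIGINAL + [
    Rule("block", "custom rule: block in from <Mordor> port 1:65535",
         src_table="Mordor", ports=range(1, 65536)),
]

# The hidden alternative: 'quick' on the All Services block entry.
FIX_QUICK_ON_TOP = [
    Rule("block", "All Services (quick): blocked <Mordor>",
         quick=True, src_table="Mordor"),
    TORRENT_PASS,
]


def outcome(ruleset, src: str, port: int) -> str:
    """Action only, convenient for comparing rulesets."""
    return evaluate(ruleset, src, port)[0]


def demo():
    blocked_src, other_src = "203.0.113.10", "198.51.100.5"   # constructed
    for name, rs in (("original", ORIGINAL),
                     ("trailing custom rule", FIX_TRAILING_CUSTOM),
                     ("quick on top", FIX_QUICK_ON_TOP)):
        for port in (80, 6881):
            print(f"{name:22} <Mordor> -> port {port}: {outcome(rs, blocked_src, port)}")
        print(f"{name:22} other   -> port 6881: {outcome(rs, other_src, 6881)}")


if __name__ == "__main__":
    demo()
```

Running `demo()` shows the hole Sebastian suspected: with the original layout the <Mordor> source is blocked on port 80 but passed on 6881, because the later "allow Everybody" torrent rule is the last match. Both fixes close it with identical results, which is hany's point that a quick rule at the top and a normal rule at the bottom behave the same; the trailing custom rule is the one Murus lets you express.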

oizo123
Posts: 15
Joined: Mon Mar 28, 2016 2:25 pm

Re: Block country IPs on all ports

Post by oizo123 » Mon Mar 28, 2016 8:13 pm

Hehe =) Alright, I have just been so focused on making a rule in the beginning of the list to make sure they were blocked early on. Even if I know that the whole idea with pf is to go through all the rules. Just felt better!

I thought I had clicked every button in the application but had missed the black-list one! Thanks! And with the option to "log blacklisted connections" it is the same as putting a custom service or rule in the incoming and outgoing section. Best solution for me.

I was using afctl before but could not find adequate support/documentation around it.

Thanks for providing not only Murus but support around it as well!

I feel I'm going to be back soon with more questions! =)

Cheers!

hany
Posts: 484
Joined: Wed Dec 10, 2014 5:20 pm

Re: Block country IPs on all ports

Post by hany » Tue Mar 29, 2016 12:29 am

You are welcome Sebastian :ugeek:
