I would like to announce a new feature released to nethserver-blacklist (Threat Shield), the GeoIP blocking. For now this feature is only available with the CLI; we have documentation. Geo-blocking is disabled by default.
This feature allows blocking countries by an ipset of subnets that is downloaded from ipdeny.com each night.
Yippee, that is great news. Thanks a lot for the integration.
Currently I used a cron job to download an ipdeny.com zone and manually(!) put it in the right place (well, at least in the place where I was able to activate the list within the GUI if needed).
That will make adjustments way easier!
Well, I think I've tampered a bit too much within my system going the way of manually adding some geoip blockings.
After I've updated nethserver-blacklist to v1.2.0-1.ns7 (previously v1.1.8-1.ns7) and enabled the geoip feature according to the documentation, it bailed out at
signal-event nethserver-blacklist-save geoips
In the journal, the following was logged:
Mar 17 18:59:13 redacted.my.fqdn esmith::event[15281]: /usr/share/nethserver-blacklist/download: line 38: /usr/share/nethserver-blacklist/geoip: No such file or directory
Mar 17 18:59:13 redacted.my.fqdn esmith::event[15281]: Action: /etc/e-smith/events/nethserver-blacklist-save/S20nethserver-blacklist-conf FAILED: 127 [0.23322]
However, looking at /usr/share/nethserver-blacklist/geoip, the file existed with sane content (counter-checked on a virgin NethServer).
As soon as I disabled geoip blocking in e-smith, the save-event ran gracefully.
Long story short: a complete removal and reinstall of Threat Shield afterwards corrected everything and now it's up and running… well, country-blocking.
My experience with GeoIP was not so straightforward, but it doesn't have anything to do with the implementation. The certificate of ipdeny.com expired on May 19 2021, so if you activate this feature after this date, the download of country subnets does not work.
The workaround (at least for me) was to skip wget's certificate verification in the /usr/share/nethserver-blacklist/geoip script, in the "#download and extract" section, by adding --no-check-certificate.
I do know it is not elegant, but until ipdeny.com updates the certificate, the download will work and you can use GeoIP as advertised.
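The nightly "download a country zone from ipdeny.com and load it into an ipset" pipeline from the announcement, and the failed-download situation from the post above, written out as an added example. This is not code from the thread or from nethserver-blacklist's own geoip script. Assumptions of this example: zone files contain one CIDR per line (as ipdeny.com publishes them), the set name geoip-<cc> and the temporary set name are this example's own conventions, and the download URL pattern is taken from ipdeny.com's public layout; the sample zone is constructed and contains deliberately malformed lines.

```shell
#!/bin/sh
# Added example (not from the thread or from nethserver-blacklist): turn an
# ipdeny-style country zone file into an "ipset restore" script that loads
# the subnets into a temporary set and swaps it into place atomically.
# Assumptions: one CIDR per line as ipdeny.com publishes; the set name
# geoip-<cc> and the download URL pattern are this example's own choices.

# Constructed sample zone (not real ipdeny data): valid entries, a comment,
# a blank line and three malformed lines that must be rejected.
make_sample_zone() {
  cat > "$1" <<'EOF'
# constructed sample zone for country "xx"
10.0.0.0/8
192.0.2.0/24

198.51.100.0/24
not-a-cidr
300.1.1.1/8
10.0.0.0/33
EOF
}

# Accept only a dotted quad (each octet 0-255) followed by /0 .. /32.
is_cidr() {
  case "$1" in
    */*) ;;
    *) return 1 ;;
  esac
  _ip=${1%/*}
  _pfx=${1#*/}
  case "$_pfx" in ''|*[!0-9]*) return 1 ;; esac
  [ "$_pfx" -le 32 ] || return 1
  case "$_ip" in .*|*.|*..*) return 1 ;; esac
  _n=0
  _old_ifs=$IFS
  IFS=.
  for _oct in $_ip; do
    case "$_oct" in ''|*[!0-9]*) IFS=$_old_ifs; return 1 ;; esac
    [ "$_oct" -le 255 ] || { IFS=$_old_ifs; return 1; }
    _n=$((_n + 1))
  done
  IFS=$_old_ifs
  [ "$_n" -eq 4 ]
}

# Emit ipset restore commands for one country. Entries go into a temporary
# set first; the live set is only swapped if at least one entry parsed, so a
# truncated or corrupt download never empties the firewall's block list.
zone_to_ipset_restore() {
  _cc=$1
  _zone=$2
  _set="geoip-$_cc"
  _tmp="$_set-tmp"
  _count=0
  printf 'create %s hash:net family inet -exist\n' "$_set"
  printf 'create %s hash:net family inet -exist\n' "$_tmp"
  printf 'flush %s\n' "$_tmp"
  while IFS= read -r _line || [ -n "$_line" ]; do
    _line=${_line%%#*}                              # drop comments
    _line=$(printf '%s' "$_line" | tr -d ' \t\r')   # drop whitespace / CR
    [ -n "$_line" ] || continue
    if is_cidr "$_line"; then
      printf 'add %s %s\n' "$_tmp" "$_line"
      _count=$((_count + 1))
    else
      printf 'zone %s: skipping malformed entry "%s"\n' "$_cc" "$_line" >&2
    fi
  done < "$_zone"
  if [ "$_count" -eq 0 ]; then
    printf 'zone %s: no valid entries, keeping the current set\n' "$_cc" >&2
    return 1
  fi
  printf 'swap %s %s\n' "$_tmp" "$_set"
  printf 'destroy %s\n' "$_tmp"
}

# Number of accepted entries (useful as a monitoring value for a nightly run).
count_valid_entries() {
  zone_to_ipset_restore "$1" "$2" 2>/dev/null | grep -c '^add '
}

# Download one zone with TLS verification left ON. If the certificate chain
# is bad (as with the expired certificate discussed in the thread) wget fails,
# the ".part" file is never renamed and the previous zone file stays in use.
# Not executed offline; URL pattern assumed from ipdeny.com's public layout.
fetch_zone() {
  _cc=$1
  _out=$2
  wget -q -O "$_out.part" "https://www.ipdeny.com/ipblocks/data/countries/$_cc.zone" \
    && mv -f "$_out.part" "$_out"
}

# Demo on the constructed sample; in a nightly job you would run fetch_zone
# first and pipe this output into "ipset restore" only if it succeeded.
SAMPLE_ZONE=$(mktemp)
trap 'rm -f "$SAMPLE_ZONE"' EXIT
make_sample_zone "$SAMPLE_ZONE"
zone_to_ipset_restore xx "$SAMPLE_ZONE"
```

The fail-closed behaviour is the point: an expired certificate, a truncated transfer or a garbage file makes the job keep the last good set rather than silently loading an empty one, which is the safer failure mode for a block list compared with switching verification off.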
On this subject, I was wondering whether this capability of country IP blocks from ipdeny.com can be replaced with libloc from IPFire? After all, IPFire is a firewall distribution, a live project and open source. Just an idea.
Thanks for reporting a bug. We will patch our rpm. libloc is an executable and we just use the network list from ipdeny.com with ipset. I worry that the gap is bigger.