Hi Witold

On 11.03.2020 at 07:21, Witold Tosta wrote:
> On 2020.03.10 at 19:59, Tom Eastep wrote:
>>
>> Obviously the CN database is being found, since the rule is being
>> installed. If you can't find anything, please send me a full dump and
>> I'll take a look...
>>
>> -Tom
>
> Hi Everyone,
>
> I admit that I was a bit surprised that the xt_geoip functionality works
> incorrectly. At home on Slackware Linux I use a different approach to
> using xt_geoip. Namely, in the policy file I have set all incoming
> connections to DROP
>
> /etc/shorewall/policy
> # Internet policies
> net all DROP NFLOG # log through ulogd
>
> and, for example, I only allow traffic from a given country to SSH.
> Example of /etc/shorewall/rules
>
> # Allow incoming ECHO (only from PL) and rate it to one per second
> Ping(ACCEPT) net:^[PL] $FW - - - - 1/sec
>
> # Allow incoming SSH connections for administration
> SSH(ACCEPT) net:^[PL] $FW
>
> Although this should probably not make a difference, whether I refuse
> calls from a given country or just a country I allow, I have never had
> problems using xt_geoip from the xtables-addons package.
Have you tested this with traffic from another country? In my case the DROP rule is applied incorrectly, e.g. all the time. The same would probably be true for an ALLOW rule. Where did you get your iv4 files from?

regards
Erich
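Erich's question about where the .iv4 files came from points at the database rather than the rule: if the country file is empty, truncated or decoded with the wrong byte order, a `net:^[PL]` match cannot behave as intended. The script below is an added example, not code from this thread, from Shorewall or from xtables-addons. It assumes (this is not stated anywhere in the mails) that a .iv4 file is a flat sequence of inclusive (start, end) IPv4 range pairs stored as 32-bit unsigned integers, big-endian or little-endian depending on the xtables-addons version and directory; the path `/usr/share/xt_geoip/BE/PL.iv4` is likewise an assumed example. The sample data is constructed from RFC 5737 documentation networks and is not a real country allocation.

```python
"""Sanity-check an xt_geoip .iv4 range database against known test addresses."""
import bisect
import ipaddress
import struct
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Assumption (not taken from the mail thread): a .iv4 file is a flat sequence
# of inclusive (start, end) IPv4 range pairs, each a 32-bit unsigned integer.
# Whether the integers are big- or little-endian depends on the xtables-addons
# version and on which directory (BE/ or LE/) the file was taken from.
RANGE_BE = struct.Struct(">II")
RANGE_LE = struct.Struct("<II")

Range = Tuple[int, int]


def parse_iv4(blob: bytes, big_endian: bool = True) -> List[Range]:
    """Decode .iv4 bytes into a sorted list of inclusive (start, end) ranges.

    Raises ValueError for an empty or truncated file and for a range whose
    start lies after its end; a rule built from such a file cannot be trusted.
    """
    fmt = RANGE_BE if big_endian else RANGE_LE
    if not blob:
        raise ValueError("empty .iv4 data: the country has no ranges at all")
    if len(blob) % fmt.size:
        raise ValueError(
            f"truncated .iv4 data: {len(blob)} bytes is not a multiple of {fmt.size}")
    ranges = [fmt.unpack_from(blob, off) for off in range(0, len(blob), fmt.size)]
    for start, end in ranges:
        if start > end:
            raise ValueError(
                f"range start {start:#010x} lies after end {end:#010x}: "
                "corrupt data or wrong byte order")
    return sorted(ranges)


def build_iv4(cidrs: Iterable[str], big_endian: bool = True) -> bytes:
    """Encode CIDR blocks as .iv4 bytes (used here only to construct sample data)."""
    fmt = RANGE_BE if big_endian else RANGE_LE
    out = bytearray()
    for cidr in cidrs:
        net = ipaddress.IPv4Network(cidr)
        out += fmt.pack(int(net.network_address), int(net.broadcast_address))
    return bytes(out)


def ip_in_ranges(ip: str, ranges: List[Range]) -> bool:
    """True if ip falls inside any range; ranges must be sorted by start."""
    n = int(ipaddress.IPv4Address(ip))
    starts = [start for start, _ in ranges]
    i = bisect.bisect_right(starts, n) - 1
    return i >= 0 and n <= ranges[i][1]


def check_database(ranges: List[Range], expected: Dict[str, bool]) -> Dict[str, bool]:
    """Return the test addresses whose verdict differs from `expected`.

    An empty result means the database classifies every test address the way
    the rule author intended; a non-empty one explains a rule that matches
    (or drops) traffic it should not.
    """
    return {ip: ip_in_ranges(ip, ranges)
            for ip, want in expected.items() if ip_in_ranges(ip, ranges) != want}


def load_iv4(path: str, big_endian: bool = True) -> List[Range]:
    """Load a real database file, e.g. /usr/share/xt_geoip/BE/PL.iv4 (assumed path)."""
    return parse_iv4(Path(path).read_bytes(), big_endian)


# Constructed sample: two RFC 5737 documentation networks standing in for a
# country's ranges. This is NOT a real country allocation.
SAMPLE_IV4 = build_iv4(["203.0.113.0/24", "198.51.100.0/24"])

if __name__ == "__main__":
    ranges = parse_iv4(SAMPLE_IV4)
    # Replace with a real file, e.g. load_iv4("/usr/share/xt_geoip/BE/PL.iv4"),
    # and with an address you know to be inside and one outside the country.
    mismatches = check_database(ranges, {
        "203.0.113.7": True,     # should match the country
        "198.51.100.255": True,  # range ends are inclusive
        "192.0.2.1": False,      # a different documentation network
    })
    print("database OK" if not mismatches else f"unexpected verdicts: {mismatches}")
```

Run it against the actual file the firewall host uses, with one address known to be inside the country and one known to be outside; a mismatch, an empty file or a ValueError from `parse_iv4` would explain a rule that matches every source.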
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users