
Comment by Fnoord

5 days ago

Literally impossible? On the contrary; geofencing is easy. I block all kinds of nefarious countries on my firewall, and I don't miss them (no loss not being able to connect to/from a mafia state like Russia). Now, if I were to block FAMAG... or Cloudflare...

Yes, literally impossible. The barrier to entry for anyone on the internet to create a proxy or VPN to bypass your geofencing is significantly lower than your cost to prevent them.

  • I don’t even understand where this line of reasoning is going. Did you want a separate network blocked off from the world? A ban on VPNs? What are we supposed to believe could have been disallowed to make this happen?

    • There are a lot of lists around for known VPN endpoints and datacenter IP address ranges, that people use to reduce error rates in IP address to location lookups. That cannot possibly itself be 100% effective, but it can probably drop the error rate of semi-technical users switching their VPN location to circumvent your geo blocking by an order of magnitude or two. It certainly won't stop a sufficiently motivated technical or malicious user.

  • Actually, the 140k Tor exit nodes, VPNs, and compromised proxy servers have been indexed.

    It takes 24 minutes to compile these firewall rules, but the blacklist, along with tripwires, has proven effective at banning game cheats. Example: dropping connections from TX with a hop-count and latency significantly different from their peers.

    Preemptively banning all bad-reputation cloud IP ranges except whitelisted hosts has zero impact on clients. =3

    • I don't have a filter list for compromised proxy servers and VPNs. Do you have a link? I'd be interested in logging such. For Tor, I use [1] (formats in json, txt, md) on OPNsense, but I've also been able to indeed simply parse ASNs (which I currently use for "Twitter, Inc.").

      > Preemptively banning all bad-reputation cloud IP ranges except whitelisted hosts has zero impact on clients. =3

      This. There's outbound and inbound, and it is very unlikely your print server requires connections from Russia or China (to name an example). You're probably better off making a whitelist, jumphost, or using a VPN with proper authentication to access your services.

      Outbound, now that is more difficult to assess. On a desktop, I like a personal firewall for that purpose. Little Snitch on macOS and Open Snitch on Linux have helped me a lot here, but ultimately your hardware firewall is probably lenient on outgoing connections, when you should ask yourself: does my network require this, or are they better off with only an HTTP(S) proxy by default?

      [1] https://github.com/7c/torfilter


  • I don't understand why you want to allow any random guy anywhere in the US but not people country hopping on VPNs. For your air machine infrastructure.

    It's a bit weird that you can't do this simple thing, but what's the motivation for this simple thing?

It is definitely "literally impossible" if your acceptable false positive and false negative rates are zero.

Having said that, vanishingly few companies/projects require that. For probably 99+% of websites, just using publicly available GeoIP databases to block countries will work just fine, so long as you don't pretend to yourself that North Korean or Chinese or Russian (or wherever) web users (or attackers) cannot easily get around that. And you'll also need to accept that occasionally a "local/wanted" user will end up with an IP address that gets blocked due to errors in the database.

I worked on a project a decade or so back where we needed to identify which (Australian) state a website user was in, to correctly display total driveaway prices including all state taxes/charges (stamp duty, CTP insurance, and registration) for new cars. The MaxMind GeoIP database was not all that accurate at a state or city level, especially for mobile devices with CGNATed IP addresses. We ended up with "known errors and estimates of error rates", and a way for our JavaScript to detect some of the known problems (like Vodafone's national CGNAT IP addresses) and popped up a "We detected you're in NSW, and are displaying NSW pricing. Click here to change state." message where we could, and got legal signoff that we could claim "best effort" at complying with the driveaway price laws. 100% compliance with the laws as-written was "literally impossible" with zero error rates.
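As an added example (not code from any commenter in this thread), here is the layered check the thread describes: a GeoIP country lookup combined with VPN/datacenter and Tor lists, an explicit "ask the user" path for CGNAT addresses where the lookup is unreliable, and a scorer for the false positive and false negative rates that decide whether "best effort" is acceptable. All address ranges, lists and the blocked-country set are constructed sample data.

```python
import ipaddress
from typing import Iterable, Tuple

# Constructed sample data for this example only (RFC 5737 documentation
# ranges); a real deployment loads a GeoIP database and published lists of
# VPN endpoints, datacenter ranges and Tor exits instead.
GEOIP_COUNTRY = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "RU",
    ipaddress.ip_network("192.0.2.0/24"): "AU",
}
DATACENTER_OR_VPN = [ipaddress.ip_network("198.51.100.128/25")]  # constructed
TOR_EXITS = {ipaddress.ip_address("203.0.113.7")}  # constructed
BLOCKED_COUNTRIES = {"RU"}  # constructed policy
# Carrier-grade NAT space (RFC 6598): location lookups here are unreliable,
# so the policy allows but asks the user to confirm instead of guessing.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify(ip_str: str) -> dict:
    """Best-effort geofencing verdict: country, reason, allow, prompt."""
    ip = ipaddress.ip_address(ip_str)
    if ip in CGNAT:
        return dict(country=None, reason="cgnat", allow=True, prompt=True)
    if ip in TOR_EXITS:
        return dict(country=None, reason="tor_exit", allow=False, prompt=False)
    if any(ip in net for net in DATACENTER_OR_VPN):
        return dict(country=None, reason="datacenter_or_vpn", allow=False, prompt=False)
    country = next((c for net, c in GEOIP_COUNTRY.items() if ip in net), None)
    if country is None:
        return dict(country=None, reason="no_geoip_match", allow=True, prompt=True)
    if country in BLOCKED_COUNTRIES:
        return dict(country=country, reason="blocked_country", allow=False, prompt=False)
    return dict(country=country, reason="geoip_match", allow=True, prompt=False)


def error_rates(samples: Iterable[Tuple[str, str]]) -> Tuple[float, float]:
    """Score the policy against ground truth pairs (ip, user's real country).

    Returns (false_positive_rate, false_negative_rate): a false positive is a
    wanted user who got blocked (e.g. a GeoIP error), a false negative is a
    user from a blocked country who got through (e.g. an unlisted VPN)."""
    fp = fn = 0
    samples = list(samples)
    for ip_str, real_country in samples:
        allowed = classify(ip_str)["allow"]
        should_block = real_country in BLOCKED_COUNTRIES
        fn += int(allowed and should_block)
        fp += int((not allowed) and (not should_block))
    n = max(len(samples), 1)
    return fp / n, fn / n
```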