Comment by stroebs

5 days ago

Yes, literally impossible. The barrier to entry for anyone on the internet to create a proxy or VPN to bypass your geofencing is significantly lower than your cost to prevent them.

I don’t even understand where this line of reasoning is going. Did you want a separate network blocked off from the world? A ban on VPNs? What are we supposed to believe could have been disallowed to make this happen?

  • There are a lot of lists around for known VPN endpoints and datacenter IP address ranges that people use to reduce error rates in IP address to location lookups. That cannot possibly itself be 100% effective, but it can probably drop the error rate of semi-technical users switching their VPN location to circumvent your geo blocking by an order of magnitude or two. It certainly won't stop a sufficiently motivated technical or malicious user.

Actually, the 140k Tor exit nodes, VPNs, and compromised proxy servers have been indexed.

It takes 24 minutes to compile these firewall rules, but the blacklist along with tripwires has proven effective at banning game cheats. For example, dropping connections from TX with a hop count and latency significantly different from their peers.

Preemptively banning all bad-reputation cloud IP ranges except whitelisted hosts has zero impact on clients. =3
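The "hop count and latency significantly different from their peers" tripwire above, worked through as an added example (not code from anyone in this thread). It assumes each session record carries the region its source IP geolocated to, the IP TTL seen on the first packet and the handshake RTT; hop count is inferred by assuming the sender started from the nearest common initial TTL (64, 128 or 255) at or above the observed value. The session data, the `Session` record, the `k` threshold and the MAD floors are all constructed for the illustration.

```python
"""Peer-relative hop-count / latency outlier check for geo-filtered sessions.

Added example, not from the thread. Assumptions (constructed here):
  * each Session carries the region from an IP -> location lookup, the TTL
    observed on its first packet, and the handshake round trip time in ms;
  * hop count is inferred by assuming the sender started at the nearest common
    initial TTL (64, 128 or 255) at or above the observed value.
"""
from dataclasses import dataclass
from statistics import median

INITIAL_TTLS = (64, 128, 255)


@dataclass(frozen=True)
class Session:
    sid: str
    region: str     # region reported by the IP -> location lookup
    ttl: int        # TTL observed on the first packet
    rtt_ms: float   # handshake round trip time


def hops_from_ttl(ttl: int) -> int:
    """Infer hops as (smallest common initial TTL >= observed) - observed."""
    if not 1 <= ttl <= 255:
        raise ValueError(f"invalid TTL {ttl}")
    initial = next(t for t in INITIAL_TTLS if t >= ttl)
    return initial - ttl


def robust_z(value: float, values: list, floor: float) -> float:
    """Median/MAD based z-score; `floor` stops tight clusters flagging everything."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return (value - med) / max(mad, floor)


def flag_outliers(sessions, k=3.0, hop_floor=1.0, rtt_floor=5.0):
    """Return {sid: reason} for sessions whose hops or RTT differ from regional peers."""
    by_region = {}
    for s in sessions:
        by_region.setdefault(s.region, []).append(s)
    flagged = {}
    for peers in by_region.values():
        if len(peers) < 4:      # too few peers to define "normal" for the region
            continue
        hop_vals = [hops_from_ttl(p.ttl) for p in peers]
        rtt_vals = [p.rtt_ms for p in peers]
        for p, h in zip(peers, hop_vals):
            reasons = []
            if abs(robust_z(h, hop_vals, hop_floor)) > k:
                reasons.append(f"hops={h}")
            if abs(robust_z(p.rtt_ms, rtt_vals, rtt_floor)) > k:
                reasons.append(f"rtt={p.rtt_ms}")
            if reasons:
                flagged[p.sid] = ", ".join(reasons)
    return flagged


# Constructed sample: TX peers mostly sit 10-12 hops away at 30-40 ms. t6 is a
# Linux client (initial TTL 64) and still lands at 11 hops; t8 claims TX but is
# 23 hops and 190 ms away, which is what a relayed/VPN session looks like.
SESSIONS = [
    Session("t1", "TX", 117, 32.0), Session("t2", "TX", 118, 35.0),
    Session("t3", "TX", 116, 38.0), Session("t4", "TX", 117, 30.0),
    Session("t5", "TX", 118, 36.0), Session("t6", "TX", 53, 34.0),
    Session("t7", "TX", 117, 41.0), Session("t8", "TX", 105, 190.0),
    Session("c1", "CA", 118, 60.0), Session("c2", "CA", 117, 58.0),  # too few to judge
]

if __name__ == "__main__":
    for sid, why in flag_outliers(SESSIONS).items():
        print(f"drop {sid}: {why}")
```

The median/MAD comparison rather than mean/standard deviation is deliberate: one relayed session with a 190 ms RTT would otherwise drag the "normal" for the region towards itself. The TTL-to-hops inference is a heuristic (some stacks use other initial TTLs, and middleboxes rewrite TTLs), which is why both signals have to disagree with peers before a session is dropped.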

  • I don't have a filter list for compromised proxy servers and VPNs. Do you have a link? I'd be interested in logging such. For Tor, I use [1] (formats in json, txt, md) on OPNsense, but I've also been able to indeed simply parse ASNs (which I currently use for "Twitter, Inc.").

    > Preemptively banning all bad-reputation cloud IP ranges except whitelisted hosts has zero impact on clients. =3

    This. There's outbound and inbound, and it is very unlikely your print server requires connections from Russia or China (to name an example). You're probably better off making a whitelist, jumphost, or using a VPN with proper authentication to access your services.

    Outbound, now that is more difficult to assess. On a desktop, I like a personal firewall for that purpose. Little Snitch on macOS and OpenSnitch on Linux have helped me a lot here, but ultimately your hardware firewall is probably lenient on outgoing connections, when you should ask yourself: does my network require this, or are they better off with only an HTTP(S) proxy by default?

    [1] https://github.com/7c/torfilter

    • >I don't have a filter list for compromised proxy servers and VPNs.

      Someone just joined the nuisance forums and grabs the same SOCKS/Telegram proxy list they all use (mostly old infected/open servers). When it comes to firewall rules it is a sensitive matter, and depends on the firewall setup (black-hole bans are generally considered rude, as even handshakes are lost).

      For fairly recent personal ban lists, you could try:

      https://github.com/bitwire-it/ipblocklist

      https://www.iblocklist.com/lists

      And a Pi-hole router as a DNS sinkhole:

      https://github.com/pi-hole/pi-hole

      Sanitizing IP lists both before and after parsing is important, and checking for malformed or whitelisted blocks is wise.

      >Outbound, now that is more difficult to assess

      SELinux and firewall rules will handle that just fine for services, but that is cumbersome for desktop users. In general, most just try "unshare -r -n /home/$USER/someApp" or a sandbox/VM to prevent some useful user-space program from connecting to the web.

      Dumping local traffic with Wireshark or iftop is also rather common practice.

      Best of luck, =3
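The "sanitize IP lists before and after parsing, and check for malformed or whitelisted blocks" advice above, as an added example (not code from anyone in this thread or from any of the linked projects). It assumes a plain-text list with one address or CIDR per line and `#` comments, which is the shape the linked lists roughly take; the sample list, the whitelist (documentation ranges standing in for "our own hosts"), the minimum prefix lengths and the nftables set name are all constructed for the illustration.

```python
"""Sanitize an IP blocklist before handing it to a firewall.

Added example, not from the thread. Assumptions (all constructed here):
  * the raw list is plain text, one address or CIDR per line, '#' comments;
  * WHITELIST holds ranges that must never be blocked;
  * entries broader than MIN_V4_PREFIX / MIN_V6_PREFIX are rejected, since a
    stray "0.0.0.0/0" in a downloaded list would ban the whole internet.
"""
import ipaddress

RAW_BLOCKLIST = """\
# constructed sample blocklist (documentation ranges, not real offenders)
198.51.100.0/24
198.51.100.77          # single host inside the /24 above, collapses away
192.0.2.128/25
192.0.2.0/25           # adjacent to the /25 above, merges into a /24
203.0.113.0/24         # overlaps a whitelisted range, gets carved
10.0.0.300             # malformed octet
256.1.1.1/32           # malformed octet
not-an-ip              # junk line
0.0.0.0/0              # overly broad, would ban everything
2001:db8:dead::/48
2001:db8:dead:beef::1  # inside the /48 above
2001:db8::/8           # overly broad for v6
"""

WHITELIST = [ipaddress.ip_network("203.0.113.0/26")]   # "our" hosts, constructed
MIN_V4_PREFIX = 8
MIN_V6_PREFIX = 16


def parse_entries(text):
    """Parse one entry per line; return (accepted_networks, rejected (lineno, entry, reason))."""
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not entry:
            continue
        try:
            # strict=False normalises host bits ("1.2.3.4/24" -> 1.2.3.0/24)
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError as exc:
            rejected.append((lineno, entry, f"malformed: {exc}"))
            continue
        min_prefix = MIN_V4_PREFIX if net.version == 4 else MIN_V6_PREFIX
        if net.prefixlen < min_prefix:
            rejected.append((lineno, entry, f"too broad: /{net.prefixlen}"))
            continue
        accepted.append(net)
    return accepted, rejected


def exclude_whitelist(networks, whitelist):
    """Carve whitelisted ranges out of every block that contains them; drop blocks inside one."""
    result = []
    for net in networks:
        pieces = [net]
        for allowed in whitelist:
            if allowed.version != net.version:
                continue
            next_pieces = []
            for piece in pieces:
                if allowed.subnet_of(piece):          # also covers allowed == piece (yields nothing)
                    next_pieces.extend(piece.address_exclude(allowed))
                elif piece.subnet_of(allowed):        # entirely whitelisted: drop it
                    continue
                else:
                    next_pieces.append(piece)
            pieces = next_pieces
        result.extend(pieces)
    return result


def sanitize(text, whitelist=WHITELIST):
    """Return (v4_networks, v6_networks, rejected) with whitelist carved out and ranges collapsed."""
    accepted, rejected = parse_entries(text)
    carved = exclude_whitelist(accepted, whitelist)
    v4 = sorted(ipaddress.collapse_addresses(n for n in carved if n.version == 4))
    v6 = sorted(ipaddress.collapse_addresses(n for n in carved if n.version == 6))
    return v4, v6, rejected


def verify_no_whitelist_hit(networks, whitelist):
    """Post-parse check: the final list must not touch any whitelisted range."""
    return not any(n.version == w.version and n.overlaps(w)
                   for n in networks for w in whitelist)


def to_nft_set(name, networks):
    """Render the networks as an nftables interval set (fragment for use inside a table)."""
    family = "ipv6_addr" if networks and networks[0].version == 6 else "ipv4_addr"
    elems = ", ".join(n.with_prefixlen for n in networks)
    return f"set {name} {{ type {family}; flags interval; elements = {{ {elems} }} }}"


if __name__ == "__main__":
    v4, v6, rejected = sanitize(RAW_BLOCKLIST)
    assert verify_no_whitelist_hit(v4 + v6, WHITELIST)
    for lineno, entry, reason in rejected:
        print(f"line {lineno}: rejected {entry!r}: {reason}")
    print(to_nft_set("blocklist4", v4))
    print(to_nft_set("blocklist6", v6))
```

Carving the whitelist out of an overlapping block (rather than discarding the whole block) keeps the ban on the rest of that range while guaranteeing the listed hosts stay reachable, and the second `verify_no_whitelist_hit` pass is the "after parsing" check: it runs on the exact set that would reach the firewall, so a bug in the carving logic fails loudly instead of silently locking out a legitimate host.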

I don't understand why you want to allow any random guy anywhere in the US but not people country hopping on VPNs. For your air machine infrastructure.

It's a bit weird that you can't do this simple thing, but what's the motivation for this simple thing?