Skynet Whitelist by country code?

Marski69

New Around Here
Is there a way to whitelist on country code?
I use blacklist countrycode and see it's intensive work for the router.
I would only like to approve a few countries.
Isn't this also an option that many people would use?

Something with:


Code:
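ipset -N geoAllowIP nethash
# Write each zone file to stdout (-O -) and add every network to the set.
# {uk,es} relies on shell brace expansion (bash).
for IP in $(wget -O - http://www.ipdeny.com/ipblocks/data/countries/{uk,es}.zone)
do
    ipset -A geoAllowIP $IP
done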
 

jsbeddow

Senior Member
I have to say that seems like an imprudent suggestion at best: while blacklisting by country codes often leads to breaking more than intended, the reverse, whitelisting by country is effectively saying "I believe there are zero bad actors in (insert_preferred_country_here)".

Do you really believe that to be the case?
 

agilani

Very Senior Member
Agree with jsbeddow, defeats the whole purpose of using Skynet. You are better off finding the offending ASN ranges or IPs being blocked and whitelisting those instead (if you are sure they are safe).
 

pignon

New Around Here
Hello,

with the current geopolitical context, I would like to take measures to only allow incoming connections from specific countries. Indeed, bad actors can still use VPNs and bypass country whitelisting, but this would allow filtering 99% of the "trash traffic" coming from IPs from countries that have absolutely no reason to connect to my webcams (as an example). Is it something that can be considered for Skynet vnext? Thanks!

François
 

jsbeddow

Senior Member
> Hello,
>
> with the current geopolitical context, I would like to take measures to only allow incoming connections from specific countries. Indeed, bad actors can still use VPNs and bypass country whitelisting, but this would allow filtering 99% of the "trash traffic" coming from IPs from countries that have absolutely no reason to connect to my webcams (as an example). Is it something that can be considered for Skynet vnext? Thanks!
>
> François

Use blacklisting of countries as much as you see fit for these purposes (although the more you add, the more likely you are to have unintended consequences, sites not working, etc...).
We are unlikely to see new features added to Skynet, as the original developer (@Adamm) has moved on (a long story involving some thread policy changes on the part of SNBForums).

P.S. Francois Pignon, eh? I love the film. :)
 

pignon

New Around Here
Thanks for your response, jsbeddow! I'll try to file a bug on the GitHub project page and see how it goes :)

François
 

BreakingDad

Very Senior Member

jsbeddow

Senior Member
> Adam is back on the forums actually. Which is great news :)

I did see that he posted a very specific question regarding IP6 support (that was answered by RMerlin), but unless you have seen other active development threads (where he is the primary developer, or is otherwise contributing regularly), I'm not convinced that we can call that being "back on the forums".
 

BreakingDad

Very Senior Member
> I did see that he posted a very specific question regarding IP6 support (that was answered by RMerlin), but unless you have seen other active development threads (where he is the primary developer, or is otherwise contributing regularly), I'm not convinced that we can call that being "back on the forums".

13 likes, and 3 posts since January 2022, two-year absence before that. Hopefully, as a valued member of the community, it's a return. We will see.
 

northumberland

Occasional Visitor
I've used this at times for services I use on the router, look into ipset and iptables - both built in and more than capable.
Tbh though, I'm surprised it's not in skynet already.

S
 

northumberland

Occasional Visitor
Oops, forgot to add: (note the !, which means isn't in the list <>) this one blocks pings to all but whitelisted IPs.

ACCEPT icmp -- anywhere anywhere match-set only src icmp echo-request
REJECT icmp -- anywhere anywhere ! match-set whitelist src icmp echo-request reject-with icmp-port-unreachable

S
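
An added example (not posted by anyone in this thread, and not Skynet's code): the loop in the first post starts one `ipset` process per network, so this version filters the zone data and emits a single `ipset restore` batch that fills a staging set and swaps it into place. The staging-set name, the /8 minimum prefix and the sample data are assumptions.

```shell
#!/bin/sh
# Added example: build one `ipset restore` batch from country zone data.
SET=geoAllowIP          # set name from the first post
TMP="${SET}_new"        # assumed name for the staging set

# Keep only well-formed IPv4 CIDRs from stdin. Drops comments, blank lines,
# HTML error pages, out-of-range octets, and prefixes shorter than /8
# (assumed sanity bound so one bad line cannot allow most of the internet).
valid_cidrs() {
    tr -d '\r' | awk -F'[./]' '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ &&
        $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 &&
        $5 >= 8 && $5 <= 32 { print }'
}

# Emit the batch: fill a staging set, then swap it into place so the live
# set is never empty or half-loaded while the list is refreshed.
build_restore() {
    echo "create $SET hash:net"
    echo "create $TMP hash:net"
    echo "flush $TMP"
    valid_cidrs | sort -u | sed "s|^|add $TMP |"
    echo "swap $TMP $SET"
    echo "destroy $TMP"
}

# Constructed sample standing in for downloaded zone files.
sample_zone() {
    printf '%s\n' '# constructed sample data' '192.0.2.0/24' \
        '198.51.100.0/24' '192.0.2.0/24' '<html>404 Not Found</html>' \
        '300.1.1.0/24' '0.0.0.0/0' '203.0.113.0/33' ''
}

# Print the batch for the sample. On the router the same function would be
# fed the downloaded zone data and piped to: ipset -exist restore
sample_zone | build_restore
```

A rule then references the finished set with `-m set --match-set geoAllowIP src`, the same match shown in the listing above.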
 
