
Skynet Whitelist by country code?


Marski69

Is there a way to whitelist on country code?
I use blacklist countrycode and see it's intensive work for the router.
I would only like to approve a few countries.
Isn't this also an option that many people would use?

Something with:


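Code:
# Create the allow-list set (legacy syntax for: ipset create geoAllowIP hash:net)
ipset -N geoAllowIP nethash
# "-O -" writes the zone files to stdout; the {uk,es} brace expansion needs a shell that supports it
for IP in $(wget -q -O - http://www.ipdeny.com/ipblocks/data/countries/{uk,es}.zone)
do
    ipset -A geoAllowIP $IP
done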
 
I have to say that seems like an imprudent suggestion at best: while blacklisting by country codes often leads to breaking more than intended, the reverse, whitelisting by country is effectively saying "I believe there are zero bad actors in (insert_preferred_country_here)".

Do you really believe that to be the case?
 
Agree with jsbeddow, defeats the whole purpose of using skynet. You are better off finding the offending ASN ranges or IPs being blocked and whitelisting those instead (if you are sure they are safe).
 
Hello,

with the current geopolitical context, I would like to take measures to only allow incoming connections from specific countries. Indeed, bad actors can still use VPNs and bypass country whitelisting, but this would allow filtering 99% of the "trash traffic" coming from IPs from countries that have absolutely no reason to connect to my webcams (as an example). Is it something that can be considered for skynet vnext? Thanks!

François
 
Use blacklisting of countries as much as you see fit for these purposes (although the more you add, the more likely you are to have unintended consequences, sites not working, etc...).
We are unlikely to see new features added to Skynet, as the original developer (@Adamm) has moved on (a long story involving some thread policy changes on the part of SNBForums).

P.S. Francois Pignon, eh? I love the film. :)
 
Thanks for your response Jsbeddow! I'll try to file a bug on the GitHub project page and see how it goes :)

François
 
Adam is back on the forums actually. Which is great news :)
I did see that he posted a very specific question regarding IP6 support (that was answered by RMerlin), but unless you have seen other active development threads (where he is the primary developer, or is otherwise contributing regularly), I'm not convinced that we can call that being "back on the forums".
 
13 likes, and 3 posts since January 2022, two-year absence before that. Hopefully, as a valued member of the community it's a return. We will see.
 
I've used this at times for services I use on the router, look into ipset and iptables - both built in and more than capable.
Tbh though, I'm surprised it's not in skynet already.

S
 
Oops, forgot to add: (note the !, which means isn't in the list <>) this one blocks pings to all but whitelisted IPs.

ACCEPT icmp -- anywhere anywhere match-set only src icmp echo-request
REJECT icmp -- anywhere anywhere ! match-set whitelist src icmp echo-request reject-with icmp-port-unreachable

S
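
Added example, not part of any post in this thread and not Skynet code: one way to turn downloaded country zone data into an ipset allow-list without passing unvalidated lines to `ipset`, and without swapping in an empty set when the download fails. The set name `geoAllowIP` comes from the thread; `build_restore`, `sample_zone` and the `_new` staging suffix are hypothetical names, and the sample input is constructed.

```shell
#!/bin/sh
# build_restore SETNAME < zone-lines > restore-file
# Keeps only well-formed IPv4 CIDRs (one per line) and prints an
# `ipset restore` script that fills a staging set and swaps it in.
# Returns non-zero and prints nothing if no valid network was read, so a
# failed download cannot replace a working allow-list with an empty one.
build_restore() {
    awk -v s="$1" '
        function valid(cidr,    p, o, i) {
            if (cidr !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/) return 0
            split(cidr, p, "/")
            if (p[2] + 0 < 1 || p[2] + 0 > 32) return 0   # hash:net has no /0
            split(p[1], o, ".")
            for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) return 0
            return 1
        }
        { sub(/\r$/, "") }                  # tolerate CRLF line endings
        /^[ \t]*(#.*)?$/ { next }           # skip blank lines and comments
        !valid($0) { rejected++; next }     # anything else must be a CIDR
        !seen[$0]++ { net[++kept] = $0 }    # de-duplicate
        END {
            if (kept == 0) exit 1
            print "create " s " hash:net family inet"
            print "create " s "_new hash:net family inet"
            print "flush " s "_new"
            for (i = 1; i <= kept; i++) print "add " s "_new " net[i]
            print "swap " s "_new " s       # atomic replacement of the live set
            print "destroy " s "_new"
            printf "kept=%d rejected=%d\n", kept, rejected > "/dev/stderr"
        }'
}

# Constructed sample input standing in for a downloaded .zone file.
sample_zone() {
    printf '%s\n' '1.2.3.0/24' '# comment' '' '10.0.0.0/8' '1.2.3.0/24' \
        '999.1.1.0/24' '5.6.7.0/33' '0.0.0.0/0' '8.8.8.0/24 extra-token'
}

# Assumed usage on the router (zone URL as in the first post):
#   wget -q -O - <zone URL> | build_restore geoAllowIP | ipset -exist restore
```

The set only takes effect once an iptables rule references it, as in the `! match-set` listing above.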
 
