Blocking access from Russia to our servers on invasion of Ukraine

I am responsible for various more or less popular web sites. I am the developer of tools for IP based Geo-blocking and Geo-routing on FreeBSD servers. These tools can be easily employed for Geo-blocking Russia at the firewall IPFW. Here I show how.

1. Enter the terminal of your FreeBSD server and become root.
2. Install the sysutils/ipdbtools from the ports or the pkg repository:
     pkg install ipdbtools
  ipdb-update.sh
3. Add to your stateful ipfw(8) configuration the following commands which utilize the IP lookup tool ipup(1) for generating the block table – this must come before any rules allowing any traffic:
     ...
  /sbin/ipfw -q table all destroy
  ...
  ...
  # Geo blocking of Russia using an ipfw table
  /sbin/ipfw -q table 66 create
  /usr/local/bin/ipup -t RU -n 66 | /sbin/ipfw -q /dev/stdin
  /sbin/ipfw -q add 66 deny tcp from table\(66\) to any in recv $LAN setup
  /sbin/ipfw -q add 66 deny udp from table\(66\) to any in recv $LAN

It is quite easy to add more pariahs to the block table 66 as well. For example, in case China decides to invade Taiwan, we would add it like follows:
  ...
  /usr/local/bin/ipup -t RU,CN -n 66 | /sbin/ipfw -q /dev/stdin
  ...

Update 2022-02-21

Alright, the invasion is going to happen and Russia is blocked on my sites from now on.

Russian citizens who use VPN for circumventing the block, are welcome, because they show to some extend that they do not abide to everything enforced by their regime.

Copyright © Dr. Rolf Jansen - 2022-02-17 21:19:12

Discussion on Twitter: 1494420687095803910