Firewall management
Similar subject: Block registration from the country by removing it from registration list
The firewall uses subdomain lists. We will use the example domain market.com:
- List "common" - common subdomains like www.market.com, market.com, sandbox.market.com etc.
- List "admin" - admin.market.com access
- Optional lists: admin2, admin3 etc. to make access more granular for multiple admin servers in different countries/continents
If you need more granular access control for subdomains, let us know.
Each list has a default value:
- allow (allow all except blocked)
- deny (block all except allowed)
- removed (default settings deactivated)
Lists are executed in order (example for admin):
- admin.country
- admin.range (overrides country!!!)
!!! IMPORTANT !!! DON'T USE A DEFAULT in the range list without fully understanding the implications. In most cases you will be OK just deactivating the range list's default altogether.
Examples for admin
Block all traffic except 123.123.12.12
- admin.country - irrelevant, you can leave it as is.
- admin.range - default deny, 123.123.12.12 allow (country settings will be completely overridden)
Allow all traffic from everywhere
- admin.country - default inactive, entries with deny removed
- admin.range - default inactive, entries with deny removed
Allow all traffic from UK, block the rest
- admin.country - default deny, UK allow
- admin.range - default inactive, UK entries with deny removed
Allow all traffic from UK, but block single UK IP: 110.23.23.23
- admin.country - default deny, UK allow
- admin.range - default inactive, 110.23.23.23 deny
Allow all traffic except UK
- admin.country - default allow, UK deny
- admin.range - default inactive, entries with deny removed
Allow all traffic except UK, allow single UK IP: 110.23.23.23
- admin.country - default allow, UK deny
- admin.range - default inactive, 110.23.23.23 allow
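The evaluation order behind the examples above, as an added sketch (not the firewall's own code). The function names, the GeoIP table and the sample addresses' countries are constructed; the sketch assumes that a list with a removed default and no matching entry makes no decision, and that traffic is allowed when neither list decides, as the "Allow all traffic from everywhere" example implies.

```python
import ipaddress

# Constructed stand-in for a GeoIP database (sample data, not real allocations).
GEOIP = {"110.23.0.0/16": "UK", "123.123.0.0/16": "DE"}

def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, country in GEOIP.items():
        if addr in ipaddress.ip_network(net):
            return country
    return None  # GeoIP has no answer (internal ranges, for example)

def eval_country(lst, ip):
    """Return 'allow', 'deny', or None when the list makes no decision."""
    return lst["entries"].get(country_of(ip)) or lst["default"]

def eval_range(lst, ip):
    addr = ipaddress.ip_address(ip)
    hits = [(ipaddress.ip_network(net), action)
            for net, action in lst["entries"].items()
            if addr in ipaddress.ip_network(net)]
    if hits:
        # Assumption: the most specific matching range wins.
        return max(hits, key=lambda h: h[0].prefixlen)[1]
    return lst["default"]  # None when the default is "removed"

def decide(country_list, range_list, ip):
    """admin.country runs first; any admin.range decision overrides it."""
    verdict = eval_country(country_list, ip)
    range_verdict = eval_range(range_list, ip)
    if range_verdict is not None:
        verdict = range_verdict
    return verdict or "allow"  # assumption: no decision at all means allow

if __name__ == "__main__":
    uk_only = {"default": "deny", "entries": {"UK": "allow"}}
    one_ip_blocked = {"default": None, "entries": {"110.23.23.23": "deny"}}
    range_default_deny = {"default": "deny", "entries": {"123.123.12.12": "allow"}}
    for ip in ("110.23.1.1", "110.23.23.23", "123.123.12.12"):
        print(ip, country_of(ip),
              "| UK only, one IP blocked:", decide(uk_only, one_ip_blocked, ip),
              "| range default deny:", decide(uk_only, range_default_deny, ip))
```

With a default set on the range list, the UK allow entry in admin.country never takes effect, which is the behaviour the IMPORTANT note warns about.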
Whenever possible, block ranges, not countries, for admin access:
- Country GeoIP databases certainly lag behind with updates
- Proxy and VPN providers might have misleading location info
- GeoIP will not protect against reserved/military/governmental/corporate IPs
- GeoIP doesn't work on local networks, company VPN infrastructure etc.
- GeoIP doesn't work on internal IP ranges.