David Foxworth
Wanted to offer up a suggestion concerning the firewall and use of ipsets. I see currently it is configured to block China, Russia, Palestine, N Korea, Ukraine, Moldavia.
Anyway, rather than blocking those countries specifically, how about using this type of logic:
/sbin/iptables -A INPUT -p tcp -m set ! --match-set us src -j DROP
/sbin/iptables -A INPUT -p udp -m set ! --match-set us src -j DROP
This is using the reverse logic of "! --match-set", in other words drop all packets that are not from the US. I realize this would only work for someone in the US that wanted to block all other countries but the US. In my case, I don't have any reason for International calls and therefore no reason to connect to a SIP provider outside the US.
I realize this is extreme and probably not for everyone, just a thought though...
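Added example, not part of the original post: a dry-run generator for the allowlist approach described above. It prints `ipset restore` input and the iptables rules without touching the firewall. A country zone file never lists loopback or private LAN ranges, so the inverted match would drop those sources unless earlier rules accept them. The set name `us` is from the post; the temporary set `us-new`, the function names, the conntrack rule and the sample CIDRs are assumptions.

```shell
#!/bin/sh
# Added example: prints text only, changes no firewall state.
# Set name "us" is from the post; "us-new" and the sample data are assumptions.

# Sources a country zone file never lists but the host still needs to hear from.
LOCAL_NETS="127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Read CIDRs on stdin, emit input for: ipset restore -exist
gen_restore() {
    echo "create us hash:net family inet"
    echo "create us-new hash:net family inet"
    echo "flush us-new"
    for net in $LOCAL_NETS; do echo "add us-new $net"; done
    # Keep only well-formed IPv4 CIDR lines; comments, blanks and junk are skipped.
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' |
        while read -r net; do echo "add us-new $net"; done
    # Swap atomically so the live set is never empty during a reload;
    # an empty "us" set combined with "! --match-set" would drop everything.
    echo "swap us-new us"
    echo "destroy us-new"
}

# Emit the rules in the order they must be appended.
gen_rules() {
    # Assumption: accept replies to connections this host opened (DNS,
    # package mirrors) before the allowlist drop is evaluated.
    echo "/sbin/iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # The two rules from the post: drop anything whose source is not in "us".
    echo "/sbin/iptables -A INPUT -p tcp -m set ! --match-set us src -j DROP"
    echo "/sbin/iptables -A INPUT -p udp -m set ! --match-set us src -j DROP"
}

# Constructed sample zone data (documentation ranges, not real US allocations).
sample_zone() {
    printf '%s\n' '# constructed sample' '198.51.100.0/24' '203.0.113.0/24' 'not-a-cidr' ''
}

# Dry run: review the output before feeding it to ipset or running the rules.
sample_zone | gen_restore
gen_rules
```

Because `-A` appends, any ACCEPT rule already earlier in INPUT still wins over the two DROP rules.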