How to restrict access from some geographic zone?

Hi.
I’m a happy Comodo firewall user.
I’m just wondering if there is an easy way to prevent incoming connections from some geographic zone, let’s say, for example, Russia or China.
Best regards.

I mean something like this:
http://www.lonewolfdesigns.co.uk/block-website-access-country/
But for the firewall.

It would require multiple entries per country, as multiple address ranges are assigned to each country.

As an example, Djibouti is a smallish African country that is assigned the following address ranges (shown in CIDR format where the last value is the number of bits assigned within the range):
41.189.224.0/19
91.151.146.64/29
193.251.143.0/24
193.251.167.0/26
193.251.167.64/27
193.251.167.96/28
193.251.224.0/25
193.251.224.128/26
193.251.224.192/28
193.251.224.208/29
196.201.192.0/20
213.144.175.0/25
213.187.131.168/29

If you want to block, for example, the Russian Federation, you would need to have 5107 entries.

Please note that blocking by country assigned IP address does not take into consideration that a site owned by a resident of country X could easily be hosted on a server in country Y.

Cheers,
Ewen :slight_smile:
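Added example (not part of the original posts): Python's standard `ipaddress` module applied to the Djibouti list quoted above. It shows that CIDR collapsing alone does not shrink this list, that touching blocks can be folded into fewer start-end ranges for a firewall that accepts address ranges, and how to test whether an address falls inside the list. The function names are illustrative.

```python
import ipaddress

# Djibouti ranges exactly as listed in the post above.
DJIBOUTI_CIDRS = [
    "41.189.224.0/19", "91.151.146.64/29", "193.251.143.0/24",
    "193.251.167.0/26", "193.251.167.64/27", "193.251.167.96/28",
    "193.251.224.0/25", "193.251.224.128/26", "193.251.224.192/28",
    "193.251.224.208/29", "196.201.192.0/20", "213.144.175.0/25",
    "213.187.131.168/29",
]

def load_networks(cidrs):
    """Parse strictly: an entry with host bits set (a typo) raises ValueError."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]

def collapse(networks):
    """CIDR-only merge: joins two blocks only if they form one larger block."""
    return list(ipaddress.collapse_addresses(networks))

def as_ranges(networks):
    """Fold overlapping or touching blocks into (first, last) address pairs."""
    spans = []
    for net in sorted(networks):
        first, last = int(net[0]), int(net[-1])
        if spans and first <= spans[-1][1] + 1:
            spans[-1][1] = max(spans[-1][1], last)   # extend previous span
        else:
            spans.append([first, last])
    return [(str(ipaddress.ip_address(a)), str(ipaddress.ip_address(b)))
            for a, b in spans]

def is_listed(addr, networks):
    """True if addr falls inside any of the listed blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)

NETS = load_networks(DJIBOUTI_CIDRS)

if __name__ == "__main__":
    print(len(NETS), "CIDR entries,", len(collapse(NETS)), "after CIDR collapse")
    for first, last in as_ranges(NETS):
        print(f"{first} - {last}")
```

The same approach scales to a full per-country list, where the saving in rule count matters more.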

OMG, that doesn’t seem “easy” to me. There isn’t an easy way?
What about this:
http://blog.fwbuilder.org/2009/02/how-to-block-ip-addresses-from-any.html
Thank you, Ewen.

AFAIK, there isn’t an easier way to do this in CIS.

The article you linked to is pretty interesting - thanks for the link. Unfortunately, it is suitable only for Unix systems where you are setting up a dedicated firewall for a LAN.

Ewen :slight_smile:

the easy way is simply to block all unrequested ingoing attempts anyway!

do you run a server? make the exceptions.
do you use p2p? make the exceptions.

all other unrequested ingoing requests can be blocked by using the stealth port wizard setting 3: “hide me from everyone”.
it’s so easy :wink:

I agree, but the OP was asking about blocking specific geographic regions, not just unsolicited inbound requests.

yes, but as long as the topic opener doesn’t run a server, maybe he just didn’t realize that (unrequested-)ingoing traffic is not needed at all.

it looked to me as if he was worried about specific traffic, but is not aware that he doesn’t have to worry about any such traffic … by just blocking it in the first place.

in the case that he runs a server, and tries to forbid specific traffic, he has to go the “difficult way”.