dvershinin / fds

The go-to FirewallD CLI app.
https://fds.getpagespeed.com
BSD 2-Clause "Simplified" License

Blocks too invasive #7

Closed zynexiz closed 3 years ago

zynexiz commented 3 years ago

I just tested it on my server/gateway at home, works very well on blocking entire countries. Too well.

It sure does block access from a specific country, but it also blocks outgoing connections to that country. If I block e.g. the US, I cannot access anything coming from there (DuckDuckGo, GitHub etc.). An option to accept RELATED,ESTABLISHED connections should be allowed when initialized from "the inside", and only block access from new connections made from the outside.

dvershinin commented 3 years ago

This shouldn't be the case, because what fds merely does is add the ipset of a country to the drop zone of FirewallD.

The drop zone, as documented here:

drop Any incoming network packets are dropped without any notification. Only outgoing network connections are possible.

It operates on incoming traffic. There's no blocking of outgoing traffic to begin with.

I'd suspect your test was flawed in some way.

zynexiz commented 3 years ago

Not sure how the drop zone handle related connections, have to look into that. It seems that the traffic out works, but the returning data is dropped because of the rules.

dvershinin commented 3 years ago

You may be thinking in iptables terms. Even then this seems incorrect to me.

ESTABLISHED or RELATED, as explained here, are for when the packets either flow in two ways or are marked as related.

When you use the GitHub API on your own server, for example, there is no connection back from GitHub servers to the requesting side (your server), so it's a purely outgoing connection. :/
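The disagreement above comes down to rule order: whether reply packets of a connection the host itself opened hit a conntrack ESTABLISHED,RELATED accept before the drop-zone ipset rule is consulted. The following is an added example (not fds code, and not taken from a real host) that traces packets through a ruleset constructed to resemble the INPUT path of firewalld's nftables backend, where filter_INPUT accepts established/related state before jumping to the zone dispatch chain. The chain names, the set name `fds_us`, its contents (RFC 5737 documentation ranges) and the packets are all assumptions; the second ruleset variant strips the conntrack shortcut to show the shape in which the reported symptom (replies to outbound connections dropped) would actually occur.

```python
"""Trace packets through a firewalld-style nftables INPUT path.

Added example, not fds code. RULESET is constructed to resemble the chains
firewalld's nftables backend installs when an ipset is bound to the drop
zone; chain names, the set name "fds_us" and all addresses are assumptions.
"""
import ipaddress
import re

# Constructed: only the chains on the INPUT path, in the assumed order.
RULESET = {
    "filter_INPUT": [
        "ct state { established, related } accept",   # conntrack shortcut
        "ct state invalid drop",
        'iifname "lo" accept',
        "jump filter_INPUT_ZONES",                     # zone dispatch
        "reject",
    ],
    "filter_INPUT_ZONES": [
        "ip saddr @fds_us goto filter_IN_drop",        # ipset bound to the drop zone
        'iifname "eth0" goto filter_IN_public',
        "goto filter_IN_public",
    ],
    "filter_IN_drop": ["drop"],
    "filter_IN_public": ["tcp dport 22 accept", "reject"],
}

# Constructed set contents: RFC 5737 documentation ranges, not real country data.
SETS = {"fds_us": ["203.0.113.0/24", "198.51.100.0/24"]}

RULE_RE = re.compile(r"^(?P<match>.*?)\s*(?P<verdict>accept|drop|reject|jump \S+|goto \S+)$")


def in_set(addr, name):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(cidr) for cidr in SETS[name])


def rule_matches(match_text, pkt):
    """Check every match clause the rule carries against the packet."""
    m = re.search(r"ct state (\{[^}]*\}|\S+)", match_text)
    if m and pkt["state"] not in {s.strip() for s in m.group(1).strip("{}").split(",")}:
        return False
    m = re.search(r"ip saddr @(\S+)", match_text)
    if m and not in_set(pkt["saddr"], m.group(1)):
        return False
    m = re.search(r'iifname "([^"]+)"', match_text)
    if m and pkt["iif"] != m.group(1):
        return False
    m = re.search(r"tcp dport (\d+)", match_text)
    if m and (pkt.get("proto"), pkt.get("dport")) != ("tcp", int(m.group(1))):
        return False
    return True


def walk(pkt, chain, ruleset, depth=0):
    """Return (verdict or None, trace). None means the chain fell through."""
    if depth > 16:
        raise RuntimeError("chain recursion too deep")
    for rule in ruleset[chain]:
        parsed = RULE_RE.match(rule)
        if not rule_matches(parsed.group("match"), pkt):
            continue
        verdict = parsed.group("verdict")
        hit = [f"{chain}: {rule}"]
        if verdict in ("accept", "drop", "reject"):
            return verdict, hit
        action, target = verdict.split()
        sub, sub_trace = walk(pkt, target, ruleset, depth + 1)
        if sub is not None or action == "goto":   # goto never returns to the caller
            return sub, hit + sub_trace
    return None, []


def decide(pkt, ruleset=RULESET):
    """Final verdict for a packet entering filter_INPUT (base policy: accept)."""
    verdict, trace = walk(pkt, "filter_INPUT", ruleset)
    return verdict or "accept (policy)", trace


def conntrack_shortcut_precedes_zones(ruleset):
    """True if established/related traffic is accepted before zone dispatch."""
    rules = ruleset["filter_INPUT"]
    shortcut = [i for i, r in enumerate(rules) if "established" in r and r.endswith("accept")]
    dispatch = [i for i, r in enumerate(rules) if r == "jump filter_INPUT_ZONES"]
    return bool(shortcut and dispatch) and shortcut[0] < dispatch[0]


def ruleset_without_conntrack_shortcut():
    """Variant in which the symptom from the issue (reply traffic dropped) appears."""
    rs = {k: list(v) for k, v in RULESET.items()}
    rs["filter_INPUT"] = [r for r in rs["filter_INPUT"] if "established" not in r]
    return rs


# Constructed packets. "state" is what conntrack would report for each one.
INBOUND_NEW = {"saddr": "203.0.113.10", "iif": "eth0", "state": "new",
               "proto": "tcp", "dport": 22}          # outside host opens a connection to us
REPLY_TO_OURS = {"saddr": "203.0.113.10", "iif": "eth0", "state": "established",
                 "proto": "tcp", "dport": 51234}     # reply to a connection we opened
INBOUND_NEW_OTHER = {"saddr": "192.0.2.7", "iif": "eth0", "state": "new",
                     "proto": "tcp", "dport": 22}    # source outside the blocked set

if __name__ == "__main__":
    for label, pkt in [("new from blocked", INBOUND_NEW), ("reply from blocked", REPLY_TO_OURS),
                       ("new from elsewhere", INBOUND_NEW_OTHER)]:
        print(label, "->", decide(pkt))
    print("reply, shortcut removed ->", decide(REPLY_TO_OURS, ruleset_without_conntrack_shortcut()))
```

With the shortcut in place the new inbound SYN from the blocked range reaches `filter_IN_drop`, while the reply to a connection the host opened is accepted on the first rule of `filter_INPUT` and never sees the ipset; remove that rule and the same reply is dropped, which is the behaviour zynexiz describes. To check a real host rather than this constructed model, compare against `nft list chain inet firewalld filter_INPUT` (nftables backend) or `iptables -S INPUT` (iptables backend) and confirm the conntrack accept rule sits above the zone dispatch.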