A nice feature on VyOS 1.4 would be to be able to create country code groups via GeoIP. For example:
set firewall group geoip-group GEOIP_BL country 'ru'
set firewall group geoip-group GEOIP_BL country 'jp'
set firewall group geoip-group GEOIP_BL country 'cn'
set firewall group geoip-group GEOIP_BL continent 'asia'
# Blacklist GeoIP
set firewall name WAN-LAN rule 1 source group geoip-group 'GEOIP_BL'
set firewall name WAN-LAN rule 1 action 'drop'
set firewall name WAN-LAN rule 1 log 'enable'
set firewall name WAN-LAN rule 1 description 'Drop GEOIP_BL'
This would make it possible to have just one rule instead of numerous rules like this one:
set firewall name WAN-LAN rule 1 source geoip country-code 'cn'
set firewall name WAN-LAN rule 1 action 'drop'
set firewall name WAN-LAN rule 1 log 'enable'
set firewall name WAN-LAN rule 1 description 'Drop China from WAN'
Thank you for your feature suggestion regarding creating country code groups via GeoIP in VyOS 1.4. Your English is perfectly fine, so no need to apologize! If you have any more suggestions or feedback, please don’t hesitate to share them. We value your input.
As far as I know, we can't implement GeoIP with the ipset command on VyOS 1.2/1.3. But on VyOS 1.4, iptables was switched to nftables. The ipset command is gone.
# set a firewall group
set firewall group network-group geoip_us
# Shell script to loop-add the network ranges with ipset (set name must match the group above)
for network in $(cat /config/usipranges.txt); do sudo ipset add geoip_us "$network"; done
ipset loads the IP networks very fast.
The question is how to loop-add network groups with an ipset-like command on VyOS 1.4?
Maybe moving GeoIP to groups is the better option for re-use, because the current implementation creates a set for every rule which uses GeoIP.
So, if we create n rules using the same GeoIP group, it will generate n sets, which will have different names but all contain the same IPs.
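The two posts above ask how to bulk-load country prefixes into nftables on 1.4 and point out that the built-in GeoIP match creates one set per rule. The script below is an added example (not code from the thread or from VyOS): it turns a plain prefix list into a single nft batch file defining one named interval set that several rules reference, so the prefixes are loaded once. The table name `geoip_example`, the set name, and the prefix list are constructed for the example.

```sh
#!/bin/sh
# Added example: build one nftables batch from a file of IPv4 CIDRs so a single
# named set can be reused by many rules. Names and sample data are constructed.

# Constructed sample prefix list (RFC 5737 documentation ranges), one per line;
# blank lines, '#' comments and malformed entries are dropped before loading.
SAMPLE_PREFIXES='# constructed sample list
192.0.2.0/24
198.51.100.0/24

203.0.113.0/24
not-a-prefix'

# Keep only lines that look like a.b.c.d/n with n in 0..32 (reads stdin).
filter_cidrs() {
    grep -Ev '^[[:space:]]*(#|$)' |
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Number of usable prefixes in the list on stdin.
count_cidrs() { filter_cidrs | wc -l | tr -d ' '; }

# Emit an nft batch: $1 = set name, $2 = table name, prefixes on stdin.
# One interval set, referenced from both the input and forward chains, so the
# prefixes exist in the kernel exactly once however many rules use them.
# Overlapping prefixes make 'nft -f' fail unless the set also has auto-merge.
gen_geoip_batch() {
    set_name=$1
    table=$2
    elems=$(filter_cidrs | paste -s -d ',' -)
    printf 'table inet %s {\n' "$table"
    printf '  set %s {\n    type ipv4_addr\n    flags interval\n' "$set_name"
    printf '    elements = { %s }\n  }\n' "$elems"
    printf '  chain input {\n    type filter hook input priority 0; policy accept;\n'
    printf '    ip saddr @%s log prefix "geoip-drop " drop\n  }\n' "$set_name"
    printf '  chain forward {\n    type filter hook forward priority 0; policy accept;\n'
    printf '    ip saddr @%s log prefix "geoip-drop " drop\n  }\n}\n' "$set_name"
}

# Usage (on the router): generate the batch from a real list and load it.
#   gen_geoip_batch GEOIP_BL geoip_example < /config/usipranges.txt > /tmp/geoip.nft
#   sudo nft -f /tmp/geoip.nft
```

A separate table name is used so the batch does not touch the tables VyOS generates; whether a hand-loaded table survives a VyOS commit depends on the release, so verify with `sudo nft list table inet geoip_example` after committing.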
Hi @Viacheslav
I want to define a network group such as US_COUNTRY with all IPs in it. If the country is defined as a firewall rule, I can define a network group with PBR. Is there any plan to implement this, or can I do it myself with the nft command?
For my part, I created my account on https://vyos.dev/ more than a week ago to report a few things. Is it normal that it is still in "Wait for Approval" status? It's the Nyxtorm username as well.