SMA GeoIP - not only for remote access
while investigating some ongoing issues on the SMA (500v) it seems it might be related to a suspicion I had in the past about the usage of GeoIP blocking. My GeoIP Blocking Status went from Active to Offline today which raised some concerns. It was back to Active right after reboot, accessing to smabgdata.global.sonicwall.com and geoipdata.global.sonicwall.com was always possible.
Along with most of the other Countries, I usually block the United States of America via GeoIP because I don't expect any remote access from it. But it seems that GeoIP is blocked on iptables level and not just mod_geoip for restricting access to the underlying httpd.
This does not have to be problem, but it seems it interferes with GeoIP, Botnet or License updates.
I would think that GeoIP blocking makes only sense on the iptables INPUT chain for new connections initiated from the Internet, but it may affect related packets on the FORWARD chain as well, which is a show stopper.
Let's check what the syslog shows:
Jan 30 11:15:09 xx.xx.xx.xx kernel: DROP_BY_IPTABLES c=1003 IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
SRC=18.104.22.168 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP
SPT=443 DPT=54990 WINDOW=8192 RES=0x00
ACK URGP=0 time="2021-01-30 11:15:09" vp_time="2021-01-30 10:15:09 UTC"
The log on the SMA is giving me mixed signals about Allowing/Blocking connections.
It might be a surprise to some people, but blocking connections from the USofA is a legit measure of risk reduction.
It might be related with this as well:
Is this already addressed in some form? As a countercheck I'll (against my better knowledge) allow the USofA via GeoIP.