Firewall Rules - GeoIP don't Work

marcionunes · October 17, 2019, 6:20pm

Hello,

We have big problem with firewall rules.
All request mach work, but not GeoIP.

Rule to allow access URI wp-admin or wp-login.php when country is in Brazil, after other rule with denied access to wp-login and wp-admin for all countries does not equal Brazil
In overview, I can see allow for any countries.

If create first rules for denied access to country “is not in” or “does not equal” Brazil (try 2 machs), the access is denied for all countries, but to Brazil too.

My account have actived GeoIP.

Can help, please?

sandro · October 17, 2019, 6:21pm

Can you post screenshots of your firewall rule list plus of the individual rules?

marcionunes · October 17, 2019, 6:30pm

I edited 2nd rule without specific country for block.
Still not working.

marcionunes · October 17, 2019, 6:32pm

marcionunes · October 17, 2019, 6:33pm

marcionunes · October 17, 2019, 6:34pm

This log is recent. Here I can see access from Ukraine, Russian, etc

sandro · October 17, 2019, 6:34pm

The first rule will basically allow all requests for *wp-login.php*. Furthermore it will allow all requests for *wp-admin* which orignate from Brazil. Is this what you wanted?

sandro · October 17, 2019, 6:35pm

Sure, because you first rule explicitly allows that.

So what is it you want? Block these URLs for all countries except Brazil?

marcionunes · October 17, 2019, 6:35pm

Yes, that’s it.
The main thing is to deny from other countries

marcionunes · October 17, 2019, 6:38pm

Sorry, my first rule explicitly allows wp-admin and wp-login ONLY from Brazil

sandro · October 17, 2019, 6:39pm

It does not I am afraid. Your logical operators are wrong.

You are probably after

(http.request.uri.path eq "/wp-login.php" or http.request.uri.path contains "wp-admin") and ip.geoip.country ne "BR"

then block.

marcionunes · October 17, 2019, 6:40pm

How fix?

sandro · October 17, 2019, 6:40pm

Ehm, precisely what I already wrote.

marcionunes · October 17, 2019, 6:42pm

My first rule already is
(http.request.uri.path eq “/wp-login.php” or http.request.uri.path contains “wp-admin”) and ip.geoip.country ne “BR” (Allow)
2nd rule
(http.request.uri contains “wp-login.php”) or (http.request.uri contains “wp-admin”) (Block)

Why any country have access?

sandro · October 17, 2019, 6:43pm

No, your first rule is not anything like this.

Drop your first and second rule and create one only with the expression I posted above.

marcionunes · October 17, 2019, 6:47pm

Change rule, now just this:
(http.request.uri contains “wp-login.php”) or (http.request.uri contains “wp-admin” and ip.geoip.country ne “BR”)

and, denied access from Brazil!

sandro · October 17, 2019, 6:48pm

Again, that is not the rule I posted. Not even remotely.

marcionunes · October 17, 2019, 6:48pm

My server is in Germany, but it is whitelisted already.

sandro · October 17, 2019, 6:51pm

As long as you dont implement the rule properly you wont get it to work

portalviu · October 17, 2019, 7:21pm

Using
(http.request.uri.path eq “/wp-login.php” or http.request.uri.path contains “wp-admin”) and ip.geoip.country ne “BR”

and denied access from Brazil

(Sorry my user is blocked for new replys for 23 users)