geoip-shell geoblocks ICMP pings
I have geoblocking only active for tcp port 43821. But it also blocks ICMP pings not coming from AT.
geoip-shell v0.7.6 status:
Firewall backend: nftables
IP lists source: maxmind
Geoblocking rules applied to network interfaces: br0
nftables sets optimization policy: performance
LAN subnets automatic detection: Off
Cron system service: ✔
Update cron job: ✔
Update schedule: '10 4 * * *'
Last successful update: Nov-26-2025 09:43:41
Persistence cron job: ✔
Automatic backup of IP lists: On
inbound geoblocking:
Mode: whitelist
Country codes: AT ✔
IP families: ipv4 ✔
Allowed IPs (includes link-local IPs, trusted IPs, LAN IPs):
ipv4: 10.0.0.0/8 100.64.0.0/10 169.254.0.0/16 192.168.0.0/24
Protocols:
tcp: Geoblocking only destination ports 43821
udp: *Geoblocking inactive*
Geoblocking firewall chain: enabled ✔
whitelist blocking rule: ✔
outbound geoblocking:
Mode: disable
No problems detected.
Hi, thanks for reporting this.
What do you think would be the best way to address this issue? Allowing all ICMP packets through the geoblocking filter?
Or adding ICMP to configurable protocols, as implemented with TCP and UDP? Of course, ICMP has no ports, so the command would look like geoip-shell configure -p icmp:allow or geoip-shell configure -p icmp:block. Technically, it is possible to implement granular rules to geoblock or allow certain ICMP types, but I don't think that this would be useful.
Yeah, simply allowing or blocking ICMP would be great. I assume this would be allowed globally then? Or could the following scenario then also be solved: My servers, where geoip-shell is running, are located in DE. I am in AT. I want my SSH port (tcp:allow:<port>) only to be reachable from AT. But for health checks my servers must be able to ping each other (DE to DE). But as there is only one country list I guess this would not be possible?
This feature is implemented in current main branch. Could you test and confirm?
To download and extract this pre-release version, use the commands:
curl -L "https://api.github.com/repos/friendly-bits/geoip-shell/tarball/24ca804bddb51b9a1ca518905690c3887b1b2c6a" > geoip-shell.tar.gz
tar -zxvf geoip-shell.tar.gz
I assume this would be allowed globally then?
I'm not sure what you mean by 'globally', but this option, as currently implemented, makes ICMP traffic bypass the geoblocking filter following the command geoip-shell configure -p icmp:allow (by default for inbound traffic, or if the -D option is used then for the specified direction).
My servers where geoip-shell is running on are located in DE. I am in AT. I want my SSH port (tcp:allow:<port>) only to be reachable from AT. But for health checks my servers must be able to ping each other (DE to DE). But as there is only one country list I guess this would not be possible?
You cannot both block and not block DE. What you can do is:
- allow ICMP
- and/or add your other servers' IP addresses to trusted addresses with `geoip-shell configure -t "<[ip] [ip] ...>"`
- and/or do the same via the local allowlist feature, as explained in the README
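An illustrative nftables ruleset, added here and not the rules geoip-shell actually generates, showing why ICMP falls through to the whitelist drop when only tcp dport 43821 is geoblocked, and the kind of bypass rule the icmp:allow option is described as adding. The table and chain names, hook priority and the single sample AT prefix are assumptions; the allowed subnets, interface and port are taken from the status output above.

```nft
# Illustrative ruleset mirroring the status above: inbound whitelist,
# country AT, interface br0, geoblocking only tcp dport 43821.
# Not geoip-shell's own rules; names and priority are assumptions.
table inet geoblock_demo {
    set at_ipv4 {
        type ipv4_addr
        flags interval
        # constructed sample prefix; a real AT list has many entries
        elements = { 193.0.0.0/8 }
    }
    set allowed_ipv4 {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/24 }
    }
    chain inbound {
        type filter hook input priority filter - 1; policy accept;
        iifname != "br0" accept
        ct state established,related accept
        ip saddr @allowed_ipv4 accept

        # Protocol scoping: only tcp dport 43821 is meant to be geoblocked.
        # Other tcp ports and all udp skip the filter, but ICMP is neither
        # tcp nor udp, so without an explicit rule it reaches the drop below.
        tcp dport != 43821 accept
        meta l4proto udp accept

        # Equivalent of `geoip-shell configure -p icmp:allow`: let ICMP bypass
        # the country filter (pings from DE servers then succeed).
        meta l4proto { icmp, ipv6-icmp } accept

        # Whitelist blocking rule: drop anything not from AT.
        ip saddr != @at_ipv4 drop
    }
}
```

Removing the ICMP accept rule reproduces the behaviour reported at the top of the thread: pings from non-AT sources are dropped even though only one tcp port is geoblocked.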