Country block lists are indeed a thing. I use them

In reply to a post by DFScale:

Not possible to use a firewall to bock by country. The internet is not organised in that way.

Oh no! Better stop doing that then.

In reply to a post by nofappingway:

Country block lists are indeed a thing. I use them

So when I’m at work, in an office in central London, my internet appears to be from the USA. The internet connection routes into LINX at Telehouse, but the IP address is owned by our head office in US. Too many websites (including Google maps) think we are in the USA, and others deny access.

Geo-IP is mostly a guessing game

It is indeed imperfect......but it stops over 99% of the noise from bad actors in 'those countries'

Infected computers on broadband… it just about helps. Email industry decided to “very low score” all broadband IPs to try and solve one problem.

In reply to a post by nofappingway:

Country block lists are indeed a thing. I use them

They might exist and you might use them. But it is still not possible to use a firewall to bock by country. The internet is not organised in that way.

You are just using some snake oil with no idea of your false positives and false negatives.

The draytek can easily block by country,

https://www.draytek.co.uk/support/guides/kb-firewall...

In reply to a post by andew:

The draytek can easily block by country,

https://www.draytek.co.uk/support/guides/kb-firewall...

Well, yes, it is easy to set up. But the internet is not organised by country, so it cannot be fully doing what it purports to do. Plus, with VPN's, you can choose to have your traffic appear to come from anywhere in the world you choose. It's delusion, firstly that the country blocklist is even relatively free of false positives and negatives and secondly that an IP address for a whitelisted country is not a VPN front for a blacklisted country.

It is false comfort.

It isn't false comfort. By blocking by "country" you are able to exclude a large percentage of hackers from Russia and China. Some will still get in. Some people in allowed countries will not be able to access. But, as a blunt tool it can help in giving a level of protection that is probably about 80-90% accurate.

I have done a similar configuration in the past, but to a rpi instead of a NAS.

80 and 443 redirect to the rpi, and my 2925's web interface is on 8080.

Used NAT | Open Ports and had an entry for 80 TCP/UPD to the static IP of the rpi
WAN interface: WAN1
Source IP: Any

repeated for 443