Country Settings

• Do not block any country that hosts the mirrors your server pulls yum or apt-get updates from; otherwise yum or apt-get will fail when fetching package updates.
• Country and ASN blocks apply to incoming connections only.

How to get a MaxMind License Key

  1. Sign up for the free license key here.
  2. Generate a license key here. (When asked "Will this key be used for geoipupdate?", choose: no.)
  3. Navigate to Juggernaut Firewall -> Settings -> Country Settings and enter the license key under MaxMind license key.

Country Provider Settings

Country source - CC_SRC
The source for where CSF downloads its country databases.
Default: 1 (MaxMind)

MaxMind license key - MM_LICENSE_KEY
MaxMind requires you to create a free account on their site and to generate a license key to use their GeoLite2 databases.
Default: empty

Country Settings

Deny countries to all ports - CC_DENY
Deny whole country or ASN CIDR ranges. The CIDR blocks are generated from the MaxMind GeoLite Country database http://dev.maxmind.com/geoip/legacy/geolite/ and rely entirely on that service being available.
Default: empty

Allow countries through all ports - CC_ALLOW
Allow whole country or ASN CIDR ranges. Warning: this option allows access through all ports in the firewall.
Default: empty

Only allow countries and filter - CC_ALLOW_FILTER
Only allow access from the following countries or ASNs, but still filter based on the port and packet rules. All other connections are dropped.
Default: empty

LFD blocking ignore countries - CC_IGNORE
Prevent the login failure daemon from blocking IP address hits for the following countries or ASNs. CC_LOOKUPS must be enabled to use this option.
Default: empty

Ignore CIDR blocks smaller than - CC_DROP_CIDR
Ignore CIDR blocks smaller than this value when implementing CC_DENY / CC_ALLOW / CC_ALLOW_FILTER. This can help reduce the number of CC entries and may improve iptables throughput. This will deny/allow fewer IP addresses depending on how small you configure the option. Set to None to block all CC IP addresses.
Default: empty

IPv4 address lookups - CC_LOOKUPS
Display Country Code and Country for reported IP addresses. This option can be configured to use the MaxMind GeoLite Country database or the more detailed MaxMind GeoLite City database at http://dev.maxmind.com/geoip/legacy/geolite/
Default: 1 Range: 0-3

IPv6 address lookups - CC6_LOOKUPS
Display Country Code and Country for reported IPv6 addresses using the MaxMind Country IPv6 Database. This option must also be enabled to provide IPv6 support for CC_*, MESSENGER and PORTFLOOD.
Default: 0

MaxMind DB retrieval interval - CC_INTERVAL
How often (in days) the login failure daemon will retrieve the MaxMind GeoLite Country database for CC_ALLOW, CC_ALLOW_FILTER, CC_DENY, CC_IGNORE and CC_LOOKUPS.
Default: 7 Range: 1-31

Allow Countries to Port Settings

Allow countries to ports - CC_ALLOW_PORTS
Allow access from the following countries or ASNs to the specific ports listed in CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP.
Default: empty

Allow countries to TCP ports - CC_ALLOW_PORTS_TCP
Allow access to the following TCP ports from the CC_ALLOW_PORTS countries. All listed ports should be removed from TCP_IN to block access from elsewhere.
Default: empty

Allow countries to UDP ports - CC_ALLOW_PORTS_UDP
Allow access to the following UDP ports from the CC_ALLOW_PORTS countries. All listed ports should be removed from UDP_IN to block access from elsewhere.
Default: empty

Deny Countries to Port Settings

Deny countries to ports - CC_DENY_PORTS
Deny access from the following countries or ASNs to the specific ports listed in CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP.
Default: empty

Deny countries to TCP ports - CC_DENY_PORTS_TCP
Deny access to the following TCP ports from the CC_DENY_PORTS countries. All listed ports should NOT be removed from TCP_IN.
Default: empty

Deny countries to UDP ports - CC_DENY_PORTS_UDP
Deny access to the following UDP ports from the CC_DENY_PORTS countries. All listed ports should NOT be removed from UDP_IN.
Default: empty
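
Several settings above depend on each other: the MaxMind key, CC_IGNORE needing CC_LOOKUPS, and the opposite TCP_IN/UDP_IN rules for allow-to-port and deny-to-port lists. The following is an added example, not part of Juggernaut Firewall or CSF, that checks those rules against configuration text. It assumes the csf.conf KEY = "value" line syntax; the sample values, the XX/YY country codes and the function names are constructed for illustration.

```python
import re

# Constructed sample in csf.conf KEY = "value" syntax; XX/YY are placeholder codes.
SAMPLE_CONF = '''
CC_SRC = "1"
MM_LICENSE_KEY = ""
TCP_IN = "22,80,443,2087"
UDP_IN = "53"
CC_DENY = "XX"
CC_IGNORE = "US"
CC_LOOKUPS = "0"
CC_ALLOW_PORTS = "US,CA"
CC_ALLOW_PORTS_TCP = "22,2087"
CC_DENY_PORTS = "YY"
CC_DENY_PORTS_TCP = "25"
'''

def parse_conf(text):
    """Return {KEY: value} for each KEY = "value" line; comment lines are skipped."""
    return dict(re.findall(r'^[ \t]*([A-Z0-9_]+)[ \t]*=[ \t]*"([^"]*)"', text, re.M))

def ports(value):
    """Split a comma-separated port list; ranges are kept as literal tokens."""
    return {p.strip() for p in value.split(",") if p.strip()}

def lint(conf):
    """Check the cross-setting rules stated on this page; return a list of findings."""
    get = lambda key: conf.get(key, "").strip()
    findings = []
    cc_keys = ("CC_DENY", "CC_ALLOW", "CC_ALLOW_FILTER", "CC_ALLOW_PORTS", "CC_DENY_PORTS")
    if get("CC_SRC") == "1" and not get("MM_LICENSE_KEY") and any(get(k) for k in cc_keys):
        findings.append("MM_LICENSE_KEY is empty but MaxMind (CC_SRC=1) country lists are in use")
    if get("CC_IGNORE") and get("CC_LOOKUPS") == "0":
        findings.append("CC_IGNORE is set but CC_LOOKUPS is not enabled")
    for proto in ("TCP", "UDP"):
        open_in = ports(get(f"{proto}_IN"))
        if get("CC_ALLOW_PORTS"):
            # Ports still in *_IN stay reachable from every country.
            for p in sorted(ports(get(f"CC_ALLOW_PORTS_{proto}")) & open_in):
                findings.append(f"{proto} port {p} is in CC_ALLOW_PORTS_{proto} and still in {proto}_IN")
        if get("CC_DENY_PORTS"):
            # Per the page, denied ports should stay listed in *_IN.
            for p in sorted(ports(get(f"CC_DENY_PORTS_{proto}")) - open_in):
                findings.append(f"{proto} port {p} is in CC_DENY_PORTS_{proto} but not in {proto}_IN")
    return findings

if __name__ == "__main__":
    for finding in lint(parse_conf(SAMPLE_CONF)):
        print("WARN:", finding)
```

Port ranges are compared as literal tokens, so a port that falls inside a range listed in TCP_IN or UDP_IN is not detected by this check.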