Consider a GeoIP package allowing for firewall filtering by Country
I'm against that. It is completely useless, and it tends to racism.
lmao, oh god, political correctness has now extended to routers.....
There are very good reasons for country blocking, first and foremost is for many people there's absolutely zero need to allow ANY kind of incoming traffic from overseas. All of our routers i'd absolutely like to do a simple chain=input src-country!=Australia action=drop. There's absolutely zero need for anyone in any other country to have any kind of input to our routers, except maybe ICMP. I'm not peering directly overseas, nobody will ever need to login or establish VPN's from overseas etc
Ideally this would pull data periodically from a central MikroTik server similar to DDNS which would make it more effective than just using fixed address-lists
That's a very simple and effective rule that would drastically reduce any vulnerabilities whilst simplifying management. If you feel thats racist well.... thats your problem
My first claim is that it is useless. And I will explain that:
You have not defined what "the country of an IP address" is, and neither has the internet.
Do you want it to refer to the physical location of the system having that address, the citizensship of the owner of that system, or its network? Or of the system's user?
E.g. when you think "I only want to receive mail from people in Australia so I will block all mail from servers in other countries" but that will fail because people in Australia might (even unknown to themselves) have their mail server located in another country.
Similar for websites. "I want my users only to see websites from Australia" might look easy to do with such a list, but it isn't. The list will not refer to the content of the site, nor to the owner/operator of that site, but (at best) only to the physical location of the server. Which errs in both directions: reputable Australian sites may be hosted overseas, and overseas phishers/hackers might have their site physically located in Australia.
I don't know the situation in Australia, but here in the Netherlands we have MANY MANY networks that lookup as "country=NL" but really are operated by rogue hosters from anywhere in the world. So limiting my router logins to "only from NL" really brings me nothing but a false sense of security, as those ongoing portscans from the many foreign VPSes hosted in local datacenters here will just go through.
Furthermore, anyone can use a VPN (in the newfangled meaning) to have a source IP address in any country they desire.
And when you operate on a mobile network provided by a company that originates from outside of your country, it may well be that your external IP address is registered in another country too. Maybe not in Australia (due to its isolated topology), but certainly in other places.
Then, making something like this available as a standard feature where every operator can just click some selection list (even without knowing all of the above) is certainly not a good thing, in my opinion. But you can differ on that.
Firewall filtering is something that has to happen on-the-fly so it has to use locally stored tables. However, services like a login or VPN connect could to an external query to determine parameters of the source IP address, and use the result to accept or reject the connection.
There are DNS-based country lookup services (you query a name like 1.2.3.4.somedomain.example.com for a TXT record and you get a reply with the AS number and country code of the specified address.
Maybe it would be good when login procedures would be able to do such queries (or allow calling a script where such customized queries can be made).
That would still have the disadvantages listed above, though.