@tross9 said in maxmind -- do i need it for mysite?:
Outside the U.S. thus allowing outside the U.S. to possibly gain access. but I think that is Highly unlikely, only possible if a company goes out of business and their IP is sold.
No that is not true at all - IPs are exchanged all the time.. Company does not have to go out of business. We recently sold off some IPs out of your /16, those IPs are now outside the US.
What if company X has locations in countries A B and C.. And now is using some of their IP space in B vs A, etc.
Geoip data is updated all the time. While it at first entry might just use the companies HQ that is in country X, at some point they determine that IP range xyz while owned by company in country A, is actually used in country B, etc..
Lets be clear - the geoip database is a lets call it best guess at best ;)
But if your concerned with only allowing IPs from XYZ via geoip data. Then it behooves you to make sure list of IPs your using is current. A maxmind account is free, while the data might not be perfect.. Using the current data is going to be more accurate then using old data.
Even using the best and latest to the minute geoip data doesn't mean its correct.. If you are concerned with who can access your resource you have opened to the public. The best solution is to use their IPs, and only allow those.
While I understand that can become problematic - especially with users that have no idea IP even is ;) If your concerned - get them to setup a ddns for their connection. Then use that ddns for your alias and only allow that.
I do this for my son's connection. I manage his network remotely via his unifi devices (router and ap) being part of my controller... For that to happen they need to talk to my controller. I sure and the hell would not open my controller to the public internet, even I could limit the IPs to be on his block ;) let alone his city or country.. So I setup to only allow his IP, which sure changes now and then. So I use his ddns in the alias..
[image: 1607006745924-iplist.png]
But for example my plex server - my users access this not only from their homes, but from their mobile devices.. It not really possible to know for sure what IP they might come from.. But I sure do not want to open that up to the whole internet. So I lock it down to only the countries they should be coming from.. So I use the listings for those.. Currently only US, but a buddies son was working in Honduras for a while - and so it was allowing US and Honduras, etc..
The geoip listings can be useful.. But if the data is dated, its going to be less useful than current data.
If my friends and family were more tech savy I would lock down their plex server access to only vpn access. But that is a pipe dream to expect normal users how to do that, and sure and the hell not going to spend the time to manage all of their devices and networks to use vpn to access my network. So I do atleast something to limit who can access my plex server. Be it far from perfect or optimally secure setup, etc.
edit: Here I ran across this just a bit ago in my browsing.. This is perfect example of how things get messed up with geoip dbs
https://www.reddit.com/r/networking/comments/k61a5j/geolocation_issue/
The NL company has a location in the US, they got a line in the US and IP from the isp - but for some reason this ip is showing from the NL for geoip, etc..
This sort of thing happens all the time - and yes it can be a real pain the ass to get corrected.. I had a /24 from our /16 that was showing up as being from vietnam... Tried for months to get it corrected.. That IP range had never been used in vietnam, and clearly anyone doing a simple traceroute could see it was in florida..
It was causing issues with users accessing some stuff that was doing geoip filtering, like banks and stuff..
Just more example of why if you want to do geoip filtering, there will be mistakes in the db. And you should use current a db as possible.
