Geo blocking does not work for all IPs
-
I have pfBlockerNG set up to block inbound connections from everywhere, except NA and Europe, per the configuration below:
My intention is to block all incoming traffic from these geographical areas and only allow traffic from Europe and North America. I host a handful of services which I expose to the Internet using HA Proxy.
I have specified that the pfB-rules should be ordered such that they take effect before any other rules:
However, when I inspect my firewall log I see that inbound connections are passed from Africa, Asia and South America (maybe Oceania too, my geography skills aren't excellent).
The image below shows Blocked traffic, in the upper map, and Passed traffic in the lower map:
Looking at the rules that are being triggered, everything seems to be in order.
1770009309 is the pfBlocker auto rule and the two 1663* rules are HA Proxy rules. (The 165* rule is internal (LAN -> FW).)
The block rule in action is the pfB_PRI1_v4 auto rule, as seen below:
But if I look at my Pass rule for my HA Proxy instance, I can, for instance, see this:
Two calls originating in Brazil that have been let through.
I use the MaxMind GeoIP database in pfSense and the visualisation above is done using Graylog (with the same MaxMind license).
Question: Can anyone help me understand what's going on here? I think I have configured everything correctly, but I still let through unwanted traffic.
-
I love the images, they show something that you're not telling, but you know it already:
Many IPs listed in these GEO lists are ..... not on the right list. An explanation might be: there are no more free IPv4 left. For every 'available' IPv4 there is a financial dog fight, as they have become real investment objects. They change owner - and place, often. No one wants to update their 'location' as they might change anyway. A spammer from India really wants the IP to be localized in the US, for understandable reasons.
Btw: I believe most spam comes from: US and Europe ... Conclusion: the quality of these GEO IP lists is ..... not what it used to be.
And still going downwards.
-
@gertjan thanks for your reply.
I do understand that the Geo IP Lists might not be correct, but I don't understand why pfBlockerNG (using MaxMind) believes that an IP comes from somewhere but Graylog believes the IP comes from somewhere else. I'm using the same database for the rule and the visualisation, I hope.
If an Indian IP was wrongly classified as a European one, I'd expect to have Indian IPs showing up as European ones, and I would be none the wiser. But that's not what I'm seeing above. I see IPs classified as Indian, but they are still let through the filter.
Edit: Or, wait, are you saying that blocking is done depending on the list the IP belongs to and not the location where the coordinates for the IP are? That seems, not superb...
-
@glader You are able to see for yourself, look it up, if it is in the list or not.
-
@glader said in Geo blocking does not work for all IPs:
depending on the list the IP belongs to
Exact.
IPs don't have a notion of 'position'. There are lists like 'US' with all IPs (networks) known to be situated in 'US'. These are the GEOip lists. They are not up to date / accurate.
-
@gertjan hm, sorry for not quite dropping this yet, but....
In Graylog I have a pipeline that uses the MaxMind database to add location data to my logs, using the following rule:
rule "GeoIP lookup: SourceIP"
when
  // only enrich traffic addressed to my WAN IP
  contains(to_string($message.DestIP), "<my WAN IP>")
then
  let geo = lookup("geoip", to_string($message.SourceIP));
  set_field("src_ip_geo_location", geo["coordinates"]);
  set_field("src_ip_geo_country", geo["country"].iso_code);
  set_field("src_ip_geo_city", geo["city"].names.en);
end
The geo["coordinates"] is ultimately what is shown in the map (that I showed in my original post). Do you have any idea about where this information comes from? Again, since I use the MaxMind database both in pfSense and in Graylog, I would expect that both tools would be able to derive the same information. If Graylog can correctly (at least more correctly) classify the IPs, why doesn't pfBlockerNG do the same?
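To make the distinction gertjan draws concrete (a firewall rule matches whichever country network list an address falls in, while a map plots whatever the database returns for that exact address), here is an added Python model; it is not code from this thread, from pfBlockerNG or from Graylog, and the network lists, the per-address lookup table and the rule order are constructed placeholders that deliberately disagree on one address, as a stale alias and a fresher database can.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed data, not real MaxMind ranges: the network lists a firewall
# alias would hold (as of its last update)...
COUNTRY_NETS = {
    "US": ["192.0.2.0/24", "198.51.100.0/25"],
    "DE": ["203.0.113.0/24"],
    "BR": ["198.51.100.128/26"],      # stops at .191
}
# ...and a per-address lookup table standing in for the database a log
# pipeline queries. The last entry sits outside every BR network above.
POINT_LOOKUP = {
    "198.51.100.3": ("US", (38.0, -97.0)),
    "203.0.113.9": ("DE", (51.0, 9.0)),
    "198.51.100.200": ("BR", (-23.5, -46.6)),
}
# Rule order as on a WAN interface: GeoIP deny alias first, then the service
# pass rule. Interface rules are evaluated first-match-wins.
RULES: List[Tuple[str, Optional[str]]] = [("block", "BR"), ("pass", None)]

def build_lists(country_nets):
    return {cc: [ipaddress.ip_network(n) for n in nets]
            for cc, nets in country_nets.items()}

def lists_containing(ip, lists):
    """Country aliases that contain ip: the only thing a list-based rule sees."""
    addr = ipaddress.ip_address(ip)
    return sorted(cc for cc, nets in lists.items() if any(addr in n for n in nets))

def firewall_decision(ip, rules, lists):
    addr = ipaddress.ip_address(ip)
    for action, cc in rules:
        if cc is None or any(addr in n for n in lists[cc]):
            return action
    return "block"   # implicit default deny at the end of the ruleset

def explain(ip, rules=RULES, country_nets=COUNTRY_NETS, point_lookup=POINT_LOOKUP):
    """Compare the alias-based decision with what the per-address lookup says."""
    lists = build_lists(country_nets)
    country, coords = point_lookup.get(ip, (None, None))
    return {"ip": ip, "in_lists": lists_containing(ip, lists),
            "decision": firewall_decision(ip, rules, lists),
            "lookup_country": country, "coordinates": coords}

if __name__ == "__main__":
    for ip in POINT_LOOKUP:
        print(explain(ip))
```

Running it shows 198.51.100.200 passed by the firewall (it is in no BR network of the alias) while the lookup places it in Brazil; the practical check is the same as gertjan's advice, look the offending address up in the alias table actually loaded on the firewall rather than in the map.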
-
-
@jdeloach thanks for pointing me in the right direction :)
-
Where did you find the map view??