Country vs Registered country
-
@nogbadthebad said in Country vs Registered country:
Maxmind don't know what's used where ?
Not right away, that is for sure - we sold off some of our /16 space a while back, and it was now being used in the Middle East vs the US.. And it did take a while for that info to get updated. To be honest I would have to check - maybe it's still wrong ;)
-
@johnpoz said in Country vs Registered country:
@nogbadthebad said in Country vs Registered country:
Maxmind don't know what's used where ?
Not right away, that is for sure - we sold off some of our /16 space a while back, and it was now being used in the Middle East vs the US.. And it did take a while for that info to get updated. To be honest I would have to check - maybe it's still wrong ;)
Indeed I used to work for a company that had xx.0.0.0/8 and now some of it is used by Microsoft.
-
@nogbadthebad I just checked, and the first range that was sold is updated to the new company and country looks correct from what I remember being told where the IPs were going to be used just in conversation when the sale was taking place.
But it was sold in multiple different size blocks, so I would have to check some other ranges to see if they are all up to date.
While in general - I think a really good attempt is made to be correct.. But there are always going to be inconsistencies to be found
-
@pierr0t said in Country vs Registered country:
Now on my pfBlockerNG, as I said I blocked the whole world by doing "Deny both" on absolutely all the 9 lines in GeoIP summary and then I unchecked just France + France_rep (in Europa) and USA + USA_rep (in North America) to allow these 2 countries ... result is weird: without my VPN I can access my server behind the firewall, if I activate my VPN, I cannot access anything if I choose a French location, a US location, a Swiss location but if I choose the Irish location, I am back accessing the server ...
Don't block the whole world using pfBlocker alias, create a rule to deny all and above create a rule to allow what you want using a pfBlocker alias.
If you deny all with a pfBlocker alias you'll have a massive alias that every packet will need to traverse.
-
Hello,
Well it seems that Maxmind does know pretty well, I tested a lot of the IPs provided by the Mullvad VPN and Maxmind is always returning the proper "country" (ie "country" shows the country where Mullvad pretends to be for that IP and a site like iplocation.net does as well), but Maxmind does also return the "registered_country" which seems to be where the IP was originally purchased and there is also (but not always) a "represented_country" (used when the IP address belongs to something like a military base) ...
But to summarize, I think that pfBlockerNG should use "country" and not "registered_country" to reflect where the IP is really used. In my case I had to authorize "Sweden" to be able to use an IP used in Zürich Switzerland.
Pierre.
-
@pierr0t Care to share a few of the ip addresses you checked against?
-
For example the one I am currently using, Mullvad VPN Zürich Switzerland, this is the answer from GeoLite:
```
curl -u "xxxxxxx:xxxxxxxxx" \
  "https://geolite.info/geoip/v2.1/country/193.32.127.221?pretty"
{
  "continent": {
    "code": "EU",
    "geoname_id": 6255148,
    "names": {
      "ru": "Европа",
      "zh-CN": "欧洲",
      "de": "Europa",
      "en": "Europe",
      "es": "Europa",
      "fr": "Europe",
      "ja": "ヨーロッパ",
      "pt-BR": "Europa"
    }
  },
  "country": {
    "iso_code": "CH",
    "geoname_id": 2658434,
    "names": {
      "pt-BR": "Suíça",
      "ru": "Швейцария",
      "zh-CN": "瑞士",
      "de": "Schweiz",
      "en": "Switzerland",
      "es": "Suiza",
      "fr": "Suisse",
      "ja": "スイス連邦"
    }
  },
  "registered_country": {
    "is_in_european_union": true,
    "iso_code": "SE",
    "geoname_id": 2661886,
    "names": {
      "ja": "スウェーデン王国",
      "pt-BR": "Suécia",
      "ru": "Швеция",
      "zh-CN": "瑞典",
      "de": "Schweden",
      "en": "Sweden",
      "es": "Suecia",
      "fr": "Suède"
    }
  },
  "traits": {
    "ip_address": "193.32.127.221",
    "network": "193.32.127.0/24"
  }
}%
```
Mullvad tells me I am in Switzerland but I have to authorize Sweden to go through pfBlockerNG :-)
Pierre
-
Regarding this specific remark (about denying all and just authorizing specific country): I know, I just have to do it ... but it's a very low traffic firewall so I'm in no hurry ...
Pierre.
-
```
andyk@mac-pro ~ % whois 193.32.127.221
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

refer: whois.ripe.net

inetnum: 193.0.0.0 - 193.255.255.255
organisation: RIPE NCC
status: ALLOCATED

whois: whois.ripe.net

changed: 1993-05
source: IANA

# whois.ripe.net

inetnum: 193.32.127.0 - 193.32.127.255
netname: NET-31173-193-32-127
country: CH
geoloc: 47.3631 8.5414
language: de
descr: 31173 Services AB infrastructure in Zurich, Switzerland.
org: ORG-SS1087-RIPE
admin-c: SS36127-RIPE
tech-c: SS36127-RIPE
abuse-c: SS36127-RIPE
status: ASSIGNED PA
mnt-by: ESAB-MNT
created: 2020-05-04T09:36:06Z
last-modified: 2020-05-05T11:40:13Z
source: RIPE

organisation: ORG-SS1087-RIPE
org-name: 31173 Services Switzerland
org-type: OTHER
geoloc: 47.3631 8.5414
language: de
address: 31173 Services AB
address: c/o Interxion
address: S?gereistrasse 35
address: Glattbrugg
address: 8152 Opfikon
address: Switzerland
admin-c: SS36127-RIPE
tech-c: SS36127-RIPE
mnt-by: ESAB-MNT
mnt-ref: ESAB-MNT
created: 2020-05-04T09:00:26Z
last-modified: 2020-05-05T11:29:32Z
source: RIPE # Filtered

role: 31173 Services Switzerland
address: 31173 Services AB
address: c/o Interxion
address: S?gereistrasse 35
address: Glattbrugg
address: 8152 Opfikon
address: Switzerland
abuse-mailbox: abuse-cust-ch@31173.se
admin-c: NEMO1-RIPE
tech-c: KPE-RIPE
nic-hdl: SS36127-RIPE
mnt-by: ESAB-MNT
created: 2020-05-04T08:48:30Z
last-modified: 2020-05-04T08:48:30Z
source: RIPE # Filtered

% Information related to '193.32.127.0/24AS39351'

route: 193.32.127.0/24
origin: AS39351
mnt-by: ESAB-MNT
created: 2019-11-03T16:35:41Z
last-modified: 2020-05-04T09:37:52Z
source: RIPE

% This query was served by the RIPE Database Query Service version 1.106.1 (ABERDEEN)

andyk@mac-pro ~ %
```
Go here and pop in the IP address or AS number:-
https://hackertarget.com/as-ip-lookup/
The whois reports Services AB infrastructure in Zurich, Switzerland and the IP/ASN reports ESAB-AS, SE.
When you do the AS number it reports 193.32.127.0/24 as belonging to ESAB-AS, SE to the right.
Looks to me like it's a Swedish company hosting a server in Switzerland.
-
Yes exactly, IP is being used in Switzerland but was purchased in Sweden (Mullvad being a Swedish company).
Maxmind reports it properly, the question is how does pfBlockerNG use that info, for me it should use the "country" info instead of the "registered_country" info ... but I guess that only the author of pfBlockerNG could tell me if my diagnostic is true or not.
Pierre
-
@pierr0t If BBCan177 doesn't find this thread you could create a bug/feature request at redmine.pfsense.org. If it's not a bug, possibly it could be added as a separate list like "rep" is separate, although it would basically double the size of the existing "all IPs in ___" list if they are listed twice and people allow two. A bit more flexible but more confusing.
IOW does the Swedish company just happen to put their servers in a data center in Switzerland and they are using it? Is a particular block from an ISP that works across borders? Many possibilities.
Allowing your own IP is a bit easier...can be done for one, if you create a dynamic DNS hostname and allow the hostname.
-
@nogbadthebad You could maybe use the provider's ASN number, they only use 4 providers in Switzerland:-
-
Yes but at the same time, it's not really me, it's pfBlockerNG ... I understand I could create rules using the ASN but if I use pfBlockerNG it would be nice if they were using "country" instead of "registered_country" ... Anyway I will try to open a feature request/bug as suggested by @SteveITS :-)
Thks.
Pierre
-
The following would work but it's every Mullvad endpoint:-
-
Interesting, yes that would allow me to use all Mullvad's IPs to go through the firewall, thanks.
I did a feature request here: https://redmine.pfsense.org/issues/14324
Pierre
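
Added example, not part of the thread and not pfBlockerNG's code: a small audit that reads a GeoIP2 country response and shows how an allowlist decision changes depending on whether it is keyed on "country" or "registered_country". The sample record is a trimmed copy of the response posted above; the function names and the allowlists are assumptions made for illustration.

```python
import json

# Constructed sample: trimmed copy of the GeoLite response posted in the thread.
SAMPLE = json.loads("""
{
  "country": {"iso_code": "CH"},
  "registered_country": {"iso_code": "SE"},
  "traits": {"ip_address": "193.32.127.221", "network": "193.32.127.0/24"}
}
""")

FIELDS = ("country", "registered_country", "represented_country")


def iso_codes(record):
    """Return {field: ISO code or None}; any of the three objects may be absent."""
    return {f: (record.get(f) or {}).get("iso_code") for f in FIELDS}


def allowed(record, allowlist, field):
    """Hypothetical allowlist check keyed on one field of the response."""
    code = iso_codes(record)[field]
    return code is not None and code in allowlist


def audit(record, allowlist):
    """Compare the decision a country-keyed list and a registered-country-keyed list give."""
    codes = iso_codes(record)
    by_country = allowed(record, allowlist, "country")
    by_registered = allowed(record, allowlist, "registered_country")
    return {
        "network": (record.get("traits") or {}).get("network"),
        "codes": codes,
        "allowed_by_country": by_country,
        "allowed_by_registered_country": by_registered,
        "mismatch": codes["country"] != codes["registered_country"],
        "decision_differs": by_country != by_registered,
    }


if __name__ == "__main__":
    # Hypothetical allowlists: the poster's FR+US list, then with CH or SE added.
    for allow in ({"FR", "US"}, {"FR", "US", "CH"}, {"FR", "US", "SE"}):
        print(sorted(allow), audit(SAMPLE, allow))
```

Running the audit over the networks you expect to allow lists every range where the two fields disagree, which is where a country list and a per-ASN or per-network rule will give different results.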