Netgate Discussion Forum

    Country vs Registered country

    pfBlockerNG
    21 Posts 4 Posters 2.8k Views
    • P
      pierr0t @NogBadTheBad
      last edited by

      @nogbadthebad

      Hello,

      Well, it seems that MaxMind does know pretty well. I tested a lot of the IPs provided by the Mullvad VPN and MaxMind is always returning the proper "country" (i.e. "country" shows the country where Mullvad pretends to be for that IP, and a site like iplocation.net does as well), but MaxMind also returns the "registered_country", which seems to be where the IP was originally purchased, and there is also (but not always) a "represented_country" (used when the IP address belongs to something like a military base) ...
      But to summarize, I think that pfBlockerNG should use "country" and not "registered_country" to reflect where the IP is really used. In my case I had to authorize "Sweden" to be able to use an IP used in Zürich Switzerland.

      Pierre.

      NogBadTheBadN 1 Reply Last reply Reply Quote 0
      • NogBadTheBadN
        NogBadTheBad @pierr0t
        last edited by

        @pierr0t Care to share a few of the ip addresses you checked against?

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        P 1 Reply Last reply Reply Quote 0
        • P
          pierr0t @NogBadTheBad
          last edited by

          @nogbadthebad

          For example, the one I am currently using, Mullvad VPN Zürich Switzerland; this is the answer from GeoLite:

          curl -u "xxxxxxx:xxxxxxxxx" \
            "https://geolite.info/geoip/v2.1/country/193.32.127.221?pretty"
          {
              "continent": {
                  "code": "EU",
                  "geoname_id": 6255148,
                  "names": {
                      "ru": "Европа",
                      "zh-CN": "欧洲",
                      "de": "Europa",
                      "en": "Europe",
                      "es": "Europa",
                      "fr": "Europe",
                      "ja": "ヨーロッパ",
                      "pt-BR": "Europa"
                  }
              },
              "country": {
                  "iso_code": "CH",
                  "geoname_id": 2658434,
                  "names": {
                      "pt-BR": "Suíça",
                      "ru": "Швейцария",
                      "zh-CN": "瑞士",
                      "de": "Schweiz",
                      "en": "Switzerland",
                      "es": "Suiza",
                      "fr": "Suisse",
                      "ja": "スイス連邦"
                  }
              },
              "registered_country": {
                  "is_in_european_union": true,
                  "iso_code": "SE",
                  "geoname_id": 2661886,
                  "names": {
                      "ja": "スウェーデン王国",
                      "pt-BR": "Suécia",
                      "ru": "Швеция",
                      "zh-CN": "瑞典",
                      "de": "Schweden",
                      "en": "Sweden",
                      "es": "Suecia",
                      "fr": "Suède"
                  }
              },
              "traits": {
                  "ip_address": "193.32.127.221",
                  "network": "193.32.127.0/24"
              }
          }

          Mullvad tells me I am in Switzerland but I have to authorize Sweden to go through pfBlockerNG :-)
          Pierre

          1 Reply Last reply Reply Quote 0
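The difference between the two fields in the response above matters for any country allowlist. The following is an added example, not part of the thread and not pfBlockerNG's code: it reads a GeoLite country response, decides allow or deny from a chosen field, and flags records where the fields disagree. The function names are hypothetical and the sample is constructed from the values quoted in the post.

```python
import ipaddress
import json

# Constructed sample: only the keys this check reads, with the values
# taken from the GeoLite response quoted in the post above.
SAMPLE_RESPONSE = json.dumps({
    "country": {"iso_code": "CH"},
    "registered_country": {"iso_code": "SE", "is_in_european_union": True},
    "traits": {"ip_address": "193.32.127.221", "network": "193.32.127.0/24"},
})

FIELDS = ("country", "registered_country", "represented_country")


def country_codes(record):
    """Return the ISO code of each country object present in a response."""
    codes = {}
    for field in FIELDS:
        iso = (record.get(field) or {}).get("iso_code")
        if iso:
            codes[field] = iso.upper()
    return codes


def evaluate(raw_json, allowed, field="country"):
    """Allow/deny one lookup by `field`; report disagreeing fields."""
    record = json.loads(raw_json)
    traits = record.get("traits", {})
    ip = ipaddress.ip_address(traits["ip_address"])
    network = ipaddress.ip_network(traits["network"])
    if ip not in network:
        raise ValueError("ip_address is outside the reported network")
    codes = country_codes(record)
    return {
        "network": str(network),
        "codes": codes,
        # A missing field never matches, so an allowlist fails closed.
        "allowed": codes.get(field) in allowed,
        "mismatch": len(set(codes.values())) > 1,
    }


def compare_policies(raw_json, allowed):
    """Apply the same allowlist under each field choice."""
    return {f: evaluate(raw_json, allowed, f)["allowed"]
            for f in ("country", "registered_country")}


if __name__ == "__main__":
    print(evaluate(SAMPLE_RESPONSE, {"CH"}))
    print(compare_policies(SAMPLE_RESPONSE, {"CH"}))
```

With an allowlist of `{"CH"}` the address passes when the decision uses `country` and is denied when it uses `registered_country`, which is the behaviour described in the post.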
          • P
            pierr0t @NogBadTheBad
            last edited by

            @nogbadthebad

            Regarding this specific remark (about denying all and just authorizing specific country): I know, I just have to do it ... but it's a very low traffic firewall so I'm in no hurry ...

            Pierre.

            NogBadTheBadN 1 Reply Last reply Reply Quote 1
            • NogBadTheBadN
              NogBadTheBad @pierr0t
              last edited by NogBadTheBad

              @pierr0t

              andyk@mac-pro ~ % whois 193.32.127.221   
              % IANA WHOIS server
              % for more information on IANA, visit http://www.iana.org
              % This query returned 1 object
              
              refer:        whois.ripe.net
              
              inetnum:      193.0.0.0 - 193.255.255.255
              organisation: RIPE NCC
              status:       ALLOCATED
              
              whois:        whois.ripe.net
              
              changed:      1993-05
              source:       IANA
              
              # whois.ripe.net
              
              inetnum:        193.32.127.0 - 193.32.127.255
              netname:        NET-31173-193-32-127
              country:        CH
              geoloc:         47.3631 8.5414
              language:       de
              descr:          31173 Services AB infrastructure in Zurich, Switzerland.
              org:            ORG-SS1087-RIPE
              admin-c:        SS36127-RIPE
              tech-c:         SS36127-RIPE
              abuse-c:        SS36127-RIPE
              status:         ASSIGNED PA
              mnt-by:         ESAB-MNT
              created:        2020-05-04T09:36:06Z
              last-modified:  2020-05-05T11:40:13Z
              source:         RIPE
              
              organisation:   ORG-SS1087-RIPE
              org-name:       31173 Services Switzerland
              org-type:       OTHER
              geoloc:         47.3631 8.5414
              language:       de
              address:        31173 Services AB
              address:        c/o Interxion
              address:        S?gereistrasse 35
              address:        Glattbrugg
              address:        8152 Opfikon
              address:        Switzerland
              admin-c:        SS36127-RIPE
              tech-c:         SS36127-RIPE
              mnt-by:         ESAB-MNT
              mnt-ref:        ESAB-MNT
              created:        2020-05-04T09:00:26Z
              last-modified:  2020-05-05T11:29:32Z
              source:         RIPE # Filtered
              
              role:           31173 Services Switzerland
              address:        31173 Services AB
              address:        c/o Interxion
              address:        S?gereistrasse 35
              address:        Glattbrugg
              address:        8152 Opfikon
              address:        Switzerland
              abuse-mailbox:  abuse-cust-ch@31173.se
              admin-c:        NEMO1-RIPE
              tech-c:         KPE-RIPE
              nic-hdl:        SS36127-RIPE
              mnt-by:         ESAB-MNT
              created:        2020-05-04T08:48:30Z
              last-modified:  2020-05-04T08:48:30Z
              source:         RIPE # Filtered
              
              % Information related to '193.32.127.0/24AS39351'
              
              route:          193.32.127.0/24
              origin:         AS39351
              mnt-by:         ESAB-MNT
              created:        2019-11-03T16:35:41Z
              last-modified:  2020-05-04T09:37:52Z
              source:         RIPE
              
              % This query was served by the RIPE Database Query Service version 1.106.1 (ABERDEEN)
              
              
              andyk@mac-pro ~ % 
              
              

              Go here and pop in the IP address or AS number:-

              https://hackertarget.com/as-ip-lookup/

              The whois reports Services AB infrastructure in Zurich, Switzerland and the IP/ASN reports ESAB-AS, SE.

              When you do the AS number it reports 193.32.127.0/24 as belonging to ESAB-AS, SE to the right.

              Looks to me like it's a Swedish company hosting a server in Switzerland.

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

              P 1 Reply Last reply Reply Quote 0
              • P
                pierr0t @NogBadTheBad
                last edited by

                @nogbadthebad

                Yes, exactly, the IP is being used in Switzerland but was purchased in Sweden (Mullvad being a Swedish company).

                MaxMind reports it properly; the question is how pfBlockerNG uses that info. For me it should use the "country" info instead of the "registered_country" info ... but I guess that only the author of pfBlockerNG could tell me if my diagnostic is true or not.

                Pierre

                S 1 Reply Last reply Reply Quote 0
                • S
                  SteveITS Galactic Empire @pierr0t
                  last edited by

                  @pierr0t If BBCan177 doesn't find this thread you could create a bug/feature request at redmine.pfsense.org. If it's not a bug, possibly it could be added as a separate list like "rep" is separate, although it would basically double the size of the existing "all IPs in ___" list if they are listed twice and people allow two. A bit more flexible but more confusing.

                  IOW does the Swedish company just happen to put their servers in a data center in Switzerland and they are using it? Is it a particular block from an ISP that works across borders? Many possibilities.

                  Allowing your own IP is a bit easier...can be done for one, if you create a dynamic DNS hostname and allow the hostname.

                  Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                  When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                  Upvote 👍 helpful posts!

                  1 Reply Last reply Reply Quote 0
                  • NogBadTheBadN
                    NogBadTheBad
                    last edited by

                    @nogbadthebad You could maybe use the provider's ASN number; they only use 4 providers in Switzerland:-

                    Screenshot 2023-04-28 at 15.05.31.png

                    Andy

                    1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                    P 1 Reply Last reply Reply Quote 0
                    • P
                      pierr0t @NogBadTheBad
                      last edited by

                      @nogbadthebad

                      Yes but at the same time, it's not really me, it's pfBlockerNG ... I understand I could create rules using the ASN but if I use pfBlockerNG it would be nice if they were using "country" instead of "registered_country" ... Anyway I will try to open a feature request/bug as suggested by @SteveITS :-)
                      Thks.
                      Pierre

                      NogBadTheBadN 1 Reply Last reply Reply Quote 0
                      • NogBadTheBadN
                        NogBadTheBad @pierr0t
                        last edited by

                        @pierr0t

                        The following would work but it's every Mullvad endpoint:-

                        Screenshot 2023-04-28 at 16.09.20.png

                        Andy

                        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                        P 1 Reply Last reply Reply Quote 0
                        • P
                          pierr0t @NogBadTheBad
                          last edited by

                          @nogbadthebad

                          Interesting, yes, that would allow me to use all of Mullvad's IPs to go through the firewall, thanks.

                          I did a feature request here: https://redmine.pfsense.org/issues/14324

                          Pierre

                          1 Reply Last reply Reply Quote 0
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.