pfBlockerNG - GeoIP "Allow USA" doesn't match some IPs
-
I have an explicit deny at the end of my rules, plus an "Allow USA" rule right above it based on a custom IPv4 GeoIP list.
It generally works, but many USA addresses are not matched by my pfBlockerNG list and rule.
It is typically various random CDN servers like Microsoft, Google, CloudFlare, etc.
It seems so straightforward to me... there must be something I don't understand about how to properly create a GeoIP list like this.
-
Here's another example - Google in the US doesn't match my rule allowing GeoIP US list.
-
@ctarbet this gets asked from time to time. MaxMind I believe updates monthly? The big guys buy or move IP blocks from other countries. MS announced that like 10-15 years ago or so. Other than trying to get MaxMind to correct it not sure there’s much to be done.
-
@SteveITS I understand what you are saying, but the website says that they are US. Does pfBlocker Geo data lag behind what the MaxMind website shows?
I even get Apple ranges in there sometimes and they've owned their chunk forever.
Is there any way to see the contents of my USA GeoIP alias within pfSense?
Can I hard-delete whatever MaxMind stuff I have and redownload?
-
@ctarbet Diagnostics/Tables will list the alias contents.
Also ensure you don’t have deduplication enabled. That can have unexpected results sometimes.
-
@ctarbet The block you're showing is out of state. See the FA, that is a FIN,ACK. So yeah, it would be blocked if the state has already been closed. This has nothing to do with the IP not being in your allow list.
-
@johnpoz I'm not sure if all my problem packets are FA, but I'll delve into that.
Why does a packet in FA skip my allow rule, but hit my custom reject all rule? I can feel a potential knowledge gap on my part here and it will help me in general to understand that difference, thank you.
-
@ctarbet pfSense is a stateful firewall. States are created by SYN packets. If there is no state to allow traffic, then it would be blocked.
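A way to check the two points made above before blaming the GeoIP list: the out-of-state explanation (a FIN,ACK blocked because the state was already gone) and the "look at the alias contents" suggestion. The script below is an added example, not code from the thread or from pfBlockerNG. It assumes the CSV field layout of pfSense's filterlog (common fields, then IPv4 fields, then TCP or UDP fields, with the syslog prefix already stripped) and uses a constructed stand-in for the USA alias; the sample log lines are also constructed. For each block entry it reports whether the packet was a new connection attempt (SYN without ACK, which is the only case where the allow rule should have matched) and whether the source is actually inside the list, so FA/PA/R blocks are set aside as state-table misses rather than GeoIP misses.

```python
"""Triage pfSense filterlog block entries: out-of-state vs. real allow-list misses.

Added example, not from the forum thread. Assumes pfSense's filterlog CSV layout:
  common: rule,subrule,anchor,tracker,iface,reason,action,dir,ipver
  ipv4:   tos,ecn,ttl,id,offset,flags,proto-id,proto-text,length,src,dst
  tcp:    src-port,dst-port,data-len,tcp-flags,seq,ack,win,urg,options
"""
import csv
import ipaddress
from typing import Iterable

# Constructed stand-in for the GeoIP alias contents. On the firewall the real
# list is visible under Diagnostics > Tables (or `pfctl -t <alias> -T show`).
ALLOW_NETS = [ipaddress.ip_network(n) for n in ("8.8.8.0/24", "203.0.113.0/24")]

# Constructed sample lines: inbound replies from TCP/443 to a LAN client.
SAMPLE_LOG = """\
5,,,1000000103,em0,match,block,in,4,0x0,,64,1000,0,DF,6,tcp,60,8.8.8.8,192.0.2.10,443,51234,0,S,1,,65535,,mss
5,,,1000000103,em0,match,block,in,4,0x0,,57,2000,0,DF,6,tcp,52,8.8.4.4,192.0.2.10,443,51235,0,FA,2,3,501,,
5,,,1000000103,em0,match,block,in,4,0x0,,55,3000,0,DF,6,tcp,60,198.51.100.7,192.0.2.10,443,51236,0,S,4,,65535,,mss
5,,,1000000103,em0,match,block,in,4,0x0,,55,4000,0,DF,17,udp,78,8.8.8.8,192.0.2.10,53,51237,58
3,,,1000000101,em0,match,pass,in,4,0x0,,64,5000,0,DF,6,tcp,60,203.0.113.9,192.0.2.10,443,51238,0,S,5,,65535,,mss
"""

# Field positions derived from the layout above.
ACTION, IPVER, PROTO, SRC, TCP_FLAGS = 6, 8, 16, 18, 23

# Verdicts a practitioner acts on differently.
OUT_OF_STATE = "non-SYN with no state (e.g. FIN/ACK): state-table miss, not a GeoIP miss"
GEOIP_MISS = "SYN blocked and source not in list: genuine GeoIP/list miss"
MISORDER = "SYN blocked although source is in list: check rule order/interface"
NOT_TCP = "non-TCP: no handshake flags; triage separately"


def in_allow_list(ip: str, nets: Iterable[ipaddress.IPv4Network]) -> bool:
    """Offline equivalent of 'is this IP in my alias table?'."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def is_new_connection(tcp_flags: str) -> bool:
    """A SYN without ACK is the packet that creates a state; everything else
    (FA, PA, R, A) must already have a state to be allowed."""
    return "S" in tcp_flags and "A" not in tcp_flags


def classify_line(line: str, nets: Iterable[ipaddress.IPv4Network]):
    """Return a dict for a blocked IPv4 entry, or None for pass/other entries."""
    f = next(csv.reader([line]))
    if f[ACTION] != "block" or f[IPVER] != "4":
        return None
    src, proto = f[SRC], f[PROTO]
    if proto != "tcp":
        return {"src": src, "proto": proto, "flags": None, "verdict": NOT_TCP}
    flags = f[TCP_FLAGS]
    if not is_new_connection(flags):
        verdict = OUT_OF_STATE
    elif in_allow_list(src, nets):
        verdict = MISORDER
    else:
        verdict = GEOIP_MISS
    return {"src": src, "proto": proto, "flags": flags, "verdict": verdict}


def triage(lines: Iterable[str], nets: Iterable[ipaddress.IPv4Network]):
    """Classify every block entry; pass entries and blank lines are skipped."""
    results = []
    for line in lines:
        if not line.strip():
            continue
        row = classify_line(line, nets)
        if row is not None:
            results.append(row)
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG.splitlines(), ALLOW_NETS):
        print(f"{row['src']:>14} {row['proto']:<4} {str(row['flags']):<4} {row['verdict']}")
```

Only entries with the `MISORDER` or `GEOIP_MISS` verdict say anything about the alias; an FA block from 8.8.4.4 above is the case described in the replies, where the state had already closed, and it would be blocked no matter which lists the IP appears in. To run this against a real firewall, feed it the output of `clog /var/log/filter.log` with the syslog prefix (everything up to and including `filterlog: `) stripped, and replace `ALLOW_NETS` with the CIDRs shown for the alias under Diagnostics > Tables.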