GeoIP "GB_rep_v4.txt" list contains my domain ISP

johnpoz

@Cabledude Look in the feeds section of pfblocker, and create a alias you can use to block all the actual known "spammers" doesn't matter what country their IPs are in..

Again - this is not a very good choice of "name" for the list - its just a list of Geo IPs lists that you can choose from in your blocking of say email to your server. If you know you never want to get email from any IP from Russia or China for example.. Be it domainX.tld or domainY.tld

if the server was coming from a Russian IP and you had them selected in this top spammer list, you could block any IP in Russia from talking to your email server, even if was say a gmail.com server..

SteveITS

@johnpoz said in GeoIP "GB_rep_v4.txt" list contains my domain ISP:

this is not a very good choice of "name" for the list

That's a huge understatement then. :) I would never have guessed. I've never used it since when we supported on premises mail servers they went through our spam filter first anyway so we only allowed those IPs. But then that makes 3 ways to create geo lists, the other two being either by continent or by GeoIP format type on the IP 4/6 tabs.

FWIW the "rep" lists as I understand it are supposed to be as "represented," for instance an IP from a military base in another country would be "rep." https://dev.maxmind.com/geoip/whats-new-in-geoip2

Cabledude

@NogBadTheBad said in GeoIP "GB_rep_v4.txt" list contains my domain ISP:

Where. is the email coming from that is going to your home MailPlus server, from Voxility / your ISP or is it coming from various different locations?

Very good question. When this issue came up I was testing my MailPlus server. I was sending test emails from one of my other email addresses, which happen to have their mail server at the same ISP. Therefore, all test emails do in fact originate from that IP.
But once I'm out of the testing stage, email not sent by myself, but by others, will be coming from other random IP's, possibly all over the globe. And I don't want to block all of those.

Bottom line is I need to disable all GeoIP lists in order to be 100% sure to receive my emails.

johnpoz

@SteveITS yeah military base might be one example of _rep for a country.. Also say the IP range a Embassy is using might be another. My understanding of country_rep was that those IPs are IPs that are that country might not actually reside in that specific country borders geographically..

Cabledude

@johnpoz said in GeoIP "GB_rep_v4.txt" list contains my domain ISP:

Again - this is not a very good choice of "name" for the list - its just a list of Geo IPs lists that you can choose from in your blocking of say email to your server. If you know you never want to get email from any IP from Russia or China for example.. Be it domainX.tld or domainY.tld

if the server was coming from a Russian IP and you had them selected in this top spammer list, you could block any IP in Russia from talking to your email server, even if was say a gmail.com server..

Right. The question then is whether or not I can be 100% sure I never want to receive email from those countries. Let's take China. I don't know anyone in China so I could GeoIP block all of China. But what if I'm in a discussion with Synology HQ in Taiwan and they send me an email which gets routed through a chain of Chinese Mail Server hops? If the final hop is still in China I won't get that email delivered.

SteveITS

@Cabledude said in GeoIP "GB_rep_v4.txt" list contains my domain ISP:

I need to disable all GeoIP lists in order to be 100% sure to receive my emails

Yes, unfortunately, at least for port 25. Or as I alluded to above, if you use a third party spam filter you only need to allow the spam filter's IPs on your end.

What you probably want are the pfB feeds for Spamhaus, and maybe HoneyPot_Spam and/or the MAIL feeds. (have not used any except Spamhaus (E)DROP)

Cabledude

@SteveITS Yes indeed.
[Edit]
I already have PRI1 enabled which contains Spamhaus_Drop and Spamhaus_eDrop.

[Edit]
However in this (older) topic on Reddit BBcan177 states that he prefers to add those lists to the mail server itself, not to pfSense:
Quote:
BBCan177
3 yr. ago
Dev of pfBlockerNG
In pfBlockerNG-devel, there is a Feeds Tab that has a MAIL IP Group that could help reduce spam.
Would highly recommend adding Spamhaus Zen to your mail server. These are to be used in the Mail server (not pfBlockerNG):
https://www.spamhaus.org/zen/
They also have a Reverse DBL list:
https://www.spamhaus.org/dbl/
This is a good source for other DNSRBL Feeds:
http://multirbl.valli.org/

Cabledude

@johnpoz said in GeoIP "GB_rep_v4.txt" list contains my domain ISP:

Again - this is not a very good choice of "name" for the list - its just a list of Geo IPs lists that you can choose from in your blocking of say email to your server. If you know you never want to get email from any IP from Russia or China for example.. Be it domainX.tld or domainY.tld

Well I wanted to be sure so I looked up a random website in Brazil:

Non-authoritative answer:
brasilescola.uol.com.br canonical name = salsa.uol.com.br.
Name: salsa.uol.com.br
Address: 200.147.36.53

This IP is not in the BR list. So the lists certainly don't have a countrywide coverage.

johnpoz

@Cabledude said in GeoIP "GB_rep_v4.txt" list contains my domain ISP:

200.147.36.53

now sure where your looking but that is clearly listed as being in BR.

So max mind shows it

https://www.maxmind.com/en/geoip-demo

You can also use ip info as a check
https://ipinfo.io/

I then created a br alias, and ran an update and then looked in the table.

Maybe your confused by it in a /14 that includes that IP.

200.144.0.0/14 would be all of these addresses = 200.144.0.0 - 200.147.255.255

So yes 200.147.36.53 is included

JonathanLee

You could call your ISP and let them know you need a new IP because your on the blacklist...

Cabledude

@johnpoz said in GeoIP "GB_rep_v4.txt" list contains my domain ISP:

Maybe your confused by it in a /14 that includes that IP.

200.144.0.0/14 would be all of these addresses = 200.144.0.0 - 200.147.255.255

Yup that is where I went bad. Thank you for clearing that up.
So the Maxmind BR list does in fact contain this arbitrary test IP and very likely most if not all IP's in Brazil.

I was still wondering what the use of these GeoIP lists could be now that it turns out certainly not to be for malicious IP blocking. Then I noticed coincidentally that NtopNG also has a Maxmind GeoIP option, used to visualize the source (coordinates) of logged IP's. So in that use case it's even required to have the database cover the entire country or region.

Cabledude

@JonathanLee said in GeoIP "GB_rep_v4.txt" list contains my domain ISP:

You could call your ISP and let them know you need a new IP because your on the blacklist...

Thanks for your reply Jonathan, however above in this topic it is discussed that the Maxmind GeoIP database turns out not to be a blacklist but an all inclusive country IP list, despite the "top spammers" naming.

Bob.Dig

@Cabledude You could use GeoIP for blocking traffic from maybe China. Or allow only your home country to access your own VPN. Endless possibilities...

JonathanLee

@Cabledude yes Palo Alto firewalls does the same thing, they have full country blocks but it's not under the a spamer branding nameplate. That seems weird to brand it as top spammers. They have a full blocks of IP addresses that are assigned to specific countries. It's weird it's branded as top spammers. I had my android phone end up on a Spamhaus list I just contacted their help desk and they helped me resolve the issue.

johnpoz

@Cabledude said in GeoIP "GB_rep_v4.txt" list contains my domain ISP:

I was still wondering what the use of these GeoIP lists

All of them, or ones you create? Those built in ones where you can edit a few to be on or off the list that has all countries in a specific region of the world? I really see no point to those to be honest.

But what is handy with geoip based lists is when you create your own that are allow vs block. I guess you could edit one of those lists, say for me the north america one.. To just include the countries I would want to allow, but the list is still large for all I want to allow is US..

I use geoip list to allow access to my vpn, my plex.. None of my users would be anywhere outside the US, if they are going to travel then they need to let me know so I can add the country they are in to the allow list.

For my plex I currently have family member living in Morocco, so that list has US and Morocco Allowed.. If your coming from france, mexico, China, etc.. then your not accessing my plex server. Ie any IP that is not from US or Morocco is not allowed in the forward to my plex.

You could block the world if you would, but allow list is almost always shorter than block - so just allow what you want, anything that is not specifically allowed is blocked anyway.

Why would you create a list that includes every IP that is not in the UK? When its easier simpler and a much shorter list to just pick the IPs that are in the UK and allow those, vs blocking every other IP.

SteveITS

@Cabledude said in GeoIP "GB_rep_v4.txt" list contains my domain ISP:

Would highly recommend adding Spamhaus Zen to your mail server. These are to be used in the Mail server (not pfBlockerNG):

Zen is completely different from DROP. https://www.spamhaus.org/zen/
Traditionally a reverse block list looks up the sending IP to see if it's in the list and if so rejects the message, and the sending server can return the error code to the sender. The policy list for example contains residential DHCP addresses identified by their ISP as not allowed to be a mail server. A web site likely wouldn't want to block all residential IPs.

"The Spamhaus DROP (Don't Route Or Peer) lists are advisory "drop all traffic" lists, consisting of netblocks that are "hijacked" or leased by professional spam or cyber-crime operations (used for dissemination of malware, trojan downloaders, botnet controllers). The DROP lists are a tiny subset of the SBL, designed for use by firewalls and routing equipment to filter out the malicious traffic from these netblocks."

Cabledude

@johnpoz said in GeoIP "GB_rep_v4.txt" list contains my domain ISP:

But what is handy with geoip based lists is when you create your own that are allow vs block. I guess you could edit one of those lists, say for me the north america one.. To just include the countries I would want to allow, but the list is still large for all I want to allow is US..

I use geoip list to allow access to my vpn, my plex.. None of my users would be anywhere outside the US, if they are going to travel then they need to let me know so I can add the country they are in to the allow list.

Thank you for your explanations. Yes I understand Allow some is better than block all but some.

So just to be clear how you implement this... I assume you:

1. go to pfBlocker -> IP -> GeoIP -> North America

2. Edit (pencil on right)

3. Click United States US and US_rep and hit Save
   

4. Select "Alias Permit" which according to the pfB info "'Alias' rules create an alias for the list (and do nothing else)."
   

5. Reload -> IP

6. Go to Firewall -> Aliases and check that the list is there
   

7. Go to Firewall -> Rules, select your (V)LAN and create new rule

8. Use the alias to block or allow
   

Or did you mean something entirely different?

SteveITS

@Cabledude Just to note it, Alias Permit is to allow traffic. IIRC pfB does require a port selection for that, rather than opening all of WAN.

If you just want your own rules I use Alias Native which just creates an alias. No need to worry if the deduplication setting will strip out anything, and allows finer control over rule ordering.

Cabledude

@SteveITS Thank you Steve. So I gather that apart from the Alias options (Permit vs Native etc.) the steps I laid out are accurate?

Just for learning purposes I created two Aliases:

1. North America US + US_rep / Alias Permit
2. Africa MW (Malawi) / Alias Native

I see no difference in the Firewall / Aliases / URL's tab:

Therefore I still don't quite understand what you just wrote about deduplication / strip / finer control over rule ordering.

Care to elaborate? Please be patient I am completely new to this method of building rules with Alias lists.

Thanks!
Pete

johnpoz

@Cabledude said in GeoIP "GB_rep_v4.txt" list contains my domain ISP:

Select "Alias Permit" which according to the pfB info "'Alias' rules create an alias for the list (and do nothing else)."

No that is not what "I" do - I just use pfblocker to create native lists.. I then use those lists in my firewall rules or forwards. Nor do I edit the built in regions.

I just create my own aliases..

Here for example is the one for my plex.

Those other lists in the alias are the status cake IPs and UPtime robot IPs and plex IPs that check if your server is available remotely. These IPs might not just be in the US.. They could be IPs from really anywhere.. So they need to be included to be able to talk to my plex if I want to show that it is online for my monitoring - I get an alert from from status cake or uptime robot if it can not talk to my plex server. The us and morocco geoip base lists make sure that my users can talk to my plex, as long as they are coming from IPs in those lists.. If one of my users decided to take a trip to canada or germany - they would be out of luck unless they let me know, so I could add those where they are at to the list.

I also do use some lists for blocking, but they are not geoip based. Stupid scanning services.. Digital Ocean, Shodan, strechoid, etc. DO - nothing good is ever going to come from there ;) That scan deny list is high up on my rules..

pfblocker is a very powerful tool - I barely scratch the surface of what it can actually do. But I currently don't have desire to use its other features. But I for sure use it, how you use it is up to you.. But its great for creating aliases be they asn based, list based, geoIP based, etc. etc..