pfBlockerNG not blocking some foreign sites using geoip
-
I am using pfBlockerNG version 3.2.0_7 on a Netgate box with pfSense 23.05.1-RELEASE (arm).
I use GeoIP to only alias/permit access to the 2 US and 2 CA selections -- nothing outside of those 4 items is permitted.
All of my rules refer to pfB_NAmerica_v4, and indeed most traffic is blocked from outside of the US.
However, I still see some traffic coming from UK, BE, HK, BR -- here is some of the GeoIP log.
Am I doing something wrong, or is this common, or do I need to do something else?
Here are some of my rules.
Thanks in advance for your help.
-
@Willever where is the rule that would allow that traffic? I don't see any rules that would allow inbound traffic on 443 or 80. From whatever it is you posted, I take it that is the destination port?
Do you have some rule on floating?
-
Here is a screenshot with most of the rules -- port 80 is contained in a group called Main PC Ports.
-
@Willever You have a negative value there, maybe recreate that rule.
I would use VPN though.
-
I did recreate the rule and now it looks normal.
I also used a Norton VPN to connect to Australia and went to my web site, and it shows in the log file as shown below.
-
@Bob-Dig if it's a 3100, that's a known issue with the number wrapping to -2T because of 32 bit. It was fixed somewhere along the line, I thought. OP is a version behind.
And also, I could be wrong, but I thought _7 was for 23.09. OP, do not upgrade packages for the wrong version; see my sig.
-
@Willever well, it looks like that network 13.210.0.0/15 is included in your list.
And yeah, it's listed as being in the AU.
I don't use any of the pfBlocker country lists like North America, etc. Not sure how some AU would have been added to that list. I create my own lists. I allow US, for example.
But looking in my lists, that has just US and US_reps in it. And guess what, that is in there.
I removed the US_reps listing and it's gone - that IP range is owned by Amazon, which is a registered US company. So maybe that is how that gets in there.
It is broken out and registered to specific.. But the overall company lists that as their IP.
The guy that could give us the real answer, I would think, would be @BBcan177.
-
IPv4 blocks move around as they are bought and sold; IIRC MaxMind updates once a month.
Another thing that can cause unexpected results is that if pfB deduplication is on, and any pfB-generated deny rules are enabled, pfBlocker will dedupe the lists across all rules, not just within a list. That's probably not explaining it well as I'm in the middle of something, but it can unexpectedly remove IPs from one alias. There was a long thread a year or two ago, give or take.
Solution/workaround for that is to turn off dedupe, or IIRC use Alias Native and make your own rules.
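The two mechanisms discussed in the thread (an AU-located prefix arriving through the US_reps sub-list, and cross-alias deduplication silently dropping prefixes from a permit alias) are easier to see with a small model. The following is an added example, not code from the thread or from pfBlockerNG; the alias contents are constructed except for 13.210.0.0/15, which the thread identifies, and the deduplication model is an assumption (treated as "a prefix already present in an earlier alias is removed from later ones"), since the page does not describe the exact implementation.

```python
import ipaddress

# Constructed alias contents for illustration only; real pfBlockerNG GeoIP
# lists come from MaxMind and are far larger. 13.210.0.0/15 is the range the
# thread identifies as AU-located Amazon space that arrives via US_reps; the
# remaining prefixes are documentation ranges chosen for the example.
NAMERICA_V4 = {
    "US":      ["198.51.100.0/24", "203.0.113.0/24"],   # constructed
    "US_reps": ["13.210.0.0/15"],                       # from the thread
    "CA":      ["192.0.2.0/24"],                        # constructed
}

# Constructed deny alias that happens to share a prefix with the permit alias.
DENY_EXAMPLE_V4 = ["203.0.113.0/24", "100.64.0.0/10"]


def covering_entries(alias, src_ip):
    """Return (sub_list, prefix) pairs in `alias` whose prefix contains src_ip.

    Answers "why was this source allowed?" for a log line: the sub-list name
    tells you which GeoIP selection pulled the prefix into the alias.
    """
    ip = ipaddress.ip_address(src_ip)
    hits = []
    for sub_list, prefixes in alias.items():
        for p in prefixes:
            if ip in ipaddress.ip_network(p, strict=False):
                hits.append((sub_list, p))
    return hits


def without_sublist(alias, name):
    """Copy of `alias` with one sub-list dropped (the OP's 'uncheck US_reps')."""
    return {k: v for k, v in alias.items() if k != name}


def flatten(alias):
    """All prefixes of an alias as one list, the way a single pf table sees them."""
    return [p for prefixes in alias.values() for p in prefixes]


def dedupe_across_aliases(first, second):
    """Assumed model of cross-alias deduplication: any prefix already present
    in `first` (an alias processed earlier, e.g. a deny list) is removed from
    `second` (the permit alias). The exact pfBlockerNG behaviour is not
    described on the page; this only shows the effect the thread warns about.
    """
    seen = set(first)
    return [p for p in second if p not in seen]


def is_permitted(permit_prefixes, src_ip):
    """True if src_ip falls inside any prefix of the permit alias."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(p, strict=False) for p in permit_prefixes)


if __name__ == "__main__":
    # Why did an AU source get through the North America permit alias?
    print(covering_entries(NAMERICA_V4, "13.210.5.1"))
    # -> [('US_reps', '13.210.0.0/15')]
    print(covering_entries(without_sublist(NAMERICA_V4, "US_reps"), "13.210.5.1"))
    # -> []

    # Cross-alias dedup: a prefix in both a deny alias and the permit alias
    # vanishes from the permit alias, so a source that should match no longer does.
    permit_after = dedupe_across_aliases(DENY_EXAMPLE_V4, flatten(NAMERICA_V4))
    print(is_permitted(flatten(NAMERICA_V4), "203.0.113.7"))  # -> True
    print(is_permitted(permit_after, "203.0.113.7"))          # -> False
```

Run it against the source address from a GeoIP log line in place of 13.210.5.1; if the only hit comes from US_reps, unchecking that selection (as the OP ended up doing) is what removes the prefix from pfB_NAmerica_v4.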
-
@SteveITS said in pfBlockerNG not blocking some foreign sites using geoip:
or IIRC use Alias Native and make your own rules.
While I am a fan of that, and that is what I do - you will notice that US_reps contains that Amazon space that is listed as being delegated to amazo-syd, which would be Sydney, AU, which is where MaxMind shows it to be.
My understanding of the reps was that they include things like military bases, embassies, etc. Representative of the US, but it seems it's way more inclusive than I thought. And it includes address space owned by US companies that is assigned elsewhere?
You can edit the NA listing in pfBlocker to not include those.
If he is just looking as to why they are allowed, that I believe is answered. Now the question would be whether he actually wants to allow those or not. But it looks like he can remove the US_reps from the NA list if he so desires.
-
When I was checking out the IPs, I noticed quite often that Amazon was involved. I unchecked the US reps and will see what happens.
I noticed that 85000 addresses were removed when pfB updated...
Thank you!
No changes to Firewall rules, skipping Filter Reload
Updating: pfB_NAmerica_v4
85423 addresses deleted.UPDATE PROCESS ENDED [ 02/2/24 06:12:41 ]