Netgate Discussion Forum

Country Block

pfSense Packages
  • S
    simby
    last edited by Jun 9, 2010, 2:05 PM

    an info, for pfsense 2.0? when can we DL?

    • K
      killervette
      last edited by Jun 9, 2010, 9:15 PM

      Will this run on 2.0 beta? Can I block all countries except the US without running into performance/memory issues running an ALIX board?

      • S
        Supermule Banned
        last edited by Jun 10, 2010, 9:07 AM Jun 9, 2010, 9:18 PM

        Forget I said anything….. ::) :D Mixed up the DNS Blacklist package with the Countryblock package.......

        @killervette:

        Will this run on 2.0 beta? Can I block all countries except the US without running into performance/memory issues running an ALIX board?

        • K
          killervette
          last edited by Jun 9, 2010, 10:32 PM

          @Supermule:

          Use the whitelist feature instead ;)

          @killervette:

          Will this run on 2.0 beta? Can I block all countries except the US without running into performance/memory issues running an ALIX board?

          I'm new with pfSense. Is whitelist a feature in Country Block? I have not installed it yet since I am on 2.0 beta and wasn't sure if it will work.

          • T
            tommyboy180
            last edited by Jun 9, 2010, 10:45 PM

            @killervette:

            Will this run on 2.0 beta? Can I block all countries except the US without running into performance/memory issues running an ALIX board?

            If you are running embedded you may; by that I mean I don't test on embedded if that is what you run. As far as ALIX goes you should have almost 0 performance interference from this package.

            This will run on 2.0, 32bit and 64bit. Hopefully a package commit will be completed here soon.

            -Tom Schaefer
            SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

            Please support pfBlocker | File Browser | Strikeback

            • K
              killervette
              last edited by Jun 10, 2010, 12:56 AM

              So a new guy question: where do I go to install it? I don't see it in my 1.2.3 package list.

              • T
                tommyboy180
                last edited by Jun 10, 2010, 1:33 AM

                Countryblock is now a package!

                -Tom Schaefer
                SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

                Please support pfBlocker | File Browser | Strikeback

                • A
                  Alan87i
                  last edited by Jun 10, 2010, 1:59 AM

                  Running V123, don't see it in the list.
                  I have lusca cache installed. Is that why, maybe?

                  • S
                    Supermule Banned
                    last edited by Jun 10, 2010, 8:50 AM

                    I see it in the list…..running 1.2.3. Is there a way to make it keep running even if states and rules change??? Something like a Fire and Forget missile??? :D

                    That would be good.....:)

                    • T
                      tommyboy180
                      last edited by Jun 10, 2010, 11:43 AM

                      When a firewall rule change is made, /tmp/rules.debug is re-generated. The problem is that /tmp/rules.debug isn't written to, it's generated. To overcome this my two firewall packages inject the tables and rules into the file and then apply without regenerating.

                      If I were to make it so you can fire and forget then I would have to make significant pfsense system changes which would do more harm than good, especially if something were to go wrong.

                      What's nice is that it runs on start-up if enabled. With that being said, you can create a cron job to execute the package every hour, or five mins. This would be an easy and safe way of ensuring it's running all the time.

                      -Tom Schaefer
                      SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

                      Please support pfBlocker | File Browser | Strikeback

                      • D
                        darklogic
                        last edited by Jun 10, 2010, 12:07 PM

                        This package sounds sweet!!! Do you have maybe a writeup on creating the cron job to start the package every hour?

                        • S
                          Supermule Banned
                          last edited by Jun 10, 2010, 12:25 PM

                          Thx ever so much for this Tom!!! :)

                          @tommyboy180:

                          When a firewall rule change is made, /tmp/rules.debug is re-generated. The problem is that /tmp/rules.debug isn't written to, it's generated. To overcome this my two firewall packages inject the tables and rules into the file and then apply without regenerating.

                          If I were to make it so you can fire and forget then I would have to make significant pfsense system changes which would do more harm than good, especially if something were to go wrong.

                          What's nice is that it runs on start-up if enabled. With that being said, you can create a cron job to execute the package every hour, or five mins. This would be an easy and safe way of ensuring it's running all the time.

                          • C
                            csnf
                            last edited by Jun 10, 2010, 3:42 PM

                            Got the package installed on my pfSense 1.2.3-RELEASE on nanobsd.  I've attempted to start this up and I get file system errors trying to write.  What commands do I need to make in order for your package to be able to write its changes?

                            Is there not a way to write in a RW filesystem to commit changes then turn it back to Read only?

                            BTW, this looks awesome…hope I can use it!

                            • G
                              g4m3c4ck
                              last edited by Jun 10, 2010, 5:21 PM

                              Tommy, everything works great; being able to block China kicks major booty. 80% of attempted attacks come from there. I have a question though. What does select/unselect do?

                              • G
                                g4m3c4ck
                                last edited by Jun 10, 2010, 5:50 PM

                                @tommyboy180:

                                . With that being said, you can create a cron job to execute the package every hour, or five mins. This would be an easy and safe way of ensuring it's running all the time.

                                To save me some time, what syntax do you use for your cron job? I know how to use cron but I am unsure what to run.

                                • D
                                  darklogic
                                  last edited by Jun 10, 2010, 7:17 PM

                                  I selected to block all and then unchecked the basics such as United States and Canada. When I commit and then check enabled and then click save/update, the pfsense box would lock up and nothing was able to flow across the Internet even though I had United States unchecked from the block list. I rebooted the pfsense manually and then everything appeared to come up as normal but no access to the IP webgui or Internet. I had to reinstall pfsense. I added the country block package back and only selected the top 10 spammers and that seems to be working ok.

                                  Any idea on why an all block other than the United States would cause the system to not work at all?

                                  Thanks,

                                  Matt

                                  • T
                                    tommyboy180
                                    last edited by Jun 10, 2010, 8:05 PM

                                    @csnf:

                                    Got the package installed on my pfSense 1.2.3-RELEASE on nanobsd.  I've attempted to start this up and I get file system errors trying to write.  What commands do I need to make in order for your package to be able to write its changes?

                                    Is there not a way to write in a RW filesystem to commit changes then turn it back to Read only?

                                    BTW, this looks awesome…hope I can use it!

                                    I can look further into this, I usually don't support nanobsd because of special exceptions I make.
                                    The script is getting hung up on creating two files, countries.txt and lists/countries.txt. Perhaps you can make these files and modify the permissions so they cannot be removed.

                                    @g4m3c4ck:

                                    Tommy, everything works great; being able to block China kicks major booty. 80% of attempted attacks come from there. I have a question though. What does select/unselect do?

                                    Select/unselect will check all boxes or uncheck all boxes. Much faster than clicking 200 some countries.

                                    @g4m3c4ck:

                                    @tommyboy180:

                                    . With that being said, you can create a cron job to execute the package every hour, or five mins. This would be an easy and safe way of ensuring it's running all the time.

                                    To save me some time, what syntax do you use for your cron job? I know how to use cron but I am unsure what to run.

                                    The file to run is "/usr/local/etc/rc.d/countryblock.sh".
                                    For those who need help with cron jobs, there is a cron job package that will give you an easy GUI.

                                    @darklogic:

                                    I selected to block all and then unchecked the basics such as United States and Canada. When I commit and then check enabled and then click save/update, the pfsense box would lock up and nothing was able to flow across the Internet even though I had United States unchecked from the block list. I rebooted the pfsense manually and then everything appeared to come up as normal but no access to the IP webgui or Internet. I had to reinstall pfsense. I added the country block package back and only selected the top 10 spammers and that seems to be working ok.

                                    Any idea on why an all block other than the United States would cause the system to not work at all?

                                    Thanks,

                                    Matt

                                    Ahh yes Matt. When you checked all countries you checked the Bogon list as well.
                                    I think I need to take that out! For the meantime you can get into the console of the pfsense box and run this command: "pfctl -t countryblock -T kill"

                                    Then you will be able to go back into the GUI, uncheck Bogons and then continue blocking China.

                                    -Tom Schaefer
                                    SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

                                    Please support pfBlocker | File Browser | Strikeback

                                    • D
                                      darklogic
                                      last edited by Jun 11, 2010, 2:48 PM

                                      Thanks for all your help. :)

                                      I did your suggestion with the uncheck Bogon and added the cron package and applied the command you specified. All seems to be working well with the Country Block package now. I rebooted my firewall and all came up ok. I did notice I could access some Chinese websites with extensions of .cn

                                      Does the Country Block work for both IP's and DNS naming or just IP?

                                      On the cron job, I made the new job entry with these criteria, and maybe you have some suggestions or minor tweaks to it.

                                      Cron Job:

                                      Minute: 0
                                      Hour: *
                                      Mday: *
                                      Month: *
                                      Wday: *
                                      Who: root
                                      Command:  /usr/local/etc/rc.d/countryblock.sh

                                      • chpalmerC
                                        chpalmer
                                        last edited by Jun 11, 2010, 7:16 PM Jun 11, 2010, 4:16 PM

                                        @darklogic:

                                        I selected to block all and then unchecked the basics such as United States and Canada. When I commit and then check enabled and then click save/update, the pfsense box would lock up and nothing was able to flow across the Internet even though I had United States unchecked from the block list. I rebooted the pfsense manually and then everything appeared to come up as normal but no access to the IP webgui or Internet. I had to reinstall pfsense. I added the country block package back and only selected the top 10 spammers and that seems to be working ok.

                                        Any idea on why an all block other than the United States would cause the system to not work at all?

                                        Thanks,

                                        Ditto.

                                        For info, I'm on a 172.31.x.x/24 subnet…   pfSense 1.2.3 full install.  My thought is that my subnet was blocked on the LAN side. Consoling in locally still worked.

                                        Thanks for all the hard work!

                                        edit=  I see the response now that I missed before...

                                        Triggering snowflakes one by one..
                                        Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.
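
The lockout discussed above is consistent with a block table that covers the firewall's own LAN: bogon lists include the RFC 1918 private ranges, and a 172.31.x.x LAN falls inside 172.16.0.0/12. As an added example (not part of the thread or of the Countryblock package), this Python pre-flight check cuts protected networks out of a block list before it is loaded; the sample list, the protected networks and the function names are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample in one-CIDR-per-line form. The first three entries are
# RFC 1918 ranges, which bogon lists include; the last two are documentation
# ranges standing in for country entries.
SAMPLE_BLOCKLIST = """\
# bogons
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
# country entries (placeholders)
198.51.100.0/24
203.0.113.0/24
not-a-cidr
"""

# Assumption: the LAN and the management host that must stay reachable.
PROTECTED = ["172.31.1.0/24", "192.168.1.1/32"]


def parse_blocklist(text):
    """Return (networks, rejected_lines); comments and blank lines are skipped."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append(line)
    return nets, rejected


def carve_out(blocked, protected):
    """Return the block entries with every protected network cut out of them."""
    result = list(blocked)
    for p in (ipaddress.ip_network(x) for x in protected):
        kept = []
        for b in result:
            if b.version != p.version or not b.overlaps(p):
                kept.append(b)                       # unrelated entry, keep as is
            elif p.subnet_of(b):
                kept.extend(b.address_exclude(p))    # split b around the hole
            # otherwise b lies inside p and is dropped entirely
        result = kept
    return result


if __name__ == "__main__":
    nets, bad = parse_blocklist(SAMPLE_BLOCKLIST)
    print("rejected lines:", bad)
    for net in carve_out(nets, PROTECTED):
        print(net)
```

On the firewall itself, `pfctl -t countryblock -T show` lists what the table currently holds, which can be fed through the same check.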

                                        • D
                                          darklogic
                                          last edited by Jun 11, 2010, 6:41 PM

                                          Also, another question: what are the major differences between this package and the IP Block package? I am testing both out and I find the IP Block package to be somewhat misunderstanding on the .gz extension. I go to the ipblocklist.com website and not all the lists are using the .gz extension. Also, none of the country lists seem to use it. They seem to have only .txt files, which I am not sure will work. I also noticed countryipblocks.net seems to put all files in either .txt or HTML lists. My question is: does the Country Block package query from these sources, and if so, wouldn't it be more practical to have the list periodically download a fresh copy and store it on the pfsense box locally to save on bandwidth, or does that seem to be a stupid question?

                                          Thanks,

                                          Matt
