Netgate Discussion Forum

    Country Block

pfSense Packages
    691 Posts 79 Posters 679.6k Views
tommyboy180

@darklogic:

Thanks for all your help. :)

I did your suggestion with the uncheck Bogon and added the cron package and applied the command you specified. All seems to be working well with the Country Block package now. I rebooted my firewall and all came up ok. I did notice I could access some Chinese websites with extensions of .cn

Does the Country Block work for both IPs and DNS naming or just IP?

On the cron job I made the new job entry with this criteria and maybe you have some suggestions or minor tweaks to it.

Cron Job:

Minute: 0
Hour: *
Mday: *
Month: *
Wday: *
Who: root
Command: /usr/local/etc/rc.d/countryblock.sh

You will still be able to access blocked countries unless you check 'Block Outbound' as well.

@darklogic:

Also, another question is what are the major differences from this package over the IP Block package. I am testing both out and I find the IP Block package to be somewhat misunderstanding on the .gz extension. I go to the ipblocklist.com website and not all the lists are using the .gz extension. Also none of the country lists seem to use it. They seem to have only .txt files which I am not sure will work. I also noticed countryipblocks.net seems to put all files in either .txt or html lists. My question is does the Country Block package query from these sources and if so, wouldn't it be more practical to have the list periodically download a fresh copy and store them on the pfsense box locally to save on bandwidth, or does that seem to be a stupid question.

Thanks,

Matt

The IP-Blocklist package uses lists of any extension. The only exception is if the list is compressed; then .gz is the only supported compressed format.
Country Block does pull from the site every time you update. The reason is you rarely need to update, but when you do you want it to pull from a live source. Bandwidth shouldn't be an issue; if it is, then countries hacking and spamming would be the least of your problems.

Good questions!

-Tom Schaefer
SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

Please support pfBlocker | File Browser | Strikeback
g4m3c4ck

Also note that Country Block takes less processing power because it works with CIDRs, which is native to pfsense. IP Block uses a list per IP, which takes more time to process. However, it can have its advantages when you want to block specific types of addresses.
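To make the CIDR-versus-per-IP point above concrete, here is an added example (not code from the Country Block or IP-Blocklist packages) that collapses a constructed per-host list into CIDR prefixes with Python's standard-library ipaddress module. The sample addresses are RFC 5737 TEST-NET ranges, chosen as stand-ins; the function names are mine.

```python
"""Added example (not code from the Country Block or IP-Blocklist packages):
collapse a per-host block list into CIDR prefixes with the standard-library
ipaddress module, to show why a CIDR list is far smaller, and cheaper to
load into a pf table, than the same coverage listed one address at a time."""
import ipaddress

# Constructed sample list from RFC 5737 TEST-NET ranges: two full /24s
# written out host by host, plus three scattered hosts.
SAMPLE_HOSTS = (
    [f"203.0.113.{i}" for i in range(256)]
    + [f"198.51.100.{i}" for i in range(256)]
    + ["192.0.2.1", "192.0.2.2", "192.0.2.200"]
)


def collapse_hosts(hosts):
    """Return the smallest set of networks covering every address in hosts."""
    nets = (ipaddress.ip_network(h) for h in hosts)  # "a.b.c.d" becomes a /32
    return list(ipaddress.collapse_addresses(nets))


def entry_counts(hosts):
    """(entries as a per-IP list, entries as a CIDR list) for the same hosts."""
    return len(hosts), len(collapse_hosts(hosts))


def is_listed(addr, nets):
    """Membership check: True if any network in nets contains addr."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


if __name__ == "__main__":
    per_ip, cidr = entry_counts(SAMPLE_HOSTS)
    print(f"{per_ip} per-IP entries collapse to {cidr} CIDR entries:")
    for n in collapse_hosts(SAMPLE_HOSTS):
        print(" ", n)
```

Two full /24s written out host by host are 512 table entries; collapsed, they are two. The three scattered hosts stay as /32s because no two of them are adjacent on an aligned boundary, which is exactly the case where a per-IP list still earns its keep.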
darklogic

I believe I found a problem with Country Block, or maybe there is something else I need to uncheck other than bogon. The problem I have right now is if I enable Country Block and run cron to restart it, all seems to be ok. You can access the net, people can access our sites from the outside world and life is good, unless you have BlackBerrys that connect to our Exchange server using the RIM services and connecting by an HTTPS URL to our hosted server. Mail will flow into our e-mail server like it should, but BlackBerry seems to have issues logging in over the HTTPS OWA URL to our domain. If I turn Country Block off, then all these e-mails start flooding into the BlackBerrys. If I turn Country Block on, same issue where e-mails will not make it to the BlackBerry. I am 110% sure this is being caused by Country Block after battling it for a few days now. I really do not want to give this amazing feature up for the sake of BlackBerrys not being able to get past it for e-mail.

Any HELP!!! would be nice, or if someone else has noticed this, please let me know.

Thanks,

Matt
darklogic

This is the e-mail message that will be sent to our BlackBerrys directly from BlackBerry. We only start to get these messages after Country Block is enabled.

Message Below:

This email account is not currently accessible by your BlackBerry device, so you may be experiencing a delay in email delivery. This issue may be caused by a temporary problem with your email provider. BlackBerry Internet Service will continue attempting to access this account.
Supermule

Do these phones use blocked country DNS or hosting??
darklogic

Our domain name service provider is Network Solutions. We reside in the US. I am not sure how you would be able to track down multiple DNS servers that the BlackBerrys would end up using. I would imagine that our DNS servers are ok since browsing of our site and receiving incoming SMTP seem to be working ok, which would use our DNS. This problem seems to be somewhere along the lines of affecting BlackBerry devices that are connecting over OWA using the BlackBerry RIM service. Example of connection: https://mail.ourdomain.com/owa

As far as knowing if they are hitting out-of-US DNS servers, I am not really sure how to find that out.

Thanks,

Matt
Supermule

Try to traceroute the traffic from the BlackBerry. Could be so that they use a subvendor for specific traffic and he is located in one of the blocked countries.
dpg2

Perhaps the following KB article from blackberry.com will help:

http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB11036&sliceId=SAL_Public&dialogID=69199896&stateId=0%200%20692%2001325

Are these blocks being blocked?
darklogic

dpg2

This was very helpful. I went to countrysipblocks.net and checked the IPs by CIDR, and it looks as if all BlackBerry service goes to either the United Kingdom or Canada, mostly Canada. And yes, I have both of them blocked. I did not try a traceroute yet. I am surprised to see that it appears all BlackBerry servers are not in the States, not one at all??? So if this is totally accurate, how would I allow only those CIDRs and block the rest of the country?

Thanks,

Matt
dpg2

Research in Motion is a Canadian company with its headquarters in Waterloo, Ontario.

I guess you need an 'allow' rule for the BlackBerry blocks ahead of the 'deny' rules that the Country Block package puts in place. I'm not sure how flexible the Country Block package is for that sort of thing.

I believe the 'URL Table Aliases' package may offer a solution since the address blocks can be handled as aliases and governed by rules directly in the web interface. Perhaps you could share a BlackBerry IP list from an internal server (or the pfsense box itself) and access it via a local URL (or just add the BB blocks to a regular alias, there aren't that many of them), and do the same with a list copied from countrysipblocks.net.
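The ordering point in the post above, that the vendor allow rule has to sit ahead of the country deny rules, is the whole fix, and it is easy to get backwards. The following is an added example, not code from the Country Block or URL Table Aliases packages: a first-match rule evaluator over CIDR lists that shows the working order next to the broken one, plus the "which country list is this address in" check used for diagnosis. All prefixes are constructed stand-ins from RFC 5737 TEST-NET space; the country codes, vendor blocks and function names are hypothetical.

```python
"""Added example, not code from the Country Block or URL Table Aliases
packages: first-match evaluation of an ordered rule list in which an explicit
allow list of vendor prefixes sits ahead of per-country deny lists, next to
the ordering that breaks (allow list after the deny lists). Every prefix is a
constructed stand-in from RFC 5737 TEST-NET space; the country codes and
vendor blocks are hypothetical."""
import ipaddress

# Constructed country lists (stand-ins, not real allocations).
COUNTRY_LISTS = {
    "CA": ["198.51.100.0/24"],
    "GB": ["203.0.113.0/24"],
}
# Hypothetical vendor prefixes that fall inside the blocked country ranges.
VENDOR_ALLOW = ["198.51.100.64/27", "203.0.113.128/26"]


def build_rules(allow, countries, allow_first=True):
    """Ordered (action, label, networks) rules; the first matching rule wins,
    as with pf 'quick' rules. allow_first=False reproduces the broken order."""
    allow_rule = ("allow", "vendor", [ipaddress.ip_network(p) for p in allow])
    deny_rules = [
        ("deny", cc, [ipaddress.ip_network(p) for p in prefixes])
        for cc, prefixes in countries.items()
    ]
    catch_all = ("allow", "default", [ipaddress.ip_network("0.0.0.0/0")])
    if allow_first:
        return [allow_rule, *deny_rules, catch_all]
    return [*deny_rules, allow_rule, catch_all]


def evaluate(addr, rules):
    """Return (action, label) of the first rule whose networks contain addr."""
    ip = ipaddress.ip_address(addr)
    for action, label, nets in rules:
        if any(ip in n for n in nets):
            return action, label
    return "deny", "implicit"  # only reached without a catch-all rule


def country_of(addr, countries):
    """Diagnostic: the country list containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    for cc, prefixes in countries.items():
        if any(ip in ipaddress.ip_network(p) for p in prefixes):
            return cc
    return None


if __name__ == "__main__":
    good = build_rules(VENDOR_ALLOW, COUNTRY_LISTS)
    bad = build_rules(VENDOR_ALLOW, COUNTRY_LISTS, allow_first=False)
    for addr in ["198.51.100.70", "198.51.100.10", "203.0.113.130", "192.0.2.5"]:
        print(addr, "country:", country_of(addr, COUNTRY_LISTS),
              "allow-first:", evaluate(addr, good),
              "deny-first:", evaluate(addr, bad))
```

With the allow rule first, a vendor address inside the Canadian range is permitted while the rest of that range stays denied; with the allow rule after the deny rules, the same address is denied by the country rule before the allow rule is ever consulted, which is the symptom described earlier in the thread. The same first-match logic is what an alias-based allow rule placed above the Country Block rules relies on.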
g4m3c4ck

I cannot get Country Block to stay running for the life of me. I have cron running the script every five minutes and I know it is executing because I have its output logged to a temporary file and the timestamp is correct. It seems to be working but it always says "not running" in red.
Supermule

Use Firefox to see it.
g4m3c4ck

I was about to kick myself in the head because I have become so accustomed to Chrome and I forget I am using it. However, Firefox yields the same results for me.
Supermule

Are you rendering the page in FF or IE??
g4m3c4ck

Ok, this really goes in the DUR department. Refreshing the page works wonders lol. In both FF and Chrome.
Supermule

DUR?? Forgive me for not being native to the language ;)

@g4m3c4ck:

Ok, this really goes in the DUR department. Refreshing the page works wonders lol. In both FF and Chrome.
simby

Not working on pfSense 2.0... can you please check?
tommyboy180

I can't think of a reason why it wouldn't work, but then again I never bothered to test on 2.0 beta. Hopefully I will find some time in the next couple of days to check it out.

I do need this package to work on 2.0, so I will get it working shortly.

-Tom Schaefer
SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

Please support pfBlocker | File Browser | Strikeback
simby

Thanks Tommy :)
XIII

Really good package Tommy, thanks for your help.

-Chris Stutzman
Sys0:2.0.1: AMD Sempron 140 @2.7 1024M RAM 100GHD
Sys1:2.0.1: Intel P4 @2.66 1024M RAM 40GHD
freedns.afraid.org - Free DNS dynamic DNS subdomain and domain hosting.
Check out the pfSense Wiki
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.