Country Block

mgc6288

I all of a sudden keep getting the error:

/tmp/rules.debug:115: cannot load "/usr/local/www/packages/ipblocklist/lists/ipfw.ipfw": No such file or directory

Any ideas?  This started, possibly coincidentally, after trying to enable both the country and the ip blocklists simultaneously.

EDIT: Well I kind of answered my own question.  When I removed all the .gz links from within ip-blocklist then all of a sudden the country block loaded just fine.  Is it possible to have both on at the same time, or for some reason not a good idea?

tommyboy180

They are both designed to work together if both are installed. I run both packages without a problem.

I know the error you pasted. I have gotten that error many time myself. Disabling IP-blocklist and re-enabling it usually helps.

Supermule

Done :) No errors!

Guest

So far seems to be working good. Also thanks for the whitelist feature. That really helps me a lot.

One other thing or request if you ever get free time to do so, I was wondering if you could make a log section that would either dump to the firewall log or maybe just within the package itself that would show the IP's that are being blocking by specificly the Country Block package?

Currently I don't believe the blocks show up in the firewall logs for either a block or whitelist pass.

Then down the road maybe the logging could generate reports on the CIDRS and pin-point a list of attacks and blocks from the countries and the IP's they belong to.

Thanks for all your hard work on this package. As far as running the IP-Block and Country Block together, all seems to work well.

Again Thanks,

Matt

tommyboy180

That actually sounds like a good idea. I will start work immediately.

samus

Excellent work Tom, this package is wonderfull, but sometimes when I've forbidden countries like Pakistan my access was stopped (I live in France), but it's not a problem at the moment.

The idea to see with the firewall log the country where is situated the IP is wonderfull and with this your package will be perfect  :P

Thanks again Tom !

HoTWiReZ

First off, thank you for creating this package.  It is very helpful to me in dealing with the worst spam offenders.

That said, I have noticed a few typos in the country names, and a few missing countries (unless I have missed something myself).  This list is probably not complete, but they are the most recent examples that come to mind for me.

Typos: 
Burkia Faso –> Burkina Faso
Argentia --> Argentina

Missing countries:
Montenegro
India

Again, thank you for creating this!

darklogic

HoTWiReZ

WOW and I mean 01010111 01001111 01010111

tommyboy180, you be the man…

deltaend

Tommyboy, this is one of the most useful packages I have installed so far.  You sir, have made my life worth living again. :)

Although, I really hate the idea that someday these type of blocks will become more common where we just get sick of countries who have such a high fraud profile that we simply block the entire country, I have to admit that since I never to ANY business with about 90% of them that I don't feel bad about personally blocking them.  I can, however, imagine a world of elitists where we block internet traffic from the majority of the developing world due to endless waves of spam and sniffing.

I guess the burden of this future will be more in the hands of those who prosecute the developing world's abuses rather than those who defend their equipment against it.

tommyboy180

@deltaend:

Tommyboy, this is one of the most useful packages I have installed so far.  You sir, have made my life worth living again. :)

Although, I really hate the idea that someday these type of blocks will become more common where we just get sick of countries who have such a high fraud profile that we simply block the entire country, I have to admit that since I never to ANY business with about 90% of them that I don't feel bad about personally blocking them.  I can, however, imagine a world of elitists where we block internet traffic from the majority of the developing world due to endless waves of spam and sniffing.

I guess the burden of this future will be more in the hands of those who prosecute the developing world's abuses rather than those who defend their equipment against it.

Thank you.
You are right. Unfortunately, I don't feel bad. A country constantly scanning me or sending SPAM needs to be blocked on my network. I don't want them looking at my website, searching for vulnerabilities, or constantly trying to brute force my SSH server. I made it easy for me and those who get frustrated with trying to minimize the damage caused by these countries. Blocking the entire country could affect them, but I don't see how. If you did business with that country then you wouldn't block them but if you have no business then no harm done.
Maybe more tools like this will cause countries to enforce laws more in the future. Who knows…

danswartz

I run my own postfix mail server.  Probably 80% of the spam comes from russia, china, korea or japan.  I get no legitimate mail from anyone in those countries.  So, I will be installing this ASAP :)

cmb

@tommyboy180:

Thank you.
You are right. Unfortunately, I don't feel bad. A country constantly scanning me or sending SPAM needs to be blocked on my network. I don't want them looking at my website, searching for vulnerabilities, or constantly trying to brute force my SSH server. I made it easy for me and those who get frustrated with trying to minimize the damage caused by these countries. Blocking the entire country could affect them, but I don't see how. If you did business with that country then you wouldn't block them but if you have no business then no harm done.
Maybe more tools like this will cause countries to enforce laws more in the future. Who knows…

Where feasible, it's sensible security policy regardless of where you are in the world - if you don't have to allow something, don't allow it. Many companies do no business outside of their own country or a select few countries, so why allow the entire Internet? As useful as it is for those in this thread, who look to be largely in the US, it's just as useful to those in countries some US companies may want to block. Abuse isn't limited to any particular country, it comes from all over. A Russian company that does no business in the US could drop off their spam and hack attempts considerably by blocking the US, where it's sensible for some US companies to do the opposite. The same way those of us in the US see all these attacks from Russia, China, India, Nigeria, and elsewhere, people in those countries see just as much abuse from hosts in the US and see it the same way in the same circumstances - unnecessary traffic that can be blocked entirely. This isn't limited to any country, and isn't that much about enforcing sensible policies on Internet users. That's largely done in the US, but a large portion of the spam and hack attempts we see come from the US.

Keep in mind this can help a lot, but if you're being specifically targeted, may not provide the level of assurance you think it does. Every country has plenty of compromised hosts, or hosts that can be compromised, to use to launch attacks. It's a good measure to drop off things you know have no place being on your network, but still leaves plenty of exposure.

philrou

to th enewbie guy, country block in the 1.23 packages not installed (if you're using 1.2.3 pfsense release).

JustinHoMi

I'm having trouble with this package. After I click save, it says "Current status = Running". But a few minutes later it will stop running. Any ideas on how to debug this?

FYI, I only have the "Top Spammers" checked.

tommyboy180

@JustinHoMi:

I'm having trouble with this package. After I click save, it says "Current status = Running". But a few minutes later it will stop running. Any ideas on how to debug this?

FYI, I only have the "Top Spammers" checked.

Are you making changes to firewall settings? Please read the FAQ on the first post.

JustinHoMi

No, this happens without making any firewall changes.

tommyboy180

@JustinHoMi:

No, this happens without making any firewall changes.

To help you better I need more info.
Version of pfsense:
packages installed:
How you applying the package:
After it's running, when do you notice it's not:

JustinHoMi

I'm using pfsense 1.2.3.

I installed the package with the web interface. When configuring it, I click enable, commit, and save. However, usually after clicking commit, it disables the Enable checkbox. So it's more like enable, commit, enable, save.

I notice it's not running after waiting a few minutes then going back to the Country Block configuration page.

# pkg_info
arc-5.21o_1         Create & extract files from DOS .ARC files
arj-3.10.22_1       Open-source ARJ
arj-3.10.22_3       Open-source ARJ
bandwidthd-2.0.1_1  Tracks bandwidth usage by IP address
clamav-0.96.1       Command line virus scanner written entirely in C
cyrus-sasl-2.1.22_1 RFC 2222 SASL (Simple Authentication and Security Layer)
cyrus-sasl-2.1.23   RFC 2222 SASL (Simple Authentication and Security Layer)
denyhosts-2.5       Script to thwart ssh attacks
gd-2.0.35,1         A graphics library for fast creation of images
gdbm-1.8.3_3        The GNU database manager
havp-0.91_1         HTTP Antivirus Proxy
jpeg-6b_4           IJG's jpeg compression utilities
lha-1.14i_6         Archive files using LZSS and Huffman compression (.lzh file
libiconv-1.11_1     A character set conversion library
lightsquid-1.7.1_1  A light and fast web based squid proxy traffic analyser
mysql-client-5.1.44_1 Multithreaded SQL database (client)
ntop-3.3.8          Network monitoring tool with command line and web interface
openldap-client-2.4.10 Open source LDAP client implementation
openldap-client-2.4.11 Open source LDAP client implementation
openldap-client-2.4.22 Open source LDAP client implementation
p5-GD-2.39          A perl5 interface to Gd Graphics Library version2
pcre-7.9            Perl Compatible Regular Expressions library
pcre-8.00           Perl Compatible Regular Expressions library
pcre-8.02           Perl Compatible Regular Expressions library
perl-5.10.1         Practical Extraction and Report Language
perl-5.10.1_1       Practical Extraction and Report Language
perl-5.8.8_1        Practical Extraction and Report Language
perl-5.8.9_3        Practical Extraction and Report Language
python24-2.4.3_3    An interpreted object-oriented programming language
snort-2.8.6_1       Lightweight network intrusion detection system
squid-2.7.9         HTTP Caching Proxy
squid_radius_auth-1.10 RADIUS authenticator for squid proxy 2.5 and later
stunnel-4.25        SSL encryption wrapper for standard network daemons
unzoo-4.4_2         A zoo archive extractor

From the web interface:
Country Block
Dashboard
Dashboard Widget: Antivirus Status
Dashboard Widget: HAVP
Dashboard Widget: Snort
HAVP antivirus
Lightsquid
OpenVPN Status
bandwidthd
ntop
snort
squid
stunnel

All the latest versions except squid, which looks like it was updated today.

tommyboy180

Something is regenerating your firewall settings I think. Every time rules.debug is run your country block package stops running. I have been running country block for a month now without errors or interruption.

Start to eliminate variables. Disable packages and services and start to narrow it down. If you want to help me get to the bottom of this now email me your config and I can probably give you an answer within the hour.

JustinHoMi

Ok I'll start disabling packages and see what happens. If I can't figure it out I'll send you my config.