Country Block
-
Something must have been hanging around. Had to remove, then reinstall. Now have CIDR folder and have networks blocked.
Thanks for the help, its better help than we get around here for paid support…
Sorry sorry for the misunderstanding…. I meant paid support here at our shop ::)
-
I am sorry for confusion …..
recently had this:
Current Status = Restarting
no IP address found for __csrf_magic
You are blocking 0 NetworksPfsence 2.0 Beta 5 ......
-
@ghm:
That's strange. I added embedded support in version 1.5 a long time ago. What package version do you have?
0.2.0 - I attach a list of my installed packages below. CB is my newest.
OK - and I can reproduce the following: My system gets a new dynamic WAN-IP every 12hrs (ISP requires that). That change renders CountyBlock not enabled and I have to re-enable manually.
-
You can add a cron job…..
I cant remember which file to add to the job, but Tom knows.....:)
-
I have the same problem even after setting up the cron. Have to manually enable it and then it works. 2.0 beta 5 …...
I have fallowed this thread with cron guidance but it looks like it does not work .....
Please advice
-
When you check "Enable Logging?" in the settings page, where is it being logged to?
-
When you check "Enable Logging?" in the settings page, where is it being logged to?
The firewall tab under system logs.
-
Thank you. I appreciate the kind words. I'm sure many other package managers are just the same.
I am only referring to my personal experience in contacting you. I know most if not all are very excellent.
For the cron job the command is : /usr/local/etc/rc.d/countryblock.sh
-
For the cron job the command is : /usr/local/etc/rc.d/countryblock.sh
I have now installed the Cron package as well, reinstalled Country Block and added the above command (every */5 minutes). It does not restart Country Block properly. I do see the following in Syslog every 5 minutes:
root: Countryblock was found not runningIs there a restart option that I need to add or is 5min to long - or else?
Thanks!
-
Is it possible to build a cron job as a part of CB?? So it does this automatically??
-
My cronjob is not working either…...it starts the package every minute.
Not running is the current status and the Cron doesnt start it.
-
After I go into the topic more deeply, I have found that Country Block is running. Problem was with crone ( */5 ) => (0) fixed the problem.
Also:
 -
But then it runs all the time….
Not optimal...
@mst:
After I go into the topic more deeply, I have found that Country Block is running. Problem was with crone ( */5 ) => (0) fixed the problem.
Also:
-
But then it runs all the time….
Not optimal...
@mst:
After I go into the topic more deeply, I have found that Country Block is running. Problem was with crone ( */5 ) => (0) fixed the problem.
Also:
The cron script checks to see if countryblock is running. If it is then it will exit and if countryblock is not running then it will attempt to start the package. It's fine.
-
The cron script checks to see if countryblock is running. If it is then it will exit and if countryblock is not running then it will attempt to start the package. It's fine.
…still only get```
root: Countryblock was found not running -
sorry false alarm….. I was too happy ....
after almost one day of working get this again:
Current Status = NOT running
no IP address found for __csrf_magicI used firefox ....
-
The cron script checks to see if countryblock is running. If it is then it will exit and if countryblock is not running then it will attempt to start the package. It's fine.
I've now executed the command manually - and the status page now shows:```
Current Status = NOT running
/tmp/rules.debug:79: cannot load "/usr/local/www/packages/countryblock/lists/countries.txt": No such file or directory
You are blocking 0 NetworksAgain, if I start CountryBlock manually via the WebIF its runs until the next PPPOE restart. But the command /usr/local/etc/rc.d/countryblock.sh does not restart it. In fact I get this if I execute it manually (yes, it echoes "not running" and then the contents is printed,,,):$ /usr/local/etc/rc.d/countryblock.sh
not running
Content-type: text/html#version 2.0
#check if countryblock running
export resultr=pfctl -s rules | grep -c countryblock
#echo $resultr
if [ "$resultr" -gt "0" ]; then
echo running
exit 1
else
echo not running
/usr/bin/logger -s "Countryblock was found not running"
echo "Countryblock not running" | /usr/local/bin/php /usr/local/www/packages/countryblock/email_send.php
fipfctl -t countryblock -T kill
sed -i -e '/countryblock/d' /tmp/rules.debug#Now edit /tmp/rules.debug
#find my line for table
export i=grep -n 'block quick from any to <snort2c>' /tmp/rules.debug | grep -o '[0-9]\{2,4\}'
export t=grep -n 'User Aliases' /tmp/rules.debug |grep -o '[0-9]\{1,2\}'i=$(($i+'1'))
t=$(($t+'1'))
#i = line where <snort2c>is
#t is where 'User Aliases' is
echo $i
echo $trm /tmp/rules.debug.tmp
#Insert table-entry limit
sed -i -e '/900000/d' /tmp/rules.debug
while read line
do a=$(($a+1));
#echo $a;
if [ "$a" = "$t" ]; then
echo "" >> /tmp/rules.debug.tmp
echo "set limit table-entries 900000" >> /tmp/rules.debug.tmp
fi
echo $line >> /tmp/rules.debug.tmp
done < "/tmp/rules.debug"mv /tmp/rules.debug /tmp/rules.debug.old
mv /tmp/rules.debug.tmp /tmp/rules.debugpfctl -o basic -f /tmp/rules.debug > errorOUT.txt 2>&1
rm /tmp/rules.debug.tmp
#Insert countryblock rules
a="0"
echo $a
while read line
do a=$(($a+1));
echo $a;
if [ "$a" = "$i" ]; then
echo "" >> /tmp/rules.debug.tmp
echo "#countryblock" >> /tmp/rules.debug.tmp
echo "table <countryblock>persist file '/usr/local/www/packages/countryblock/lists/countries.txt'" >> /tmp/rules.debug.tmp
echo "table <countryblockw>persist file '/usr/local/www/packages/countryblock/countries-white.txt'" >> /tmp/rules.debug.tmpfor i in $(cat /usr/local/www/packages/countryblock/interfaces.txt); do echo "pass quick from <countryblockw>to $i label 'countryblock'" >> /tmp/rules.debug.tmp echo "pass quick from $i to <countryblockw>label 'countryblock'" >> /tmp/rules.debug.tmp if [ -f logging ]; then echo "block log quick from <countryblock>to $i label 'countryblock'" >> /tmp/rules.debug.tmp else echo "block quick from <countryblock>to $i label 'countryblock'" >> /tmp/rules.debug.tmp fi if [ -f OUTBOUND ]; then echo "block quick from $i to <countryblock>label 'countryblock'" >> /tmp/rules.debug.tmp fi done fi echo $line >> /tmp/rules.debug.tmpdone < "/tmp/rules.debug"
mv /tmp/rules.debug /tmp/rules.debug.old
mv /tmp/rules.debug.tmp /tmp/rules.debugrm errorOUT.txt
pfctl -o basic -f /tmp/rules.debug > /usr/local/www/packages/countryblock/errorOUT.txt 2>&179
10
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209</countryblock></countryblock></countryblock></countryblockw></countryblockw></countryblockw></countryblock></snort2c></snort2c>I've left the empty lines in. If I start Country Block via ticking the box on the WebIF and then run the script, it correctly returns``` $ /usr/local/etc/rc.d/countryblock.sh runningThis is all happening on 1.2.3 nanobsd using firefox.
-
looks like I have the same problem as rajkedda had:
[2.0-BETA5][root@pfsense.home]/usr/local/etc/rc.d(4): ./countryblock.sh
not running
root: Countryblock was found not running
pfctl: Table does not exist.
Content-type: text/htmlMessage sent! - Go Back0 table deleted.
94
19
rm: /tmp/rules.debug.tmp: No such file or directory
rm: /tmp/rules.debug.tmp: No such file or directory
0
1
2
3 -
When you check "Enable Logging?" in the settings page, where is it being logged to?
The firewall tab under system logs.
Thought so. Then:
A. I'm getting no traffic at all from any of the top spammers,
B. Country Block isn't running even though it says "Running…. Blocking 11110 Networks",
C. Logging isn't working right for me somehow, or
D. The only traffic I have heading my way is being handled by the 28 rules I have on my TWAN interface already.Are the country block rules before or after any rules we already have under the regular firewall rules? Because a few of the ranges I excluded manually a long time ago show entries in the firewall log every 5-10 minutes.
Might this be related to my config and country block isn't compatible with it? I'm running 1.2.3, I have 2 WANs, one T1 and one cable modem. The T1 is where I want country block (and it is selected alone under "interfaces") as it is where the servers reside. The T1 also has 5 IP addresses assigned statically. The cable modem handles all the client/user traffic and is the 'real' WAN port. There are also 6 other interfaces on this machine.
In my config file I have the following being applied to that interface (the only way I could get this interface working right):
<shellcmd>/sbin/ifconfig fxp2 #.#.#.203 netmask 255.255.255.255 alias</shellcmd>
<shellcmd>/sbin/ifconfig fxp2 #.#.#.204 netmask 255.255.255.255 alias</shellcmd>
<shellcmd>/sbin/ifconfig fxp2 #.#.#.205 netmask 255.255.255.255 alias</shellcmd>
<shellcmd>/sbin/ifconfig fxp2 #.#.#.206 netmask 255.255.255.255 alias</shellcmd>
.....
<opt2><if>fxp2</if>
<descr>TWAN</descr>
<bridge><ipaddr>#.#.#.202</ipaddr>
<subnet>29</subnet>
<gateway>#.#.#.201</gateway>
<spoofmac><mtu><enable></enable></mtu></spoofmac></bridge></opt2>I'm working on a little script that will just take the content of the files from countryipblocks.net and just creates something I can paste directly into the config.xml so I can be sure what I want blocked is blocked anyway. But I'm willing to keep trying on CB until it works.
-
When you check "Enable Logging?" in the settings page, where is it being logged to?
The firewall tab under system logs.
Thought so. Then:
A. I'm getting no traffic at all from any of the top spammers,
B. Country Block isn't running even though it says "Running…. Blocking 11110 Networks",
C. Logging isn't working right for me somehow, or
D. The only traffic I have heading my way is being handled by the 28 rules I have on my TWAN interface already.Are the country block rules before or after any rules we already have under the regular firewall rules? Because a few of the ranges I excluded manually a long time ago show entries in the firewall log every 5-10 minutes.
Might this be related to my config and country block isn't compatible with it? I'm running 1.2.3, I have 2 WANs, one T1 and one cable modem. The T1 is where I want country block (and it is selected alone under "interfaces") as it is where the servers reside. The T1 also has 5 IP addresses assigned statically. The cable modem handles all the client/user traffic and is the 'real' WAN port. There are also 6 other interfaces on this machine.
In my config file I have the following being applied to that interface (the only way I could get this interface working right):
<shellcmd>/sbin/ifconfig fxp2 #.#.#.203 netmask 255.255.255.255 alias</shellcmd>
<shellcmd>/sbin/ifconfig fxp2 #.#.#.204 netmask 255.255.255.255 alias</shellcmd>
<shellcmd>/sbin/ifconfig fxp2 #.#.#.205 netmask 255.255.255.255 alias</shellcmd>
<shellcmd>/sbin/ifconfig fxp2 #.#.#.206 netmask 255.255.255.255 alias</shellcmd>
.....
<opt2><if>fxp2</if>
<descr>TWAN</descr>
<bridge><ipaddr>#.#.#.202</ipaddr>
<subnet>29</subnet>
<gateway>#.#.#.201</gateway>
<spoofmac><mtu><enable></enable></mtu></spoofmac></bridge></opt2>I'm working on a little script that will just take the content of the files from countryipblocks.net and just creates something I can paste directly into the config.xml so I can be sure what I want blocked is blocked anyway. But I'm willing to keep trying on CB until it works.
Check block outbound.
Re-save/update countryblock so the rules are re-applied.
Ping a country that is blocked (check the country txt file if your unsure of any ip ranges)
It should show in the firewall logs and you should get an error that says "operation not permitted" meaning it's working!