Netgate Discussion Forum

    Country Block

    pfSense Packages

      tommyboy180

      @Supermule:

      But then it runs all the time….

      Not optimal...

      @mst:

      After I go into the topic more deeply, I have found that Country Block is running. Problem was with cron ( */5 ) => (0) fixed the problem.

      Also:

      The cron script checks to see if countryblock is running. If it is then it will exit and if countryblock is not running then it will attempt to start the package. It's fine.

      -Tom Schaefer
      SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

        ghm

        @tommyboy180:

        The cron script checks to see if countryblock is running. If it is then it will exit and if countryblock is not running then it will attempt to start the package. It's fine.

        …still only get
        ```
        root: Countryblock was found not running
        ```

          mst

          sorry false alarm….. I was too happy ....

          after almost one day of working get this again:

          Current Status = NOT running
          no IP address found for __csrf_magic

          I used firefox ....

            ghm

            @tommyboy180:

            The cron script checks to see if countryblock is running. If it is then it will exit and if countryblock is not running then it will attempt to start the package. It's fine.

            I've now executed the command manually - and the status page now shows:
            ```
            Current Status = NOT running
            /tmp/rules.debug:79: cannot load "/usr/local/www/packages/countryblock/lists/countries.txt": No such file or directory
            You are blocking 0 Networks
            ```

            Again, if I start CountryBlock manually via the WebIF it runs until the next PPPOE restart.
            But the command /usr/local/etc/rc.d/countryblock.sh does not restart it.
            In fact I get this if I execute it manually (yes, it echoes "not running" and then the contents are printed...):

            ```
            $ /usr/local/etc/rc.d/countryblock.sh
            not running
            Content-type: text/html

            #version 2.0
            #check if countryblock running
            export resultr=`pfctl -s rules | grep -c countryblock`
            #echo $resultr
            if [ "$resultr" -gt "0" ]; then
            echo running
            exit 1
            else
            echo not running
            /usr/bin/logger -s "Countryblock was found not running"
            echo "Countryblock not running" | /usr/local/bin/php /usr/local/www/packages/countryblock/email_send.php
            fi

            pfctl -t countryblock -T kill
            sed -i -e '/countryblock/d' /tmp/rules.debug

            #Now edit /tmp/rules.debug

            #find my line for table
            export i=`grep -n 'block quick from any to <snort2c>' /tmp/rules.debug | grep -o '[0-9]\{2,4\}'`
            export t=`grep -n 'User Aliases' /tmp/rules.debug |grep -o '[0-9]\{1,2\}'`

            i=$(($i+'1'))
            t=$(($t+'1'))
            #i = line where <snort2c> is
            #t is where 'User Aliases' is
            echo $i
            echo $t

            rm /tmp/rules.debug.tmp

            #Insert table-entry limit
            sed -i -e '/900000/d' /tmp/rules.debug
            while read line
            do a=$(($a+1));
            #echo $a;
            if [ "$a" = "$t" ]; then
            echo "" >> /tmp/rules.debug.tmp
            echo "set limit table-entries 900000" >> /tmp/rules.debug.tmp
            fi
            echo $line >> /tmp/rules.debug.tmp
            done < "/tmp/rules.debug"

            mv /tmp/rules.debug /tmp/rules.debug.old
            mv /tmp/rules.debug.tmp /tmp/rules.debug

            pfctl -o basic -f /tmp/rules.debug > errorOUT.txt 2>&1

            rm /tmp/rules.debug.tmp

            #Insert countryblock rules
            a="0"
            echo $a
            while read line
            do a=$(($a+1));
            echo $a;
            if [ "$a" = "$i" ]; then
            echo "" >> /tmp/rules.debug.tmp
            echo "#countryblock" >> /tmp/rules.debug.tmp
            echo "table <countryblock> persist file '/usr/local/www/packages/countryblock/lists/countries.txt'" >> /tmp/rules.debug.tmp
            echo "table <countryblockw> persist file '/usr/local/www/packages/countryblock/countries-white.txt'" >> /tmp/rules.debug.tmp

              for i in $(cat /usr/local/www/packages/countryblock/interfaces.txt); do
                echo "pass quick from <countryblockw> to $i label 'countryblock'" >> /tmp/rules.debug.tmp
                echo "pass quick from $i to <countryblockw> label 'countryblock'" >> /tmp/rules.debug.tmp
                if [ -f logging ]; then
                  echo "block log quick from <countryblock> to $i label 'countryblock'" >> /tmp/rules.debug.tmp
                else
                  echo "block quick from <countryblock> to $i label 'countryblock'" >> /tmp/rules.debug.tmp
                fi
                if [ -f OUTBOUND ]; then
                  echo "block quick from $i to <countryblock> label 'countryblock'" >> /tmp/rules.debug.tmp
                fi
              done
            fi
            echo $line >> /tmp/rules.debug.tmp


            done < "/tmp/rules.debug"

            mv /tmp/rules.debug /tmp/rules.debug.old
            mv /tmp/rules.debug.tmp /tmp/rules.debug

            rm errorOUT.txt
            pfctl -o basic -f /tmp/rules.debug > /usr/local/www/packages/countryblock/errorOUT.txt 2>&1
            79
            10
            ```

            
            I've left the empty lines in.
            
            If I start Country Block via ticking the box on the WebIF and then run the script, it correctly returns
            ```
            $ /usr/local/etc/rc.d/countryblock.sh
            running
            ```

            This is all happening on 1.2.3 nanobsd using firefox.

            1 Reply Last reply Reply Quote 0
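
The failure reported in the post above (pf refusing `/tmp/rules.debug` because `countries.txt` is missing, after the script has already moved its edited copy into place) can be caught before the swap. The following is an added example, not part of the thread or of the Country Block package: it checks every `table ... file` path in a candidate ruleset and only then replaces the live file. The names `missing_table_files`, `safe_swap` and `PFCTL` are assumptions made for illustration; `pfctl -n` parses a ruleset without loading it.

```shell
#!/bin/sh
# Added example: validate a candidate pf ruleset before it replaces the live one.
# PFCTL and the function names are assumptions made for this sketch.
PFCTL=${PFCTL:-pfctl}

# Print every path named in a "table <name> ... file '<path>'" line of $1
# that is not a readable regular file. Only the first file clause on each
# table line is checked.
missing_table_files() {
    sed -n "s/^[[:space:]]*table[[:space:]]*<[^>]*>.*[[:space:]]file[[:space:]]*[\"']\([^\"']*\)[\"'].*/\1/p" "$1" |
    while IFS= read -r path; do
        if [ ! -f "$path" ] || [ ! -r "$path" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Replace live ruleset $2 with candidate $1 only if the candidate is loadable.
# Returns 0 after a swap, 1 if a table file is missing, 2 if pfctl rejects the
# candidate. On failure the live file is left untouched.
safe_swap() {
    candidate=$1
    live=$2
    missing=$(missing_table_files "$candidate")
    if [ -n "$missing" ]; then
        echo "not loading $candidate, table files missing:" >&2
        printf '%s\n' "$missing" | sed 's/^/  /' >&2
        return 1
    fi
    # Parse-only check, skipped when pfctl is not installed on this host.
    if command -v "$PFCTL" >/dev/null 2>&1; then
        "$PFCTL" -n -f "$candidate" >&2 || return 2
    fi
    cp -p "$live" "$live.old" && mv "$candidate" "$live"
}

# Constructed sample: a candidate with two tables where only the whitelist
# file exists at first, then the block list is created and the swap retried.
demo() {
    dir=$(mktemp -d) || return 1
    : > "$dir/countries-white.txt"
    echo "block quick from any to <snort2c>" > "$dir/rules.debug"
    {
        echo "#countryblock"
        echo "table <countryblock> persist file '$dir/lists/countries.txt'"
        echo "table <countryblockw> persist file '$dir/countries-white.txt'"
        echo "block quick from <countryblock> to any label 'countryblock'"
    } > "$dir/rules.debug.tmp"

    first=0
    safe_swap "$dir/rules.debug.tmp" "$dir/rules.debug" || first=$?
    mkdir "$dir/lists" && echo "192.0.2.0/24" > "$dir/lists/countries.txt"
    second=0
    safe_swap "$dir/rules.debug.tmp" "$dir/rules.debug" || second=$?
    echo "first attempt: $first, second attempt: $second"
    rm -rf "$dir"
}
demo
```

Because the live file is only replaced after both checks pass, a missing list leaves the previous ruleset on disk instead of one that pf will reject.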
              mst

              looks like I have the same problem as rajkedda had:

              [2.0-BETA5][root@pfsense.home]/usr/local/etc/rc.d(4): ./countryblock.sh
              not running
              root: Countryblock was found not running
              pfctl: Table does not exist.
              Content-type: text/html

              Message sent! - Go Back0 table deleted.
              94
              19
              rm: /tmp/rules.debug.tmp: No such file or directory
              rm: /tmp/rules.debug.tmp: No such file or directory
              0
              1
              2
              3

                JackANSI

                @tommyboy180:

                @JackANSI:

                When you check "Enable Logging?" in the settings page, where is it being logged to?

                The firewall tab under system logs.

                Thought so.  Then:
                A. I'm getting no traffic at all from any of the top spammers,
                B. Country Block isn't running even though it says "Running…. Blocking 11110 Networks",
                C. Logging isn't working right for me somehow, or
                D. The only traffic I have heading my way is being handled by the 28 rules I have on my TWAN interface already.

                Are the country block rules before or after any rules we already have under the regular firewall rules?  Because a few of the ranges I excluded manually a long time ago show entries in the firewall log every 5-10 minutes.

                Might this be related to my config and country block isn't compatible with it?  I'm running 1.2.3,  I have 2 WANs, one T1 and one cable modem.  The T1 is where I want country block (and it is selected alone under "interfaces") as it is where the servers reside.  The T1 also has 5 IP addresses assigned statically.  The cable modem handles all the client/user traffic and is the 'real' WAN port.  There are also 6 other interfaces on this machine.

                In my config file I have the following being applied to that interface (the only way I could get this interface working right):

                ```
                <shellcmd>/sbin/ifconfig fxp2 #.#.#.203 netmask 255.255.255.255 alias</shellcmd>
                <shellcmd>/sbin/ifconfig fxp2 #.#.#.204 netmask 255.255.255.255 alias</shellcmd>
                <shellcmd>/sbin/ifconfig fxp2 #.#.#.205 netmask 255.255.255.255 alias</shellcmd>
                <shellcmd>/sbin/ifconfig fxp2 #.#.#.206 netmask 255.255.255.255 alias</shellcmd>
                .....
                <opt2>
                <if>fxp2</if>
                <descr>TWAN</descr>
                <bridge/>
                <ipaddr>#.#.#.202</ipaddr>
                <subnet>29</subnet>
                <gateway>#.#.#.201</gateway>
                <spoofmac/>
                <mtu/>
                <enable/>
                </opt2>
                ```

                I'm working on a little script that will just take the content of the files from countryipblocks.net and just creates something I can paste directly into the config.xml so I can be sure what I want blocked is blocked anyway.  But I'm willing to keep trying on CB until it works.

                  tommyboy180

                  @JackANSI:

                  @tommyboy180:

                  @JackANSI:

                  When you check "Enable Logging?" in the settings page, where is it being logged to?

                  The firewall tab under system logs.

                  Thought so.  Then:
                  A. I'm getting no traffic at all from any of the top spammers,
                  B. Country Block isn't running even though it says "Running…. Blocking 11110 Networks",
                  C. Logging isn't working right for me somehow, or
                  D. The only traffic I have heading my way is being handled by the 28 rules I have on my TWAN interface already.

                  Are the country block rules before or after any rules we already have under the regular firewall rules?  Because a few of the ranges I excluded manually a long time ago show entries in the firewall log every 5-10 minutes.

                  Might this be related to my config and country block isn't compatible with it?  I'm running 1.2.3,  I have 2 WANs, one T1 and one cable modem.  The T1 is where I want country block (and it is selected alone under "interfaces") as it is where the servers reside.  The T1 also has 5 IP addresses assigned statically.  The cable modem handles all the client/user traffic and is the 'real' WAN port.  There are also 6 other interfaces on this machine.

                  In my config file I have the following being applied to that interface (the only way I could get this interface working right):

                  ```
                  <shellcmd>/sbin/ifconfig fxp2 #.#.#.203 netmask 255.255.255.255 alias</shellcmd>
                  <shellcmd>/sbin/ifconfig fxp2 #.#.#.204 netmask 255.255.255.255 alias</shellcmd>
                  <shellcmd>/sbin/ifconfig fxp2 #.#.#.205 netmask 255.255.255.255 alias</shellcmd>
                  <shellcmd>/sbin/ifconfig fxp2 #.#.#.206 netmask 255.255.255.255 alias</shellcmd>
                  .....
                  <opt2>
                  <if>fxp2</if>
                  <descr>TWAN</descr>
                  <bridge/>
                  <ipaddr>#.#.#.202</ipaddr>
                  <subnet>29</subnet>
                  <gateway>#.#.#.201</gateway>
                  <spoofmac/>
                  <mtu/>
                  <enable/>
                  </opt2>
                  ```

                  I'm working on a little script that will just take the content of the files from countryipblocks.net and just creates something I can paste directly into the config.xml so I can be sure what I want blocked is blocked anyway.  But I'm willing to keep trying on CB until it works.

                  Check block outbound.
                  Re-save/update countryblock so the rules are re-applied.
                  Ping a country that is blocked (check the country txt file if you're unsure of any ip ranges)
                  It should show in the firewall logs and you should get an error that says "operation not permitted" meaning it's working!

                    tommyboy180

                    @ghm:

                    @tommyboy180:

                    The cron script checks to see if countryblock is running. If it is then it will exit and if countryblock is not running then it will attempt to start the package. It's fine.

                    I've now executed the command manually - and the status page now shows:
                    ```
                    Current Status = NOT running
                    /tmp/rules.debug:79: cannot load "/usr/local/www/packages/countryblock/lists/countries.txt": No such file or directory
                    You are blocking 0 Networks
                    ```

                    Again, if I start CountryBlock manually via the WebIF it runs until the next PPPOE restart.
                    But the command /usr/local/etc/rc.d/countryblock.sh does not restart it.
                    In fact I get this if I execute it manually (yes, it echoes "not running" and then the contents are printed...):

                    ```
                    $ /usr/local/etc/rc.d/countryblock.sh
                    not running
                    Content-type: text/html

                    #version 2.0
                    #check if countryblock running
                    export resultr=`pfctl -s rules | grep -c countryblock`
                    #echo $resultr
                    if [ "$resultr" -gt "0" ]; then
                    echo running
                    exit 1
                    else
                    echo not running
                    /usr/bin/logger -s "Countryblock was found not running"
                    echo "Countryblock not running" | /usr/local/bin/php /usr/local/www/packages/countryblock/email_send.php
                    fi

                    pfctl -t countryblock -T kill
                    sed -i -e '/countryblock/d' /tmp/rules.debug

                    #Now edit /tmp/rules.debug

                    #find my line for table
                    export i=`grep -n 'block quick from any to <snort2c>' /tmp/rules.debug | grep -o '[0-9]\{2,4\}'`
                    export t=`grep -n 'User Aliases' /tmp/rules.debug |grep -o '[0-9]\{1,2\}'`

                    i=$(($i+'1'))
                    t=$(($t+'1'))
                    #i = line where <snort2c> is
                    #t is where 'User Aliases' is
                    echo $i
                    echo $t

                    rm /tmp/rules.debug.tmp

                    #Insert table-entry limit
                    sed -i -e '/900000/d' /tmp/rules.debug
                    while read line
                    do a=$(($a+1));
                    #echo $a;
                    if [ "$a" = "$t" ]; then
                    echo "" >> /tmp/rules.debug.tmp
                    echo "set limit table-entries 900000" >> /tmp/rules.debug.tmp
                    fi
                    echo $line >> /tmp/rules.debug.tmp
                    done < "/tmp/rules.debug"

                    mv /tmp/rules.debug /tmp/rules.debug.old
                    mv /tmp/rules.debug.tmp /tmp/rules.debug

                    pfctl -o basic -f /tmp/rules.debug > errorOUT.txt 2>&1

                    rm /tmp/rules.debug.tmp

                    #Insert countryblock rules
                    a="0"
                    echo $a
                    while read line
                    do a=$(($a+1));
                    echo $a;
                    if [ "$a" = "$i" ]; then
                    echo "" >> /tmp/rules.debug.tmp
                    echo "#countryblock" >> /tmp/rules.debug.tmp
                    echo "table <countryblock> persist file '/usr/local/www/packages/countryblock/lists/countries.txt'" >> /tmp/rules.debug.tmp
                    echo "table <countryblockw> persist file '/usr/local/www/packages/countryblock/countries-white.txt'" >> /tmp/rules.debug.tmp

                      for i in $(cat /usr/local/www/packages/countryblock/interfaces.txt); do
                        echo "pass quick from <countryblockw> to $i label 'countryblock'" >> /tmp/rules.debug.tmp
                        echo "pass quick from $i to <countryblockw> label 'countryblock'" >> /tmp/rules.debug.tmp
                        if [ -f logging ]; then
                          echo "block log quick from <countryblock> to $i label 'countryblock'" >> /tmp/rules.debug.tmp
                        else
                          echo "block quick from <countryblock> to $i label 'countryblock'" >> /tmp/rules.debug.tmp
                        fi
                        if [ -f OUTBOUND ]; then
                          echo "block quick from $i to <countryblock> label 'countryblock'" >> /tmp/rules.debug.tmp
                        fi
                      done


                    fi
                    echo $line >> /tmp/rules.debug.tmp
                    done < "/tmp/rules.debug"

                    mv /tmp/rules.debug /tmp/rules.debug.old
                    mv /tmp/rules.debug.tmp /tmp/rules.debug

                    rm errorOUT.txt
                    pfctl -o basic -f /tmp/rules.debug > /usr/local/www/packages/countryblock/errorOUT.txt 2>&1
                    79
                    10
                    ```

                    
                    I've left the empty lines in.
                    
                    If I start Country Block via ticking the box on the WebIF and then run the script, it correctly returns
                    ```
                    $ /usr/local/etc/rc.d/countryblock.sh
                    running
                    ```

                    This is all happening on 1.2.3 nanobsd using firefox.

                    I'm having problems getting embedded running for a test VM. At this time I cannot troubleshoot embedded images. If you can help out and find out where the problem is. Hopefully I will get embedded running soon!

                      JackANSI

                      @tommyboy180:

                      Check block outbound.
                      Re-save/update countryblock so the rules are re-applied.
                      Ping a country that is blocked (check the country txt file if you're unsure of any ip ranges)
                      It should show in the firewall logs and you should get an error that says "operation not permitted" meaning it's working!

                      Even gave it a reboot.  I'm not getting anything at all on a traceroute to 3 different hosts (I picked ones that are already in my log) so I'm pretty sure it's blocking, but nothing in my logs yet.

                        tommyboy180

                        @JackANSI:

                        @tommyboy180:

                        Check block outbound.
                        Re-save/update countryblock so the rules are re-applied.
                        Ping a country that is blocked (check the country txt file if you're unsure of any ip ranges)
                        It should show in the firewall logs and you should get an error that says "operation not permitted" meaning it's working!

                        Even gave it a reboot.  I'm not getting anything at all on a traceroute to 3 different hosts (I picked ones that are already in my log) so I'm pretty sure it's blocking, but nothing in my logs yet.

                        I just did those options and I found countryblock logs within the firewall logs.
                        The attached screenshot is from just now.
                        Edit: if the webGUI says it's running then it's running. There's no way it can be a false positive since it actually checks to make sure the countryblock tables are in pfctl.

                        Edit2: It only logs attempts coming inbound. If you try to ping out then it's not logged. Sorry for that confusion.

                        block.jpg

                          ghm

                          @tommyboy180:

                          I'm having problems getting embedded running for a test VM. At this time I cannot troubleshoot embedded images. If you can help out and find out where the problem is. Hopefully I will get embedded running soon!

                          will try but am not entirely clear how. As a first step, I think this message here is key:

                          Current Status = NOT running
                          /tmp/rules.debug:79: cannot load "/usr/local/www/packages/countryblock/lists/countries.txt": No such file or directory
                          You are blocking 0 Networks
                          

                          I see that after having executed the script from the command window. Pretty much what cron would do. WebIF then still says "not running".

                          But I don't have the foggiest idea why I can enable Country Block by checking the box on the WebIF - no errors then and works until PPPOE reset or Firewall rules change - restart script does not work, have to restart using WebIF.

                            Supermule

                            Exactly what I see now…. and that's why I asked for the cron command. It doesn't work....

                            @ghm:

                            But I don't have the foggiest idea why I can enable Country Block by checking the box on the WebIF - no errors then and works until PPPOE reset or Firewall rules change - restart script does not work, have to restart using WebIF.

                              tommyboy180

                              @Supermule:

                              Exactly what I see now…. and that's why I asked for the cron command. It doesn't work....

                              @ghm:

                              But I don't have the foggiest idea why I can enable Country Block by checking the box on the WebIF - no errors then and works until PPPOE reset or Firewall rules change - restart script does not work, have to restart using WebIF.

                              It's because he's using embedded. It works just fine on full installs. I need to get an embedded test system going or have someone help me out. In the meantime, embedded installs won't be fully supported.

                              -Tom Schaefer
                              SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

                              Please support pfBlocker | File Browser | Strikeback

                              • S
                                Supermule Banned

                                I am running a full install in VMware…..

                                The cronjob doesn't start countryblock....

                                • T
                                  tommyboy180

                                  @Supermule:

                                  I am running a full install in VMware…..

                                  The cronjob doesn't start countryblock....

                                  I took a look at your PM and the YouTube video. I have determined that you have a typo in your command on the cron job.

                                  -Tom Schaefer
                                  SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

                                  Please support pfBlocker | File Browser | Strikeback

                                  • S
                                    Supermule Banned

                                    Thx :)

                                    @tommyboy180:

                                    @Supermule:

                                    I am running a full install in VMware…..

                                    The cronjob doesn't start countryblock....

                                    I took a look at your PM and the YouTube video. I have determined that you have a typo in your command on the cron job.

                                    • J
                                      JackANSI

                                      @tommyboy180:

                                      I just did those options and I found countryblock logs within the firewall logs.
                                      The attached screenshot is from just now.
                                      Edit: if the webGUI says it's running then it's running. There's no way it can be a false positive since it actually checks to make sure the countryblock tables are in pfctl.

                                      Edit2: It only logs attempts coming inbound. If you try to ping out then it's not logged. Sorry for that confusion.

                                      Still have not figured out the logging thing, but if I bring up pfTop and switch to the rules view I can see quite a few entries that contain "<countryblock>" and "<countryblockw>" (like "drop inet from <countryblock> to #") that have a byte and packet count >0.

                                      So it is working for sure and I can monitor that directly.

                                      • T
                                        tommyboy180

                                        @JackANSI:

                                        @tommyboy180:

                                        I just did those options and I found countryblock logs within the firewall logs.
                                        The attached screenshot is from just now.
                                        Edit: if the webGUI says it's running then it's running. There's no way it can be a false positive since it actually checks to make sure the countryblock tables are in pfctl.

                                        Edit2: It only logs attempts coming inbound. If you try to ping out then it's not logged. Sorry for that confusion.

                                        Still have not figured out the logging thing, but if I bring up pfTop and switch to the rules view I can see quite a few entries that contain "<countryblock>" and "<countryblockw>" (like "drop inet from <countryblock> to #") that have a byte and packet count >0.

                                        So it is working for sure and I can monitor that directly.

                                        The actual logging portion that goes to the firewall logs tab is controlled by pfctl and only incoming traffic is logged. So browsing a blacklisted IP will not create a log entry but someone from that country hitting the pfSense box will generate a log entry. Hope that clears it up some.

                                        -Tom Schaefer
                                        SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

                                        Please support pfBlocker | File Browser | Strikeback
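
The two checks discussed in the posts above (are the countryblock tables loaded in pfctl, and do the block rules show packet counts above zero), plus a check for the missing list file from the "cannot load" error, as an added example that is not part of the thread or of the Country Block package. The sample pfctl output is constructed, and the `table ... persist file "..."` ruleset syntax is an assumption about how the package loads its lists.

```shell
#!/bin/sh
# Added example, not Country Block's own code. Each function parses pfctl output
# from stdin; on a firewall: pfctl -s Tables | cb_table_loaded countryblock

# Constructed samples in the format of `pfctl -s Tables` and `pfctl -vsr`.
SAMPLE_TABLES='countryblock
countryblockw
sshlockout'
SAMPLE_RULES='block drop in log quick on em0 inet from <countryblock> to any
  [ Evaluations: 9120      Packets: 37        Bytes: 2220        States: 0     ]
block drop in log quick on em0 inet from <countryblockw> to any
  [ Evaluations: 9083      Packets: 0         Bytes: 0           States: 0     ]
pass out quick on em0 all keep state
  [ Evaluations: 4410      Packets: 88211     Bytes: 61002133    States: 12    ]'

# Exit 0 only if table $1 is listed in `pfctl -s Tables` output on stdin.
cb_table_loaded() {
    awk -v t="$1" '$1 == t { found = 1 } END { exit !found }'
}

# Sum the Packets counters of every rule on stdin that references <$1>.
cb_rule_packets() {
    awk -v t="<$1>" '
        !/^[ \t]*\[/ { hit = (index($0, t) > 0); next }    # rule line
        hit && /Packets:/ {                                # its counter line
            for (i = 1; i < NF; i++) if ($i == "Packets:") sum += $(i + 1)
        }
        END { print sum + 0 }'
}

# Print table-backing files named in a ruleset (stdin) that do not exist on disk,
# the condition behind the "cannot load ... countries.txt" error in this thread.
# Assumption: lists are loaded with lines like: table <name> persist file "/path"
cb_missing_files() {
    awk '$1 == "table" && / file "/ {
            n = split($0, q, "\""); for (i = 2; i <= n; i += 2) print q[i] }' |
    while IFS= read -r f; do [ -e "$f" ] || printf '%s\n' "$f"; done
}

# One-line verdict from captured pfctl output: $1 = tables text, $2 = rules text.
cb_status() {
    if printf '%s\n' "$1" | cb_table_loaded countryblock; then
        echo "running, blocked packets: $(printf '%s\n' "$2" | cb_rule_packets countryblock)"
    else
        echo "NOT running"
    fi
}

cb_status "$SAMPLE_TABLES" "$SAMPLE_RULES"
```

A ruleset that fails to load because a list file is missing leaves the block tables out of pf entirely, so running `cb_missing_files < /tmp/rules.debug` before trusting a "running" status catches the case where nothing is being blocked.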

                                        • D
                                          dlawley

                                          Current Status = NOT running
                                          /tmp/rules.debug:18: Rules must be in order: options, normalization, queueing, translation, filtering

                                          Starting to get this now.  I have uninstalled, reinstalled, no joy.

                                          I have noticed every time I save/update it adds another line after "set limit table-entries 900000", from that line till your rules a newline is added at each save.

                                          This is also where the error above is occurring.

                                          pfSense 1.2.3, CB 0.2.0, any ideas?

                                          –------------------------

                                          Dang, I went into my rules and turned one off then back on... now CB will save and run...  something's up but at least running now.

                                          • _
                                            _igor_

                                            Installed countryblock on pf 2.0 RC1 from 26 Feb (full install, amd64), it starts but stops instantly. And on the interface-side, I don't have any option to enable/disable any interface. Only LAN, which was enabled by default.

                                            Other thing which is more conflicting to understand: at the box to enable you wrote "enable/disable". So any explanation would be right:

                                            enable with box checked
                                            disable with box checked.

                                            Which one is right? Seems to be new to put that inconsistent "enable/disable" to packages…

                                            See picture to explain the "missing" interfaces:

                                            countryblock.gif

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.