    Country Block

    pfSense Packages
    • T
      tommyboy180
      last edited by

      @ghm:

      @tommyboy180:

      The cron script checks to see if countryblock is running. If it is then it will exit and if countryblock is not running then it will attempt to start the package. It's fine.

      I've now executed the command manually - and the status page now shows:

      ```
      Current Status = NOT running
      /tmp/rules.debug:79: cannot load "/usr/local/www/packages/countryblock/lists/countries.txt": No such file or directory
      You are blocking 0 Networks
      ```
      Again, if I start CountryBlock manually via the WebIF it runs until the next PPPOE restart.
      But the command /usr/local/etc/rc.d/countryblock.sh does not restart it.
      In fact I get this if I execute it manually (yes, it echoes "not running" and then the contents are printed...):

      ```
      $ /usr/local/etc/rc.d/countryblock.sh
      not running
      Content-type: text/html

      #version 2.0
      #check if countryblock running: count the loaded pf rules that mention countryblock
      export resultr=$(pfctl -s rules | grep -c countryblock)
      #echo $resultr
      if [ "$resultr" -gt "0" ]; then
          echo running
          exit 1
      else
          echo not running
          /usr/bin/logger -s "Countryblock was found not running"
          echo "Countryblock not running" | /usr/local/bin/php /usr/local/www/packages/countryblock/email_send.php
      fi

      #flush the table and drop every countryblock line from the current ruleset
      pfctl -t countryblock -T kill
      sed -i -e '/countryblock/d' /tmp/rules.debug

      #Now edit /tmp/rules.debug

      #find my line for table (grep -o keeps only the line number printed by grep -n,
      #so it assumes a 2-4 digit number for i and a 1-2 digit number for t)
      export i=$(grep -n 'block quick from any to <snort2c>' /tmp/rules.debug | grep -o '[0-9]\{2,4\}')
      export t=$(grep -n 'User Aliases' /tmp/rules.debug | grep -o '[0-9]\{1,2\}')

      i=$((i+1))
      t=$((t+1))
      #i = line where <snort2c> is
      #t is where 'User Aliases' is
      echo $i
      echo $t

      rm -f /tmp/rules.debug.tmp

      #Insert table-entry limit: drop the old limit line, then copy the file line by
      #line and write the limit in just before line t
      sed -i -e '/900000/d' /tmp/rules.debug
      a="0"
      while read line
      do a=$((a+1));
          #echo $a;
          if [ "$a" = "$t" ]; then
              echo "" >> /tmp/rules.debug.tmp
              echo "set limit table-entries 900000" >> /tmp/rules.debug.tmp
          fi
          echo "$line" >> /tmp/rules.debug.tmp
      done < "/tmp/rules.debug"

      mv /tmp/rules.debug /tmp/rules.debug.old
      mv /tmp/rules.debug.tmp /tmp/rules.debug

      pfctl -o basic -f /tmp/rules.debug > errorOUT.txt 2>&1

      rm -f /tmp/rules.debug.tmp

      #Insert countryblock rules: same copy loop, writing the table and rule lines in
      #just before line i (the <snort2c> rule)
      a="0"
      echo $a
      while read line
      do a=$((a+1));
          echo $a;
          if [ "$a" = "$i" ]; then
              echo "" >> /tmp/rules.debug.tmp
              echo "#countryblock" >> /tmp/rules.debug.tmp
              echo "table <countryblock> persist file '/usr/local/www/packages/countryblock/lists/countries.txt'" >> /tmp/rules.debug.tmp
              echo "table <countryblockw> persist file '/usr/local/www/packages/countryblock/countries-white.txt'" >> /tmp/rules.debug.tmp

              #one pass/block set per interface listed in interfaces.txt (loop variable
              #renamed from i so it does not clobber the insertion line number)
              for iface in $(cat /usr/local/www/packages/countryblock/interfaces.txt); do
                  echo "pass quick from <countryblockw> to $iface label 'countryblock'" >> /tmp/rules.debug.tmp
                  echo "pass quick from $iface to <countryblockw> label 'countryblock'" >> /tmp/rules.debug.tmp
                  #'logging' and 'OUTBOUND' are flag files looked up in the current working directory
                  if [ -f logging ]; then
                      echo "block log quick from <countryblock> to $iface label 'countryblock'" >> /tmp/rules.debug.tmp
                  else
                      echo "block quick from <countryblock> to $iface label 'countryblock'" >> /tmp/rules.debug.tmp
                  fi
                  if [ -f OUTBOUND ]; then
                      echo "block quick from $iface to <countryblock> label 'countryblock'" >> /tmp/rules.debug.tmp
                  fi
              done
          fi
          echo "$line" >> /tmp/rules.debug.tmp
      done < "/tmp/rules.debug"

      mv /tmp/rules.debug /tmp/rules.debug.old
      mv /tmp/rules.debug.tmp /tmp/rules.debug

      rm -f errorOUT.txt
      pfctl -o basic -f /tmp/rules.debug > /usr/local/www/packages/countryblock/errorOUT.txt 2>&1
      79
      10
      0
      [... the second loop's counter, 1 through 209, one number per line ...]
      ```

      
      I've left the empty lines in.
      
      If I start Country Block via ticking the box on the WebIF and then run the script, it correctly returns

      ```
      $ /usr/local/etc/rc.d/countryblock.sh
      running
      ```

      This is all happening on 1.2.3 nanobsd using firefox.

      I'm having problems getting embedded running for a test VM. At this time I cannot troubleshoot embedded images. If you can help out and find out where the problem is. Hopefully I will get embedded running soon!

      -Tom Schaefer
      SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

      Please support pfBlocker | File Browser | Strikeback

      • J
        JackANSI
        last edited by

        @tommyboy180:

        Check block outbound.
        Re-save/update countryblock so the rules are re-applied.
        Ping a country that is blocked (check the country txt file if you're unsure of any IP ranges)
        It should show in the firewall logs and you should get an error that says "operation not permitted" meaning it's working!

        Even gave it a reboot.  I'm not getting anything at all on a traceroute to 3 different hosts (I picked ones that are already in my log) so I'm pretty sure it's blocking, but nothing in my logs yet.

        • T
          tommyboy180
          last edited by

          @JackANSI:

          @tommyboy180:

          Check block outbound.
          Re-save/update countryblock so the rules are re-applied.
          Ping a country that is blocked (check the country txt file if you're unsure of any IP ranges)
          It should show in the firewall logs and you should get an error that says "operation not permitted" meaning it's working!

          Even gave it a reboot.  I'm not getting anything at all on a traceroute to 3 different hosts (I picked ones that are already in my log) so I'm pretty sure it's blocking, but nothing in my logs yet.

          I just did those options and I found countryblock logs within the firewall logs.
          The attached screenshot is from just now.
          Edit: if the webGUI says it's running then it's running. There's no way it can be a false positive since it actually checks to make sure the countryblock tables are in pfctl.

          Edit2: It only logs attempts coming inbound. If you try to ping out then it's not logged. Sorry for that confusion.

          block.jpg

          -Tom Schaefer
          SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

          Please support pfBlocker | File Browser | Strikeback

          • G
            ghm
            last edited by

            @tommyboy180:

            I'm having problems getting embedded running for a test VM. At this time I cannot troubleshoot embedded images. If you can help out and find out where the problem is. Hopefully I will get embedded running soon!

            Will try, but I am not entirely clear how. As a first step, I think this message here is key:

            ```
            Current Status = NOT running
            /tmp/rules.debug:79: cannot load "/usr/local/www/packages/countryblock/lists/countries.txt": No such file or directory
            You are blocking 0 Networks
            ```

            I see that after having executed the script from the command window. Pretty much what cron would do. WebIF then still says "not running".

            But I don't have the foggiest idea why I can enable Country Block by checking the box on the WebIF - no errors then and works until PPPOE reset or Firewall rules change - restart script does not work, have to restart using WebIF.

            • S
              Supermule Banned
              last edited by

              Exactly what I see now... and that's why I asked for the cron command. It doesn't work...

              @ghm:

              But I don't have the foggiest idea why I can enable Country Block by checking the box on the WebIF - no errors then and works until PPPOE reset or Firewall rules change - restart script does not work, have to restart using WebIF.

              • T
                tommyboy180
                last edited by

                @Supermule:

                Exactly what I see now... and that's why I asked for the cron command. It doesn't work...

                @ghm:

                But I don't have the foggiest idea why I can enable Country Block by checking the box on the WebIF - no errors then and works until PPPOE reset or Firewall rules change - restart script does not work, have to restart using WebIF.

                It's because he's using embedded. It works just fine on full installs. I need to get an embedded test system going or have someone help me out. In the meantime embedded installs won't be fully supported.

                -Tom Schaefer
                SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

                Please support pfBlocker | File Browser | Strikeback

                • S
                  Supermule Banned
                  last edited by

                  I am running a full install in VmWare…..

                  The cronjob doesn't start countryblock...

                  • T
                    tommyboy180
                    last edited by

                    @Supermule:

                    I am running a full install in VmWare…..

                    The cronjob doesn't start countryblock...

                    I took a look at your PM and the youtube video. I have determined that you have a typo in your command on the cron job.

                    -Tom Schaefer
                    SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

                    Please support pfBlocker | File Browser | Strikeback

                    • S
                      Supermule Banned
                      last edited by

                      Thx :)

                      @tommyboy180:

                      @Supermule:

                      I am running a full install in VmWare…..

                      The cronjob doesn't start countryblock...

                      I took a look at your PM and the youtube video. I have determined that you have a typo in your command on the cron job.

                      • J
                        JackANSI
                        last edited by

                        @tommyboy180:

                        I just did those options and I found countryblock logs within the firewall logs.
                        The attached screenshot is from just now.
                        Edit: if the webGUI says it's running then it's running. There's no way it can be a false positive since it actually checks to make sure the countryblock tables are in pfctl.

                        Edit2: It only logs attempts coming inbound. If you try to ping out then it's not logged. Sorry for that confusion.

                        Still have not figured out the logging thing, but if I bring up pfTop and switch to the rules view I can see quite a few entries that contain "<countryblock>" and "<countryblockw>" (like "drop inet from <countryblock> to #") that have a byte and packet count >0.

                        So it is working for sure and I can monitor that directly.

                        • T
                          tommyboy180
                          last edited by

                          @JackANSI:

                          @tommyboy180:

                          I just did those options and I found countryblock logs within the firewall logs.
                          The attached screenshot is from just now.
                          Edit: if the webGUI says it's running then it's running. There's no way it can be a false positive since it actually checks to make sure the countryblock tables are in pfctl.

                          Edit2: It only logs attempts coming inbound. If you try to ping out then it's not logged. Sorry for that confusion.

                          Still have not figured out the logging thing, but if I bring up pfTop and switch to the rules view I can see quite a few entries that contain "<countryblock>" and "<countryblockw>" (like "drop inet from <countryblock> to #") that have a byte and packet count >0.

                          So it is working for sure and I can monitor that directly.

                          The actual logging portion that goes to the Firewall Logs tab is controlled by pfctl and only incoming traffic is logged. So browsing a blacklisted IP will not create a log entry, but someone from that country hitting the pfSense box will generate a log entry. Hope that clears it up some.

                          -Tom Schaefer
                          SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

                          Please support pfBlocker | File Browser | Strikeback

                          • D
                            dlawley
                            last edited by

                            ```
                            Current Status = NOT running
                            /tmp/rules.debug:18: Rules must be in order: options, normalization, queueing, translation, filtering
                            ```

                            Starting to get this now.  I have uninstalled, reinstalled, no joy.

                            I have noticed every time I save/update it adds another line after "set limit table-entries 900000", from that line till your rules a newline is added at each save.

                            This is also where the error above is occurring.

                            pfsense 1.2.3, CB 0.2.0, any ideas?

                            ------------------------

                            dang, I went into my rules and turned one off then back on... now CB will save and run...  something's up but at least running now.

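The countryblock.sh posted earlier in this thread rewrites /tmp/rules.debug with two copy loops, and dlawley's post above notes that every save adds another blank line after the table-entries limit. As an added example (not the package's code), here is the same rewrite done in one awk pass that first strips whatever an earlier run inserted, so re-running it leaves the file unchanged; the package directory, the interfaces.txt format and the two anchor lines ("User Aliases" and the <snort2c> block rule) are assumed from the script in the thread.

```shell
#!/bin/sh
# Added example, not the CountryBlock package's own countryblock.sh: rewrite a
# pfSense rules.debug in one awk pass so that the table-entries limit and the
# CountryBlock tables/rules appear exactly once. Lines left by an earlier run
# are stripped first, so running it again over its own output is a no-op and
# repeated saves cannot pile up blank lines. CB_DIR (assumed) is the package
# directory used in the thread; pfctl is only invoked with the "apply" argument.

CB_DIR=${CB_DIR:-/usr/local/www/packages/countryblock}
ANCHOR='block quick from any to <snort2c>'   # rules go in just before this line

# cb_rules IFACES LOG OUTBOUND: print the table definitions and the rules for
# every interface listed one per line in IFACES (the package's interfaces.txt).
# LOG=1 logs blocked inbound traffic; OUTBOUND=1 also blocks traffic going out
# to the listed countries.
cb_rules() {
    echo "#countryblock"
    echo "table <countryblock> persist file \"$CB_DIR/lists/countries.txt\""
    echo "table <countryblockw> persist file \"$CB_DIR/countries-white.txt\""
    while read -r iface; do
        [ -n "$iface" ] || continue              # ignore blank lines
        echo "pass quick from <countryblockw> to $iface label \"countryblock\""
        echo "pass quick from $iface to <countryblockw> label \"countryblock\""
        if [ "$2" = 1 ]; then
            echo "block log quick from <countryblock> to $iface label \"countryblock\""
        else
            echo "block quick from <countryblock> to $iface label \"countryblock\""
        fi
        if [ "$3" = 1 ]; then
            echo "block quick from $iface to <countryblock> label \"countryblock\""
        fi
    done < "$1"
}

# cb_rewrite IN OUT RULEFILE: copy IN to OUT, dropping old countryblock lines
# and any old table-entries limit, re-adding the limit right after the
# "User Aliases" comment (the anchor the package's script uses; pf needs every
# "set" line ahead of the first scrub/nat/filter rule) and inserting RULEFILE
# just before ANCHOR.
cb_rewrite() {
    awk -v rules="$3" -v anchor="$ANCHOR" '
        /countryblock/             { next }
        /^set limit table-entries/ { next }
        /User Aliases/             { print; print "set limit table-entries 900000"; next }
        index($0, anchor) > 0      { while ((getline l < rules) > 0) print l }
        { print }
    ' "$1" > "$2"
}

# cb_loaded DUMP: succeed when a saved "pfctl -s rules" listing contains
# countryblock rules; the cron job's running/not-running decision is this test.
cb_loaded() { grep -q countryblock "$1"; }

# On the firewall, "sh cb.sh apply" rewrites a copy of rules.debug and only
# replaces the live file once pfctl has accepted the new ruleset.
if [ "${1:-}" = apply ]; then
    cb_rules "$CB_DIR/interfaces.txt" "${CB_LOG:-1}" "${CB_OUTBOUND:-0}" > /tmp/countryblock.rules
    cb_rewrite /tmp/rules.debug /tmp/rules.debug.new /tmp/countryblock.rules
    pfctl -o basic -f /tmp/rules.debug.new && mv /tmp/rules.debug.new /tmp/rules.debug
fi
```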
                            • _
                              _igor_
                              last edited by

                              Installed countryblock on pf 2.0 RC1 from 26 Feb (full install, amd64), it starts but stops instantly. And on the interface-side, I don't have any option to enable/disable any interface. Only lan, which was enabled by default.

                              Other thing which is more conflicting to understand: at the box to enable you wrote "enable/disable". So any explanation would be right:

                              enable with box checked
                              disable with box checked.

                              Which one is right? Seems to be new to put that inconsistent "enable/disable" to packages...

                              See picture to explain the "missing" interfaces:

                              countryblock.gif

                              • S
                                Supermule Banned
                                last edited by

                                Have you enabled the WAN interface?

                                • D
                                  dlawley
                                  last edited by

                                  Just FYI, I had another error like before and it might be worthwhile to get your rules resaved.  I just disabled one and re enabled it and was able to go back without any issue with CB.

                                  • _
                                    _igor_
                                    last edited by

                                    @ supermule: Maybe I was not clear, so see the attached pic. I cannot activate nor deactivate wan, the checkbox is not present!

                                    It was just an installation and on overlooking the options to set them it was like shown at the pic.
                                    @ dlawley: Which rules to resave? If you mean the country selection, I enabled and disabled all of them, selected only the "top ten", nothing changed the behaviour. Even deinstalled and installed newly, no change. :(

                                    edit:

                                    Looked at the interfaces.txt, which had these entries:

                                    ```
                                    __csrf_magic
                                    em0
                                    ```

                                    deleted those entries and added "any" (only the word). Saved the file and reviewed the interface-section in webgui. Same as before. Only LAN, which is checked, the other 2 interfaces (WAN and GRE) don't have the check-boxes. If I save the setting, the 2 mentioned lines appear again in the interfaces.txt.
                                    But now countryblock starts and seems to work.
                                    Added the cron-entry. Maybe this could be made by the installer?

                                    Thanks for help

                                    • ?
                                      Guest
                                      last edited by

                                      Using cron w/ the command /usr/local/etc/rc.d/countryblock.sh with */1 * * * * root, I am unable to get country block to auto-start after it stops (from either a reboot or updating to the latest snapshot). Any tips by chance?

                                      • T
                                        tommyboy180
                                        last edited by

                                        This is what my cron job looks like. If you still can't get the cron to work, try executing the cron command from console to view any errors that it may be having.

                                        Untitled.png

                                        -Tom Schaefer
                                        SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

                                        Please support pfBlocker | File Browser | Strikeback

                                        • ?
                                          Guest
                                          last edited by

                                          That's exactly how mine looks as well :-(. Once it is on, I'm good to go. It's only when I restart the server or hit the auto-update firmware. I can then get it to start again easily using the GUI, I was hoping the cron would solve my woes. I have an update now to do so I will apply that and see if it happens again. As throughout this topic, thank you for being so active :-) I know how hard it is to dedicate the time we have so little of today to help others.

                                          Ah well maybe it is because it reinstalls the apps after the update, that would make sense no? lol, sorry I didn't think about it :-P

                                          • _
                                            _igor_
                                            last edited by

                                            The "Enable/disable" checkbox does what?

                                            If countryblock is enabled, the box is not checked, so I check it and press "apply", countryblock ends disabled.
                                            If cb is disabled, the checkbox is disabled too. Checking the box and pressing "apply", cb ends enabled. So is the function of this box as it says "enable/disable" or is there anything running wrong with cb? The checkbox is always not checked.

                                            I did a reinstall today due to updating pfSense (2.0 snap, amd64, full install) and the weird interfaces-section is still like before: Only lan has a checkbox, which is checked, the other interfaces don't have any checkboxes. Nor is anything checked. Interfaces.txt still contains "any".

                                            countryblock.gif
