Country Block
-
Thx :)
I am running a full install in VmWare…..
The cronjob doesn't start countryblock....
I took a look at your PM and the youtube video. I have determined that you have a typo in your command on the cron job.
-
I just did those options and I found countryblock logs within the firewall logs.
The attached screenshot is from just now.
Edit: if the webGUI says it's running then it's running. There's no way it can be a false positive since it actually checks to make sure the countryblock tables are in pfctl.
Edit2: It only logs attempts coming inbound. If you try to ping out then it's not logged. Sorry for that confusion.
Still have not figured out the logging thing, but if I bring up pfTop and switch to the rules view I can see quite a few entries that contain "<countryblock>" and "<countryblockw>" (like "drop inet from <countryblock> to #") that have a byte and packet count >0.
So it is working for sure and I can monitor that directly.
-
The actual logging portion that goes to the firewall logs tab is controlled by pfctl and only incoming traffic is logged. So browsing a blacklisted IP will not create a log entry but someone from that country hitting the pfsense box will generate a log entry. Hope that clears it up some.
-
Current Status = NOT running
/tmp/rules.debug:18: Rules must be in order: options, normalization, queueing, translation, filtering
Starting to get this now. I have uninstalled, reinstalled, no joy.
I have noticed every time I save/update it adds another line after "set limit table-entries 900000", from that line till your rules a newline is added at each save.
This is also where the error above is occurring.
pfsense 1.2.3, CB 0.2.0, any ideas?
–------------------------
dang, I went into my rules and turned one off then back on... now CB will save and run... something's up but at least running now.
-
Installed countryblock on pf 2.0 RC1 from 26 Feb (full install, amd64), it starts but stops instantly. And on the interface-side, I don't have any option to enable/disable any interface. Only lan, which was enabled by default.
Other thing which is more conflicting to understand: at the box to enable you wrote "enable/disable". So any explanation would be right:
enable with box checked
disable with box checked.
Which one is the right? Seems to be new to put that inconsistent "enable/disable" to packages…
See picture to explain the "missing" interfaces:
-
Have you enabled the WAN interface?
-
Just FYI, I had another error like before and it might be worthwhile to get your rules resaved. I just disabled one and re-enabled it and was able to go back without any issue with CB.
-
@ supermule: Maybe I was not clear, so see the attached pic. I cannot activate nor deactivate wan, the checkbox is not preset!
It was just an installation and on overlooking the options to set them it was like shown at the pic.
@ dlawley: Which rules to resave? If you mean the country election, these ones I enabled and disabled all, selected only the "top ten", nothing changed the behaviour. Even deinstalled and installed newly, no change. :(
edit:
Looked at the interfaces.txt, which had these entries:
__csrf_magic
em0
deleted those entries and added "any" (only the word). Saved the file and reviewed the interface-section in webgui. Same as before. Only LAN, which is checked, the other 2 interfaces (WAN and GRE) don't have the check-boxes. If I save the setting, the 2 mentioned lines appear again in the interfaces.txt.
But now countryblock starts and seems to work.
Added the cron-entry. Maybe this could be made by the installer?
Thanks for help
-
Using cron w/ the command /usr/local/etc/rc.d/countryblock.sh with */1 * * * * root, I am unable to get country block to auto-start after it stops (from either a reboot or updating to the latest snapshot). Any tips by chance?
-
This is what my cron job looks like. If you still can't get the cron to work, try executing the cron command from console to view any errors that it may be having.
-
That's exactly how mine looks as well :-(. Once it is on, I'm good to go. It's only when I restart the server or hit the auto-update firmware. I can then get it to start again easily using the GUI, I was hoping the cron would solve my woes. I have an update now to do so I will apply that and see if it happens again. As with throughout this topic, thank you for being so active :-) I know how hard it is to dedicate the time we have so little of today to help others.
Ah well maybe it is because it reinstalls the apps after the update, that would make sense no? lol, sorry I didn't think about it :-P
-
The "Enable/disable" checkbox does what?
If countryblock is enabled, the box is not checked, so I check it and press "apply", countryblock ends disabled.
If cb is disabled, the checkbox is disabled too. Checking the box and pressing "apply" cb ends enabled. So is the function of this box as it says "enable/disable" or is there anything running wrong with cb? The checkbox is always not checked.
I did a reinstall today due to updating pfSense (2.0 snap, amd64, full install) and the weird interfaces-section is still like before: Only lan has a checkbox, which is checked, the other interfaces don't have any checkboxes. Nor is anything checked. Interfaces.txt still contains "any".
-
I read your previous posts and didn't see this, but could you give us more information about your set up? Is this a virtual machine? What NIC hardware are you using per interface? Are you running other services?
Also about this button that says both "enable/disable", where do you see this? Mine only says "Enable Country block" so with that in mind, by checking it you're enabling it.
It's a little quirky to enable, first you select the countries you want to block, you click commit. After that it writes the information to a file. Then you check the box for "Enable Country Block"
Though this is only useful once you're able to activate it once your WAN interface allows you to check it :-)
-
Also,
/* Go through the list of ports selected by the user, build a list of port-to-interface mappings in portifmap */
conf_mount_rw();
$myFile = "interfaces.txt";
$fh = fopen($myFile, 'w+');
this is going to over-write any changes you make to interfaces.txt when you click save/apply or any other modifier that runs that script.
-
I did a reinstall (deinstalled and installed newly), so the enable/disable disappeared and I see now "Enable Country Block" as shown at your pic. Now the checkbox remains checked too. This part is repaired. :-)
Seems to work now as expected.
It's a full install pf 2.0, Mar.10.2011, amd64. Intel nics, using the em-driver.
The interfaces-section still is the same as before. Here no change. :-(
-
I saw m0n0wall's version of countryblock_if.php, and it had this line of code which is missing from the countryblock_if.php. Though some of the text came out a bit funky as you can see in the code.
igor do you have an interface with more than one assignment?
/* Deliver error message for any port with more than one assignment */
foreach ($portifmap as $portname => $ifnames) {
    if (count($ifnames) > 1) {
        $errstr = "Íø¿¨ " . $portname . "±»Ö¸ÅɸøÁË " . count($ifnames) . "¸ö½Ó¿Ú£º";
        foreach ($portifmap[$portname] as $ifn)
            $errstr .= " " . $ifn;
        $input_errors[] = $errstr;
    }
}
-
@heavy1metal:
M0n0wall has a countryblock package?
-
Is there any workaround for that:
Current Status = NOT running
no IP address found for __csrf_magic
You are blocking 0 Networks
2.0 RC1 Full install i386 …....
-
Sorry, I just meant they have the equivalent/same interface detection page/script.
Also just curious, igor/mst, did either of you rename your WAN interface name? Just curious, not sure if this should make a difference or not.
-
@heavy1metal: yep. My GRE-interface. It's bound to the LAN-interface.
@mst: edit your interfaces.txt. There delete all entries and put in "any" (without ""), nothing more. Then your error disappears.
News about the country-block: yesterday suddenly I was locked out of internet, say, no surfing, mail and so on. First I suspected snort, but it was country-block which blocked all incoming and outgoing traffic. Disabled countryblock because I suspect the weird interfaces-section.
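
Added example (not part of any post in this thread, and not the package's own code): the status output quoted above shows that a stray `__csrf_magic` line in interfaces.txt leaves countryblock "NOT running" with 0 networks blocked, so it is worth checking that file after every save. This sketch accepts only the word "any" or a real interface name; the function name `check_interfaces` and the interface `em1` are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: validate the entries of a countryblock interfaces.txt.
# An entry is accepted if it is the word "any" or one of the interface
# names given in $2 (on the firewall itself: "$(ifconfig -l)").
# Valid entries go to stdout, rejected ones to stderr; the function
# returns non-zero if anything was rejected or nothing valid is left.
check_interfaces() {
    file=$1
    known=$2
    bad=0
    good=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        # Drop carriage returns and surrounding whitespace.
        entry=$(printf '%s' "$entry" | tr -d '\r' |
            sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        if [ -z "$entry" ]; then
            continue
        fi
        ok=0
        if [ "$entry" = "any" ]; then
            ok=1
        else
            for ifname in $known; do
                if [ "$entry" = "$ifname" ]; then
                    ok=1
                    break
                fi
            done
        fi
        if [ "$ok" -eq 1 ]; then
            printf '%s\n' "$entry"
            good=$((good + 1))
        else
            printf 'rejected: %s\n' "$entry" >&2
            bad=$((bad + 1))
        fi
    done < "$file"
    [ "$bad" -eq 0 ] && [ "$good" -gt 0 ]
}

# Constructed sample: the two entries quoted in the thread.
sample=$(mktemp)
printf '__csrf_magic\nem0\n' > "$sample"
check_interfaces "$sample" "em0 em1" ||
    echo "interfaces.txt has entries that are not interfaces" >&2
```

On the firewall, point the first argument at the package's interfaces.txt (its full path is not given in the thread) and pass "$(ifconfig -l)" as the second.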