pfBlocker, blocking the wrong countries
-
I have set up an alias to block the Top Spammers, as below:
But I am noticing in the pfblocker Alerts that Ireland is also getting blocked.
When I look at the pfB_Top_v4.orig vs the pfB_Top_v4.txt, I see that there are a lot of subnets being added, seemingly at random. The particular one being blocked, that is in Ireland, is 191.232.139.2, which is within 191.192.0.0/10.
Here is the relevant section of pfB_Top_v4.orig
185.175.100.0/22 185.200.210.0/23 185.203.36.0/22 185.217.120.0/23 185.217.122.0/24 188.131.128.0/17 188.213.218.128/25 188.240.211.0/25 192.55.46.0/24 192.55.68.0/22 192.102.204.0/23 192.124.154.0/24 192.140.128.0/21 192.140.136.0/22 192.140.156.0/22 192.140.160.0/19 192.140.192.0/20 192.140.208.0/21 192.144.128.0/17 192.167.1.1/32
You can see it jumps from 188 subnet to 192 subnet.
However, when I go to the alias file, pfB_Top_v4.txt, I see many 191 subnets, including the one from Ireland added.
191.96.135.16/28 191.96.135.32/27 191.96.135.64/26 191.96.137.16/28 191.96.137.64/26 191.96.137.136/29 191.96.139.16/28 191.96.141.128/25 191.96.142.128/25 191.96.144.128/25 191.96.146.128/25 191.96.147.128/25 191.96.169.64/26 191.96.169.128/25 191.96.171.64/26 191.96.171.128/25 191.96.173.64/26 191.96.173.128/25 191.96.175.64/26 191.96.175.128/25 191.96.181.64/26 191.96.181.128/25 191.96.183.16/28 191.96.183.64/26 191.96.248.128/25 191.96.249.0/25 191.96.249.128/29 191.96.249.137 191.96.249.138/31 191.96.249.140/30 191.96.249.144/28 191.96.249.160/27 191.96.249.192/26 191.101.18.28/30 191.101.18.32/28 191.101.18.48/29 191.101.18.56/31 191.101.18.128/25 191.101.19.64/26 191.101.19.128/25 191.101.20.0/24 191.101.42.0/24 191.101.62.0/24 191.101.64.0/28 191.101.96.0/28 191.101.135.0/24 191.101.136.128/25 191.101.137.128/25 191.101.138.128/25 191.101.139.128/25 191.101.144.192/26 191.101.145.192/26 191.101.190.0/24 191.101.252.0/24 191.120.0.0/14 191.128.0.0/12 191.160.0.0/11 191.192.0.0/10 192.2.232.0/24 192.12.112.0/22 192.16.41.0/24 192.16.42.0/24 192.29.128.0/20
-
@IsaacFL said in pfBlocker, blocking the wrong countries:
I have set up an alias to block the Top Spammers, as below:
But I am noticing in the pfblocker Alerts that Ireland is also getting blocked.
When I look at the pfB_Top_v4.orig vs the pfB_Top_v4.txt, I see that there are a lot of subnets being added, seemingly at random. The particular one being blocked, that is in Ireland, is 191.232.139.2, which is within 191.192.0.0/10.
You can see it jumps from 188 subnet to 192 subnet. However, when I go to the alias file, pfB_Top_v4.txt, I see many 191 subnets, including the one from Ireland added.
Yes there are known issues with the GEOIP country databases. This is one of the drawbacks to blocking countries.
There is a procedure for submitting corrections to these databases, but it can take months, even years, to get the internet registry group to make corrections, if ever.
-
@jdeloach it is not the database. That was why I showed the original file and the alias file.
It is getting hosed up going from the original downloaded file to the alias file.
-
@IsaacFL said in pfBlocker, blocking the wrong countries:
Here is the relevant section of pfB_Top_v4.orig
My /var/db/pfblockerng/original/pfB_Top_v4.orig file downloaded April 14:
Starting at line 4293:
185.217.120.0/23 185.217.122.0/24 188.131.128.0/17 188.213.218.128/25 188.240.211.0/25 192.55.46.0/24 192.55.68.0/22 192.102.204.0/23 192.124.154.0/24 192.140.128.0/21 192.140.136.0/22 192.140.156.0/22 192.140.160.0/19 192.140.192.0/20 192.140.208.0/21 192.144.128.0/17 192.167.1.1/32
Now, go to line 14056:
191.96.22.0/28 191.96.67.0/24 191.96.249.0/25 191.96.249.128/29 191.96.249.137/32 191.96.249.138/31 191.96.249.140/30 191.96.249.144/28 191.96.249.160/27 191.96.249.192/26 191.101.42.0/24 191.101.64.0/28 191.101.96.0/28 191.101.190.0/24
pfBlockerNG-devel just sorted the list ;)
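To verify the point made above, that the alias file is a sorted copy of the download rather than a list with extra prefixes added, here is an added example (not from the thread and not pfBlockerNG's own code) that compares the two files as sets of networks, checks which one is sorted, and finds the prefix covering a given address. The excerpts are constructed from the lines quoted in the thread, not the full files.

```python
import ipaddress

# Constructed excerpts modelled on the two files quoted in the thread:
# the .orig lines jump from 188.x to 192.x with 191.x prefixes further
# down, and the alias .txt lists the same prefixes in sorted order, one of
# them written without a /32 suffix.
ORIG_EXCERPT = """188.240.211.0/25 192.55.46.0/24 192.55.68.0/22
191.96.249.137/32 191.96.249.138/31 191.192.0.0/10 191.101.42.0/24"""
TXT_EXCERPT = """188.240.211.0/25 191.96.249.137 191.96.249.138/31
191.101.42.0/24 191.192.0.0/10 192.55.46.0/24 192.55.68.0/22"""


def parse_prefixes(text):
    """Return the set of networks in a whitespace-separated prefix list.
    A bare address (no /len) is treated as a /32 host entry, so
    '191.96.249.137' and '191.96.249.137/32' compare equal."""
    return {ipaddress.ip_network(tok, strict=False) for tok in text.split()}


def added_prefixes(orig_text, alias_text):
    """Prefixes present in the alias file but absent from the download.
    An empty result means nothing was added, only reordered."""
    return sorted(parse_prefixes(alias_text) - parse_prefixes(orig_text))


def is_sorted(text):
    """True if the prefixes appear in ascending numerical order."""
    nets = [ipaddress.ip_network(t, strict=False) for t in text.split()]
    return nets == sorted(nets)


def containing_prefix(ip, text):
    """Most specific prefix in the list covering ip, or None.
    Shows why an address such as 191.232.139.2 matches a /10 entry."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n in parse_prefixes(text) if addr in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


if __name__ == "__main__":
    print("added:", added_prefixes(ORIG_EXCERPT, TXT_EXCERPT))
    print("orig sorted:", is_sorted(ORIG_EXCERPT))
    print("txt sorted:", is_sorted(TXT_EXCERPT))
    print("191.232.139.2 in:", containing_prefix("191.232.139.2", TXT_EXCERPT))
```

Running it on the real files (read each with `open(path).read()`) answers the same question for the full list: an empty `added_prefixes` result confirms the download and the alias contain identical networks.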
-
@Gertjan It looks like it might as well be a random list of IPs so no wonder I was getting false positives. I see in your list Spain, Germany, etc.
I was only using pfblocker for the GEOIP, so I just uninstalled and did URL tables from lists from a different source.
-
@IsaacFL said in pfBlocker, blocking the wrong countries:
@Gertjan It looks like it might as well be a random list of IPs so no wonder I was getting false positives. I see in your list Spain, Germany, etc.
I was only using pfblocker for the GEOIP, so I just uninstalled and did URL tables from lists from a different source.
Because of the exhaustion of IPv4 address space, there is now a large market of "horse trading" among the owners of big IPv4 blocks where they are carving up some of their unused blocks and selling them or "leasing them" to other smaller operators around the world for a tidy sum. And in turn, those guys act as middlemen and turn around and resell to still smaller operators and so on. The GeoIP databases have a hard time keeping up with this free-market capitalism, and as a result they are starting to become less accurate. Or at the very least they lag behind with updates - sometimes way, way behind.
And beyond the legal horse trading market, there are a few unscrupulous operators that search for currently unused blocks other guys might have and just basically "steal them" by registering a route for them and beginning to use them. I have seen some news stories on a few IT Security sites describing these shenanigans.
-
@bmeeks maybe someone who is using pfblocker more than I, could verify if that is really the case.
This is a /10 owned by Microsoft in Ireland, so a pretty big error in the database.
I know it was pointed out that the orig file was not in numerical order, but at least the csv file I downloaded from Maxmind was in numerical order, so I expected the country extraction would also have resulted in something in numerical order.
But I didn't spend much time on it so could have been something I did wrong.
-
@IsaacFL said in pfBlocker, blocking the wrong countries:
@bmeeks maybe someone who is using pfblocker more than I, could verify if that is really the case.
This is a /10 owned by Microsoft in Ireland, so a pretty big error in the database.
I know it was pointed out that the orig file was not in numerical order, but at least the csv file I downloaded from Maxmind was in numerical order, so I expected the country extraction would also have resulted in something in numerical order.
But I didn't spend much time on it so could have been something I did wrong.
Sorry, but I don't use pfBlocker. I was just responding to the general issue of GeoIP inaccuracies. This affects things other than just pfBlocker.
My personal opinion is that GeoIP is slowly losing its utility due to these errors.