maxmind -- do i need it for mysite?
-
First the history, then the questions.
I have a private home website; it is for the family only, all of whom are in the U.S.
I found that there were IPs accessing the site from Turkey, Asia, and South America.
I had two options:
1) allow only the IPs of the family members
con: as the internet service provider will sometimes change a family member's IP, that means updating the 'allow IP' list often (my IP has changed three times in one year)
2) use GeoIP (which I did).
Question:
- If I "Disable MaxMind CSV database Updates", what risk do I run?
Would I be allowing IPs that were inside the U.S. and are now outside the U.S. to access my site? (I assume that would be a rare case.)
As mentioned, my IP was changed, and one IP that we got was an IP that used to be somewhere in Europe; Google thought we were in Europe until the IP was updated to the U.S. (it was bought by our service provider when they needed more).
Next question:
I want to block all external, unrequested traffic (i.e. port sniffers, pings, etc.) and only allow replies to my requests.
2) Is the only way to do this with GeoIP?
e.g. I don't want someone in Asia to access my PC, but if I need to buy something from Asia I would need that site to reply to my browser's request.
TIA
-
Using pfBlocker GeoIP blocks on your port forward rules has nothing to do with outbound traffic from clients behind pfSense.
If you want to even get the GeoIP DB from MaxMind now, I believe you need to set up a MaxMind account. Unless it uses old data by default.
-
@johnpoz said in maxmind -- do i need it for mysite?:
Unless it uses old data by default.
For the outbound: that is what I understood; I just needed to know if it was still the case.
For the old data: I'm just concerned that a U.S. IP address will be moved to outside the U.S., thus allowing someone outside the U.S. to possibly gain access. But I think that is highly unlikely, only possible if a company goes out of business and their IP is sold.
So basically, I think I can just ignore the log message that I need a MaxMind license,
unless someone has a reason that I'll have a security issue if I don't get the license.
Thanks.
-
@tross9 said in maxmind -- do i need it for mysite?:
Outside the U.S. thus allowing outside the U.S. to possibly gain access. but I think that is Highly unlikely, only possible if a company goes out of business and their IP is sold.
No, that is not true at all; IPs are exchanged all the time. A company does not have to go out of business. We recently sold off some IPs out of our /16; those IPs are now outside the US.
What if company X has locations in countries A, B and C, and is now using some of their IP space in B instead of A, etc.?
GeoIP data is updated all the time. While the first entry might just use the company's HQ, which is in country X, at some point they determine that IP range xyz, while owned by a company in country A, is actually used in country B, etc.
Let's be clear: the GeoIP database is, let's call it, a best guess at best ;)
But if you're concerned with only allowing IPs from XYZ via GeoIP data, then it behooves you to make sure the list of IPs you're using is current. A MaxMind account is free. While the data might not be perfect, using the current data is going to be more accurate than using old data.
Even using the best and latest-to-the-minute GeoIP data doesn't mean it's correct. If you are concerned with who can access the resource you have opened to the public, the best solution is to use their IPs, and only allow those.
While I understand that can become problematic, especially with users that have no idea what an IP even is ;) If you're concerned, get them to set up DDNS for their connection. Then use that DDNS for your alias and only allow that.
I do this for my son's connection. I manage his network remotely via his UniFi devices (router and AP) being part of my controller. For that to happen they need to talk to my controller. I sure as hell would not open my controller to the public internet, even if I could limit the IPs to be on his block ;) let alone his city or country. So I set it up to only allow his IP, which sure changes now and then. So I use his DDNS in the alias.
But take, for example, my Plex server: my users access this not only from their homes, but from their mobile devices. It's not really possible to know for sure what IP they might come from. But I sure do not want to open that up to the whole internet. So I lock it down to only the countries they should be coming from, and I use the listings for those. Currently only US, but a buddy's son was working in Honduras for a while, and so it was allowing US and Honduras, etc.
The GeoIP listings can be useful. But if the data is dated, it's going to be less useful than current data.
If my friends and family were more tech savvy I would lock down their Plex server access to VPN access only. But it is a pipe dream to expect normal users to know how to do that, and I am sure as hell not going to spend the time to manage all of their devices and networks to use a VPN to access my network. So I do at least something to limit who can access my Plex server, be it far from a perfect or optimally secure setup, etc.
edit: Here, I ran across this just a bit ago in my browsing. This is a perfect example of how things get messed up with GeoIP DBs:
https://www.reddit.com/r/networking/comments/k61a5j/geolocation_issue/
The NL company has a location in the US; they got a line in the US and an IP from the ISP, but for some reason this IP is showing as being from the NL for GeoIP, etc.
This sort of thing happens all the time, and yes, it can be a real pain in the ass to get corrected. I had a /24 from our /16 that was showing up as being from Vietnam. Tried for months to get it corrected. That IP range had never been used in Vietnam, and clearly anyone doing a simple traceroute could see it was in Florida.
It was causing issues with users accessing some stuff that was doing GeoIP filtering, like banks and such.
Just another example of why, if you want to do GeoIP filtering, there will be mistakes in the DB. And you should use as current a DB as possible.
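As an added example (not code from this thread, from pfBlockerNG or from MaxMind), the script below puts a number on the stale-database risk discussed above: it builds a US-only allow-list from an old country table, the way a firewall with MaxMind updates disabled would keep doing, and compares it with a current table to list the prefixes that have moved out of the US but would still be admitted. Both tables are constructed inline using documentation prefixes (198.51.100.0/24, 203.0.113.0/24, 192.0.2.0/24) and are modelled on the column layout of the GeoLite2 Country CSV files; the rows, geoname IDs and country moves are made up for illustration, not real MaxMind data.

```python
"""Added example: what does a stale GeoIP allow-list still let through?

Two tiny country-block tables are constructed inline in the column layout of
the GeoLite2 Country CSV files (network,geoname_id,...). All rows use
documentation prefixes and are made up for illustration. An allow-list is
built from the OLD table, as a firewall with updates disabled would keep
using, and compared with the CURRENT table to find prefixes that have left
the allowed country but would still be admitted by the old rule.
"""
import csv
import io
import ipaddress

# Constructed locations table: geoname_id -> ISO country code.
LOCATIONS_CSV = """\
geoname_id,locale_code,continent_code,continent_name,country_iso_code,country_name,is_in_european_union
6252001,en,NA,North America,US,United States,0
2750405,en,EU,Europe,NL,Netherlands,1
1562822,en,AS,Asia,VN,Vietnam,0
"""

BLOCKS_HEADER = ("network,geoname_id,registered_country_geoname_id,"
                 "represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider\n")

# Constructed: the blocks table as it stood when updates were switched off.
OLD_BLOCKS_CSV = BLOCKS_HEADER + """\
198.51.100.0/24,6252001,6252001,,0,0
203.0.113.0/24,6252001,6252001,,0,0
192.0.2.0/25,2750405,2750405,,0,0
"""

# Constructed: the blocks table today. Half of 198.51.100.0/24 was sold and is
# now used in the Netherlands; 203.0.113.0/24 was corrected from US to Vietnam.
NEW_BLOCKS_CSV = BLOCKS_HEADER + """\
198.51.100.0/25,6252001,6252001,,0,0
198.51.100.128/25,2750405,2750405,,0,0
203.0.113.0/24,1562822,1562822,,0,0
192.0.2.0/25,2750405,2750405,,0,0
"""


def load_locations(text):
    """Map geoname_id -> country_iso_code from a Locations CSV."""
    return {r["geoname_id"]: r["country_iso_code"]
            for r in csv.DictReader(io.StringIO(text))}


def load_blocks(text, locations):
    """Return [(network, iso_code)] from a Blocks CSV.

    geoname_id can be blank in the real files; this example falls back to the
    registered country in that case. Unknown IDs map to "??".
    """
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        gid = r["geoname_id"] or r["registered_country_geoname_id"]
        rows.append((ipaddress.ip_network(r["network"]), locations.get(gid, "??")))
    return rows


def lookup(blocks, ip):
    """Longest-prefix match, the same rule a GeoIP lookup applies."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, cc) for net, cc in blocks if addr in net]
    return max(hits)[1] if hits else None


def country_allowlist(blocks, iso):
    """The prefixes a GeoIP allow rule for `iso` would contain."""
    return [net for net, cc in blocks if cc == iso]


def stale_leaks(old_allow, new_blocks, iso):
    """Prefixes the current table places outside `iso` that still overlap an
    entry of the stale allow-list: admitted by the old rule, blocked by a
    current one."""
    return [(net, cc) for net, cc in new_blocks
            if cc != iso and any(net.overlaps(a) for a in old_allow)]


LOCATIONS = load_locations(LOCATIONS_CSV)
OLD_BLOCKS = load_blocks(OLD_BLOCKS_CSV, LOCATIONS)
NEW_BLOCKS = load_blocks(NEW_BLOCKS_CSV, LOCATIONS)
OLD_US_ALLOW = country_allowlist(OLD_BLOCKS, "US")


def admitted_by_stale_rule(ip):
    """Would a US-only rule built from the OLD table pass this address?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OLD_US_ALLOW)


if __name__ == "__main__":
    for ip in ("198.51.100.200", "203.0.113.5"):
        print(f"{ip}: old DB says {lookup(OLD_BLOCKS, ip)}, current DB says "
              f"{lookup(NEW_BLOCKS, ip)}, stale US rule admits it: "
              f"{admitted_by_stale_rule(ip)}")
    for net, cc in stale_leaks(OLD_US_ALLOW, NEW_BLOCKS, "US"):
        print(f"stale US allow-list still admits {net}, now {cc}")
```

The same comparison works on the real GeoLite2 CSV files: load the Blocks file you are currently running against as OLD and a freshly downloaded one as NEW, and `stale_leaks` lists exactly the address space your rule has drifted on. If the list is empty the stale data cost you nothing; if it is not, that is the traffic the "ignore the licence warning" choice lets in.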