GeoIP Blocking

SteveITS

@ronpfs said in GeoIP Blocking:

pfBlockerNG-devel

Ah, sorry, I had trouble with pfBlockerNG and the new MaxMind so we switched all our clients to pfBlockerNG-devel. I wasn't even thinking about the package.

It kept losing the MaxMind key overnight.
https://forum.netgate.com/topic/149343/pfblockerng-maxmind-registration-required-to-continue-to-use-the-geoip-functionality/49

The package maintainer has recommended in the forums to use -devel anyway. I am not sure why there are two at this point...? If you uninstall pfBlockerNG and install pfBlockerNG-devel it will import settings.

A Former User

This post is deleted!

SteveITS

The warning is so that you don't run an update while an update is already running. Since your update is 59 minutes away, it's safe to go ahead. Aggiorna I assume is "update" so pick that and click Run.

Or wait 59 minutes and it will run an update on its own. :)

RonpfS

@teamits Active pfBlockerNG CRON JOB normally means there is an update running on the box.

Inspect pfblockerNG.log file to see what is happening

A Former User

@ronpfs yes, but he always does it and doesn't let me update after the time runs out, the stopwatch always starts again
and manual updating doesn't

RonpfS

@antonio-briguglio What are you seeing in pfblockerng.log?

A Former User

@teamits how do you put a website blocking warning web page when blocking countries?

RonpfS

@antonio-briguglio said in GeoIP Blocking:

@teamits how do you put a website blocking warning web page when blocking countries?

You can't.
You use the Alerts tab to see what is blocked on the IP side.

SteveITS

@ronpfs said in GeoIP Blocking:

Active pfBlockerNG CRON JOB normally means there is an update running on the box

Yeah, missed that giant red label. It's been a long day.

It sounds like pfBlockerNG is set to check for updates every hour? So it should have updated already.

A Former User

@ronpfs so I want that when a customer for example visits a web page in Turkey that I have blocked that a web page is displayed where it warns that the site is blocked instead of the classic internet page not available

RonpfS

@antonio-briguglio Not possible with IP blocking. Maybe other package like Squid or something similar could do that.

A Former User

@ronpfs i have squid but does it block geoips?

RonpfS

@antonio-briguglio said in GeoIP Blocking:

i have squid but does it block geoips?

I don't know, I don't use Squid.

Gertjan

@antonio-briguglio said in GeoIP Blocking:

so I want that when a customer for example visits a web page in Turkey that I have blocked that a web page is displayed where it warns that the site is blocked instead of the classic internet page not available

That's what called 'doing MITM'.
You can't (it's very hard).
See here for why not.

If the sites visited were 'http' only the redirection would be easy. https can't be redirected.

A Former User

@ronpfs Hi!
I set up geoips on PfblokerNg.
I tried to block a country of Africa Algeria, two countries of Europe, Germany and Sweden and one of Oceania, New Zealand, blocking the inbound and outbound connections. I type in a site from Algeria and it blocks it I type in a site from Germany and it blocks it and so far everything is ok.
But then when I go to type more sites of the countries that I have blocked here is the surprise the sites as if by magic are no longer blocked they are visible.
Why does this happen? is there a maximum number of consultation?
Then in some countries that I have set the block I have noticed for example that blocking four countries in Europe three out of four blocks one no.
Finally, in the log files trying to block, for example, Algeria in Africa, the site is blocked but the log file shows Europe and not Africa. Help

A Former User

@teamits so I want that when a customer for example visits a web page in Turkey that I have blocked that a web page is displayed where it warns that the site is blocked instead of the classic internet page not available

That's what called 'doing MITM'.
You can't (it's very hard).
See here for why not.

If the sites visited were 'http' only the redirection would be easy. https can't be redirected

RonpfS

@antonio-briguglio It is also possible to put domain like .ru in TLD Blacklist. But that's won't block a .net domain using RU ASN.

A Former User

@ronpfs but I don't understand why after for example 5 interregations sites no longer block them is it normal?

RonpfS

@antonio-briguglio GeoIP isn't always accurate. I block TOP Spammer from RU, RU_rep, CN and CN_rep, but sometimes the Alerts Tab will report another country. That is because the network is in two countries files.

Example for a block of 45.146.165.149 is reported as GB_v4 45.146.164.0/23.

grep "45\.146\.16" /usr/local/share/GeoIP/cc/*v4.txt
/usr/local/share/GeoIP/cc/DE_v4.txt:45.146.16.0/21
/usr/local/share/GeoIP/cc/Europe_v4.txt:45.146.160.0/22
/usr/local/share/GeoIP/cc/Europe_v4.txt:45.146.167.0/24
/usr/local/share/GeoIP/cc/Europe_v4.txt:45.146.168.0/23
/usr/local/share/GeoIP/cc/Europe_v4.txt:45.146.164.0/23
/usr/local/share/GeoIP/cc/Europe_v4.txt:45.146.166.0/24
/usr/local/share/GeoIP/cc/Europe_v4.txt:45.146.164.0/23
/usr/local/share/GeoIP/cc/Europe_v4.txt:45.146.166.0/24
/usr/local/share/GeoIP/cc/Europe_v4.txt:45.146.16.0/21
/usr/local/share/GeoIP/cc/GB_v4.txt:45.146.164.0/23
/usr/local/share/GeoIP/cc/GB_v4.txt:45.146.166.0/24
/usr/local/share/GeoIP/cc/LT_v4.txt:45.146.160.0/22
/usr/local/share/GeoIP/cc/RU_rep_v4.txt:45.146.164.0/23
/usr/local/share/GeoIP/cc/RU_rep_v4.txt:45.146.166.0/24
/usr/local/share/GeoIP/cc/RU_v4.txt:45.146.167.0/24
/usr/local/share/GeoIP/cc/RU_v4.txt:45.146.168.0/23

RonpfS

@antonio-briguglio said in GeoIP Blocking:

@ronpfs but I don't understand why after for example 5 interregations sites no longer block them is it normal?

It shouldn't be normal. Investigate the pfblockerNG log files, firewall logs etc to debug what is happening.