Not understanding this ip block (https://ipinfo.io/AS32934)



  • I have added https://ipinfo.io/AS32934 as a source in both IPv4 and IPv6. The rules look as they should. AS32934 is Facebook. dig facebook.com returns 31.13.69.228 (this time; it changes over time). 31.13.69.0/24 is in the list, but facebook.com still loads in a browser. dig facebook.com also often returns 31.13.65.36, which is explicitly in the list.

    Looking at it in IPv6 facebook.com resolves to 2a03:2880:f111:83:face:b00c:0:25de which is explicitly in the ipv6 list.

    I'm sure I have it set up correctly, deny_both. (Yes, I know, but I am just trying things. deny_outbound should have the result I'm looking for.)

    So, what trickery is at work here? What's going on in the browser that allows facebook.com to load?

    Thanks!

    Edited to add: I use Cloudflare for DNS. I wonder if Facebook uses Cloudflare's CDN, which would be IP ranges not in Facebook's AS.

    I know I could just use tcpdump, but life is short. Later if no one has other ideas.

    Edited again to say that 2a03:2880:f103:83:face:b00c:0:25d aka edge-star-mini6-shv-01-iad3.facebook.com is reachable (ping) always. 2a03:2880:f103::/48 is in the block list. Looking at the rules, the ipv6 list (from the ipv6 tab) is an ipv4 rule. I think that is a bug...

    One last edit: changed that rule to use ipv6 address family and all is as it should be. Facebook is blocked.

    Sorry to have a conversation with myself, I feel a bit foolish. Should have waited until I worked this out before posting.

    So, it looks like ipv6 "tab" lists get incorrectly set up as ipv4 rules. And it looks like this has been fixed in the devel version.


  • Moderator

    @jwj said in Not understanding this ip block (https://ipinfo.io/AS32934):

    So, it looks like ipv6 "tab" lists get incorrectly set up as ipv4 rules. And it looks like this has been fixed in the devel version.

    Yes, this is fixed in pfBlockerNG-devel.
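
The address-family mismatch discussed in this thread can be checked mechanically. The sketch below is an added example, not part of the original posts and not pfBlockerNG code; the rule structure, rule names and function names are a constructed, simplified model that assumes a rule only matches packets of its own address family, and it uses the prefixes and addresses quoted in the thread.

```python
import ipaddress

# Constructed model: "inet" = IPv4 rule, "inet6" = IPv6 rule.
# Prefixes are the ones quoted in the thread; rule names are hypothetical.
RULES = [
    {"name": "AS32934_v4", "af": "inet", "prefixes": ["31.13.69.0/24"]},
    # The situation described: the IPv6 list attached to an IPv4 rule.
    {"name": "AS32934_v6", "af": "inet", "prefixes": ["2a03:2880:f103::/48"]},
]

AF_VERSION = {"inet": 4, "inet6": 6}


def mismatched_prefixes(rules):
    """Return (rule name, prefix) pairs whose IP version differs from the rule's family."""
    bad = []
    for rule in rules:
        for prefix in rule["prefixes"]:
            if ipaddress.ip_network(prefix).version != AF_VERSION[rule["af"]]:
                bad.append((rule["name"], prefix))
    return bad


def is_blocked(addr, rules):
    """Assumption of this model: a rule is only evaluated for its own family."""
    ip = ipaddress.ip_address(addr)
    for rule in rules:
        if AF_VERSION[rule["af"]] != ip.version:
            continue  # an inet rule never sees IPv6 traffic, and vice versa
        for prefix in rule["prefixes"]:
            net = ipaddress.ip_network(prefix)
            if net.version == ip.version and ip in net:
                return True
    return False


def with_family_from_prefixes(rules):
    """Copy of rules with each family derived from its first prefix (one family per rule)."""
    fixed = []
    for rule in rules:
        version = ipaddress.ip_network(rule["prefixes"][0]).version
        fixed.append({**rule, "af": "inet6" if version == 6 else "inet"})
    return fixed


if __name__ == "__main__":
    v6 = "2a03:2880:f103:83:face:b00c:0:25d"
    print("mismatches:", mismatched_prefixes(RULES))
    print("v6 blocked before fix:", is_blocked(v6, RULES))
    print("v6 blocked after fix:", is_blocked(v6, with_family_from_prefixes(RULES)))
```

Running the mismatch check over an exported rule set before testing in a browser separates "the prefix is missing from the list" from "the prefix is listed but the rule can never match it".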


 
