Not understanding this ip block (https://ipinfo.io/AS32934)
-
I have added https://ipinfo.io/AS32934 as a source in both ipv4 and ipv6. The rules look as they should. AS32934 is Facebook. dig facebook.com returns 31.13.69.228 (this time; it changes over time). 31.13.69.0/24 is in the list, but facebook.com still loads in a browser. dig facebook.com also often returns 31.13.65.36, which is explicitly in the list.
Looking at it in IPv6 facebook.com resolves to 2a03:2880:f111:83:face:b00c:0:25de which is explicitly in the ipv6 list.
I'm sure I have it set up correctly, deny_both. (Yes, I know, but I am just trying things. deny_outbound should have the result I'm looking for.)
So, what trickery is at work here? What's going on in the browser that allows facebook.com to load?
Thanks!
Edited to add: I use Cloudflare for DNS. I wonder if Facebook uses Cloudflare's CDN, which would be IP ranges not in Facebook's AS.
I know I could just use tcpdump, but life is short. Later if no one has other ideas.
Edited again to say that 2a03:2880:f103:83:face:b00c:0:25d aka edge-star-mini6-shv-01-iad3.facebook.com is reachable (ping) always. 2a03:2880:f103::/48 is in the block list. Looking at the rules, the ipv6 list (from the ipv6 tab) is an ipv4 rule. I think that is a bug...
One last edit: changed that rule to use ipv6 address family and all is as it should be. Facebook is blocked.
Sorry to have a conversation with myself, I feel a bit foolish. Should have waited until I worked this out before posting.
So, it looks like ipv6 "tab" lists get incorrectly set up as ipv4 rules. And it looks like this has been fixed in the devel version.
-
@jwj said in Not understanding this ip block (https://ipinfo.io/AS32934):
So, it looks like ipv6 "tab" lists get incorrectly set up as ipv4 rules. And it looks like this has been fixed in the devel version.
Yes, this is fixed in pfBlockerNG-devel.
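The failure mode worked out in this thread (an IPv6 list attached to a rule with the IPv4 address family, so its entries never match), as an added example that is not part of the original posts and is not pfBlockerNG code. The rule model, the rule names and the function names are hypothetical; the addresses and prefixes are the ones quoted in the thread.

```python
import ipaddress

# Hypothetical, simplified rule model (NOT the pfSense/pfBlockerNG config format):
# a rule has a name, an address family ("inet" or "inet6") and a list of CIDRs.
# Assumption: a rule only ever matches packets of its own address family.
RULES = [
    {"name": "AS32934_v4", "family": "inet", "cidrs": ["31.13.69.0/24"]},
    # The misconfiguration from the thread: IPv6 list on an IPv4 rule.
    {"name": "AS32934_v6", "family": "inet", "cidrs": ["2a03:2880:f103::/48"]},
]

FAMILY_VERSION = {"inet": 4, "inet6": 6}


def family_mismatches(rules):
    """Return (rule name, cidr) pairs whose IP version differs from the rule's family."""
    found = []
    for rule in rules:
        want = FAMILY_VERSION[rule["family"]]
        for cidr in rule["cidrs"]:
            if ipaddress.ip_network(cidr, strict=False).version != want:
                found.append((rule["name"], cidr))
    return found


def effective_networks(rule):
    """Networks the rule can actually match: only entries of the rule's own family."""
    want = FAMILY_VERSION[rule["family"]]
    nets = (ipaddress.ip_network(c, strict=False) for c in rule["cidrs"])
    return [n for n in nets if n.version == want]


def is_blocked(addr, rules):
    """True if addr falls inside a network that some rule can actually match."""
    ip = ipaddress.ip_address(addr)
    return any(
        ip.version == net.version and ip in net
        for rule in rules
        for net in effective_networks(rule)
    )


if __name__ == "__main__":
    for name, cidr in family_mismatches(RULES):
        print(f"rule {name}: {cidr} can never match (wrong address family)")
    for addr in ("31.13.69.228", "2a03:2880:f103:83:face:b00c:0:25d"):
        print(addr, "blocked" if is_blocked(addr, RULES) else "NOT blocked")
```

Switching the second rule's family to `inet6` makes the IPv6 address report as blocked, which matches the manual fix described in the first post.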