GeoIP rules blocking things not on the list
-
Hey @BBcan177 on my pfSense (2.4.5) I have pfBlocker-devel (latest stable version) setup to block GeoIP top spammer regions but sometimes it blocks regions not even on the list. Why? Thanks!
-
@ex1580
There was a potential issue with decompressing GZ files which was fixed in the last update. It's possible there is a database issue. Try to re-download MaxMind:
php -f /usr/local/pkg/pfblockerng/pfblockerng.php dc
Follow that by restarting the "pfb_filter" service.
-
@BBcan177 said in GeoIP rules blocking things not on the list:
php -f /usr/local/pkg/pfblockerng/pfblockerng.php dc
I executed
php -f /usr/local/www/pfblockerng/pfblockerng.php dc
and restarted the pfb_filter service and the issue remains.
-
@ex1580 it will only affect new events, not old events.
-
@BBcan177 Yep, I try to ping the IP and see if it's blocked. It was, by pfB_Top_v4. Ireland is the only false positive I see on the list of blocked GeoIP locations recently.
-
It wasn't the reputation, I just can't seem to read a log file. Doh! Duplicate event count got me.
-
@BBcan177 Yep, this is still happening today. Just wanted to let you know. The old MaxMind was a lot easier to use from the end user perspective.
-
This IP according to MaxMind:
This command is used to collect the GeoIP Country code for the Alerts Tab/Logs
mmdblookup -f /usr/local/share/GeoIP/GeoLite2-Country.mmdb -i 191.232.139.2 country iso_code
"IE" <utf8_string>
This is the master MaxMind CSV database entry for that IP Range. It's odd that my MaxMind shows it as a /12 while yours shows it as a /9?
This entry is used to build the individual Country txt files that pfBlockerNG uses for the firewall rules.
grep "191.128.0.0" /usr/local/share/GeoIP/*
network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
/usr/local/share/GeoIP/GeoLite2-Country-Blocks-IPv4.csv:191.128.0.0/12,3469034,3469034,,0,0
This shows "3469034" (Geoname) is BR:
grep "3469034" /usr/local/share/GeoIP/GeoLite2-Country-Locations-en.csv
geoname_id,locale_code,continent_code,continent_name,country_iso_code,country_name,is_in_european_unio
3469034,en,SA,"South America",BR,Brazil,0
Country is IE, but it's also registered in Brazil, which is a selection that you made with "BR".
If you want more clarity into why MaxMind defined it like this, you can submit a support ticket to see if anything is incorrect with their Database.
The next release of pfBlockerNG will show a little more detail in the Logs. So for this entry in your log, you would still see IE for the ISO code, but also see "BR_v4" as the Feed
Here is the full MaxMind json output:
mmdblookup -f /usr/local/share/GeoIP/GeoLite2-Country.mmdb -i 191.232.139.2
{
"continent":
{
"code":
"EU" <utf8_string>
"geoname_id":
6255148 <uint32>
"names":
{
"de":
"Europa" <utf8_string>
"en":
"Europe" <utf8_string>
"es":
"Europa" <utf8_string>
"fr":
"Europe" <utf8_string>
"ja":
"ヨーロッパ" <utf8_string>
"pt-BR":
"Europa" <utf8_string>
"ru":
"Европа" <utf8_string>
"zh-CN":
"欧洲" <utf8_string>
}
}
"country":
{
"geoname_id":
2963597 <uint32>
"is_in_european_union":
true <boolean>
"iso_code":
"IE" <utf8_string>
"names":
{
"de":
"Irland" <utf8_string>
"en":
"Ireland" <utf8_string>
"es":
"Irlanda" <utf8_string>
"fr":
"Irlande" <utf8_string>
"ja":
"アイルランド" <utf8_string>
"pt-BR":
"Irlanda" <utf8_string>
"ru":
"Ирландия" <utf8_string>
"zh-CN":
"爱尔兰" <utf8_string>
}
}
"registered_country":
{
"geoname_id":
3469034 <uint32>
"iso_code":
"BR" <utf8_string>
"names":
{
"de":
"Brasilien" <utf8_string>
"en":
"Brazil" <utf8_string>
"es":
"Brasil" <utf8_string>
"fr":
"Brésil" <utf8_string>
"ja":
"ブラジル連邦共和国" <utf8_string>
"pt-BR":
"Brasil" <utf8_string>
"ru":
"Бразилия" <utf8_string>
"zh-CN":
"巴西" <utf8_string>
}
}
}
-
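A worked example of the country vs registered_country distinction explained in the post above, added here and not code from the thread or from pfBlockerNG: it parses the two GeoLite2 CSV layouts shown above and reports which selected country code catches an address and through which field. The CSV rows are constructed (the /20 row is invented to mirror the mmdblookup result, located in IE and registered in BR), and the rule that a network lands in a country list when either field matches is an assumption taken from the explanation in the thread.

```python
import csv
import io
import ipaddress
# Constructed samples in the layout of the two GeoLite2 CSV files; the /20 row is invented
# to mirror the mmdblookup result in the thread (located in IE, registered in BR).
BLOCKS_CSV = """network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
191.128.0.0/12,3469034,3469034,,0,0
191.232.128.0/20,2963597,3469034,,0,0
"""
LOCATIONS_CSV = """geoname_id,locale_code,continent_code,continent_name,country_iso_code,country_name,is_in_european_union
3469034,en,SA,"South America",BR,Brazil,0
2963597,en,EU,Europe,IE,Ireland,1
"""

def load_locations(text):
    """geoname_id -> ISO country code, from the Locations CSV."""
    return {r["geoname_id"]: r["country_iso_code"] for r in csv.DictReader(io.StringIO(text))}

def load_blocks(text, locations):
    """Each Blocks row becomes (network, country ISO, registered-country ISO)."""
    return [(ipaddress.ip_network(r["network"]), locations.get(r["geoname_id"]),
             locations.get(r["registered_country_geoname_id"]))
            for r in csv.DictReader(io.StringIO(text))]

def lookup(ip, blocks):
    """Longest-prefix match, as the .mmdb lookup does; returns (country, registered_country)."""
    addr = ipaddress.ip_address(ip)
    hits = [b for b in blocks if addr in b[0]]
    if not hits:
        return None
    _, country, registered = max(hits, key=lambda b: b[0].prefixlen)
    return country, registered

def why_blocked(ip, selected, blocks):
    """List (iso, field, network) for every network containing ip that a selected code pulls in."""
    # Assumption taken from the thread: a network lands in a country's list when either its
    # country or its registered country is that code, so a BR selection also catches IE-located space.
    addr = ipaddress.ip_address(ip)
    reasons = []
    for net, country, registered in blocks:
        if addr not in net:
            continue
        if country in selected:
            reasons.append((country, "country", str(net)))
        if registered in selected and registered != country:
            reasons.append((registered, "registered_country", str(net)))
    return reasons

LOCATIONS = load_locations(LOCATIONS_CSV)
BLOCKS = load_blocks(BLOCKS_CSV, LOCATIONS)
```

Run against the real GeoLite2 CSV files, the same two functions show whether an alert's ISO code came from the country or the registered country column, which is what a GeoIP rule that seems to block "regions not on the list" usually comes down to.
-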
@BBcan177 Well that is definitely an answer! I had no idea that MaxMind thought it was also in Brazil. IDK if this is right or wrong or if I should even be blocking so much in my firewall as there are datacenters all over the world (these are outbound rules) but I don't use Bing and that IP seems to be a Microsoft "bingbot" according to Google. If the next release shows this better in the logs then I am happy. Thanks so much!
Output from those commands on my box.
mmdblookup -f /usr/local/share/GeoIP/GeoLite2-Country.mmdb -i 191.232.139.2 country iso_code
"IE" <utf8_string>
grep "191.128.0.0" /usr/local/share/GeoIP/*
/usr/local/share/GeoIP/GeoLite2-Country-Blocks-IPv4.csv:191.128.0.0/12,3469034,3469034,,0,0
grep "3469034" /usr/local/share/GeoIP/GeoLite2-Country-Locations-en.csv
3469034,en,SA,"South America",BR,Brazil,0
mmdblookup -f /usr/local/share/GeoIP/GeoLite2-Country.mmdb -i 191.232.139.2
{
"continent":
{
"code": "EU" <utf8_string>
"geoname_id": 6255148 <uint32>
"names":
{
"de": "Europa" <utf8_string>
"en": "Europe" <utf8_string>
"es": "Europa" <utf8_string>
"fr": "Europe" <utf8_string>
"ja": "ヨーロッパ" <utf8_string>
"pt-BR": "Europa" <utf8_string>
"ru": "Европа" <utf8_string>
"zh-CN": "欧洲" <utf8_string>
}
}
"country":
{
"geoname_id": 2963597 <uint32>
"is_in_european_union": true <boolean>
"iso_code": "IE" <utf8_string>
"names":
{
"de": "Irland" <utf8_string>
"en": "Ireland" <utf8_string>
"es": "Irlanda" <utf8_string>
"fr": "Irlande" <utf8_string>
"ja": "アイルランド" <utf8_string>
"pt-BR": "Irlanda" <utf8_string>
"ru": "Ирландия" <utf8_string>
"zh-CN": "爱尔兰" <utf8_string>
}
}
"registered_country":
{
"geoname_id": 3469034 <uint32>
"iso_code": "BR" <utf8_string>
"names":
{
"de": "Brasilien" <utf8_string>
"en": "Brazil" <utf8_string>
"es": "Brasil" <utf8_string>
"fr": "Brésil" <utf8_string>
"ja": "ブラジル連邦共和国" <utf8_string>
"pt-BR": "Brasil" <utf8_string>
"ru": "Бразилия" <utf8_string>
"zh-CN": "巴西" <utf8_string>
}
}
}