can't get GeoIP to work
-
I am using pfSense 2.4.4-RELEASE-p3. A few days ago I installed pfBlockerNG 2.1.4_22. I am trying to block IPs by country.
I have setup a free MaxMind account and put the key in. On the pfBlockerNG General page, I clicked the checkbox for Enable pfBlockerNG. I checked the box for Global Logging. Inbound Firewall Rules is set to WAN and Block, and Outbound Firewall Rules is set to LAN and Reject. Rule Order is | pfB_Block/Reject | All other Rules | (original format).
I've gone to pfBlockerNG->Firewall->GeoIP and blocked every country in each continent, except the countries I do want (United States, India, and New Zealand). On each continent page I set the List Action to Deny Inbound. I clicked Save on each continent page, and then went to the Update tab and did a Force Update.
It doesn't work at all - I still get lots of international traffic. The pfBlocker widget on the Dashboard page lists 0 in the packets column for every continent. Going to System Logs->Firewall does not show anything related to the recent pfBlocker setup. All it has is a bunch of "block bogon IPv6 networks from WAN (11000)" entries, the most recent of which is 5/28/2020.
I have gone to Diagnostics->Command Prompt and entered "/usr/local/www/pfblockerng/pfblockerng.php dc" (quotes included) in the Execute PHP Commands box, as I saw suggested in another thread. It gave me a blank PHP Response.
I also went to System->Advanced, Firewall & NAT and set the Firewall Maximum Table Entries to 600000 (was 400000).
Here is the output of the most recent Force Update I've done:
UPDATE PROCESS START [ 06/02/20 15:52:36 ]
Clearing all DNSBL Feeds...
** DNSBL Disabled **
===[ Continent Process ]============================================
MaxMind Database downloading and processing ( approx 4MB ) ... Please wait ...
Download Process Starting [ 06/02/20 15:52:36 ]
/usr/local/share/GeoIP/GeoLite2-Country.tar.gz 200 OK .
/usr/local/share/GeoIP/GeoLite2-Country-CSV.zip 200 OK
Download Process Ended [ 06/02/20 15:52:37 ]
Country code update Start
Converting MaxMind Country databases for pfBlockerNG.
Processing ISO IPv4 Continent/Country Data
Processing ISO IPv6 Continent/Country Data [ 06/02/20 15:52:45 ]
Creating pfBlockerNG Continent XML files
IPv4 Africa [ 06/02/20 15:52:48 ]
IPv6 Africa
IPv4 Antarctica
IPv6 Antarctica
IPv4 Asia
IPv6 Asia [ 06/02/20 15:52:49 ]
IPv4 Europe [ 06/02/20 15:52:50 ]
IPv6 Europe [ 06/02/20 15:52:52 ]
IPv4 North America [ 06/02/20 15:52:53 ]
IPv6 North America [ 06/02/20 15:52:54 ]
IPv4 Oceania [ 06/02/20 15:52:55 ]
IPv6 Oceania
IPv4 South America
IPv6 South America
IPv4 Proxy and Satellite
IPv6 Proxy and Satellite
IPv4 TOP 20
IPv6 TOP 20
pfBlockerNG Reputation Tab
Country Code Update Ended [ 06/02/20 15:52:56 ]
[ pfB_Africa_v4 ] exists. [ 06/02/20 15:52:56 ]
[ pfB_Africa_v6 ] exists.
[ pfB_Asia_v4 ] exists.
[ pfB_Asia_v6 ] exists.
[ pfB_Europe_v4 ] exists.
[ pfB_Europe_v6 ] exists.
[ pfB_NAmerica_v4 ] exists.
[ pfB_NAmerica_v6 ] exists.
[ pfB_Oceania_v4 ] exists.
[ pfB_Oceania_v6 ] exists.
[ pfB_SAmerica_v4 ] exists.
[ pfB_SAmerica_v6 ] exists.
===[ Aliastables / Rules ]==========================================
No changes to Firewall rules, skipping Filter Reload
No Changes to Aliases, Skipping pfctl Update
UPDATE PROCESS ENDED
I also have two notices showing up (the bell at the top-right of the screen). They are:
Filter Reload
There were error(s) loading the rules: /tmp/rules.debug:33: cannot define table pfB_Europe_v4: Cannot allocate memory - The line in question reads [33]: table <pfB_Europe_v4> persist file "/var/db/aliastables/pfB_Europe_v4.txt" @ 2020-06-02 13:47:53
There were error(s) loading the rules: /tmp/rules.debug:33: cannot define table pfB_Europe_v4: Cannot allocate memory - The line in question reads [33]: table <pfB_Europe_v4> persist file "/var/db/aliastables/pfB_Europe_v4.txt" @ 2020-06-02 14:55:14
Does anyone have any ideas for what I should do for troubleshooting?
-
What hardware / how much RAM does it have?
Perhaps try allowing those three countries rather than blocking all other IPs? (might be a smaller list to fit into RAM) -
Thanks for the response. It is running in a virtual machine. The Dashboard reports the CPU type as Intel(R) Xeon(R) CPU E5-2690 v3 @ 2.60GHz and every time I check it shows 29% of 1951 MiB RAM used.
I think you have a good suggestion. I can change those Deny Inbound settings on the different continents to Allow Inbound just for the three countries, but how will that stop the other countries? We have several ports open (80, 443, and 22, off the top of my head). Do I set a Deny All somewhere, and only then set the Allow Inbounds for the 3 countries? How do I do that?
Thanks for your help!
-
The "cannot define table" is the firewall table size, e.g. https://forum.netgate.com/topic/45603/cannot-define-table-bogonsv6-cannot-allocate-memory
Adding all countries to a deny rule would be essentially loading every IP subnet in the world (minus the three).
We've generally used geo blocking on clients with NAT but it should be similar setup for just firewall rules. We set up an alias native table:
Simply change the country code letters for other countries. The files exist on disk. Then in the NAT rule the Source is the pfB alias (type pfB and it will autocomplete).
In other words:
allow US
allow India
allow New Zealand
(default deny rule will deny all others) -
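An added example, not from this thread or the pfBlockerNG project: a POSIX shell check that sizes the alias-table files against pf's table-entries limit, which is what the "Cannot allocate memory" notice above is about. On a pfSense box the limit would come from pfctl -sm and the tables from /var/db/aliastables; here both are constructed sample data (assumed, documentation prefixes) so the script runs anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): size the pfBlockerNG alias tables
# against pf's "table-entries" limit. pfSense's "Firewall Maximum Table
# Entries" sets that limit, and exceeding it is what produces
# "cannot define table ...: Cannot allocate memory" in /tmp/rules.debug.
# On a real box the inputs would be:
#   limit : pfctl -sm | awk '/table-entries/ {print $4}'
#   tables: /var/db/aliastables/pfB_*.txt
# Here both are constructed sample data so the script runs anywhere.

# count_entries DIR LIMIT: prints one line per table plus a TOTAL line,
# returns 1 if the running total exceeds LIMIT at any point.
count_entries() {
    dir=$1; limit=$2; total=0; rc=0
    for f in "$dir"/pfB_*.txt; do
        # skip blank and comment lines; every other line is one CIDR entry
        n=$(grep -cvE '^[[:space:]]*(#|$)' "$f")
        total=$((total + n))
        printf '%-18s %6d entries (running total %d)\n' \
            "$(basename "$f" .txt)" "$n" "$total"
        [ "$total" -gt "$limit" ] && rc=1
    done
    printf 'TOTAL %d / limit %d\n' "$total" "$limit"
    return "$rc"
}

# make_sample DIR: constructed stand-in for /var/db/aliastables (documentation
# prefixes, not real MaxMind data); Europe is deliberately the oversized table.
make_sample() {
    mkdir -p "$1"
    i=1; while [ "$i" -le 3 ]; do echo "203.0.113.$i/32"; i=$((i+1)); done > "$1/pfB_Oceania_v4.txt"
    i=1; while [ "$i" -le 5 ]; do echo "198.51.100.$i/32"; i=$((i+1)); done > "$1/pfB_NAmerica_v4.txt"
    { echo '# constructed sample'
      i=1; while [ "$i" -le 250 ]; do echo "192.0.2.$i/32"; i=$((i+1)); done; } > "$1/pfB_Europe_v4.txt"
}

# Demo on the sample data with a deliberately small limit of 200.
# Real use: count_entries /var/db/aliastables "$(pfctl -sm | awk '/table-entries/ {print $4}')"
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
count_entries "$demo_dir" 200 ||
    echo "=> raise Firewall Maximum Table Entries, or load only the allowed countries so the tables shrink"
rm -rf "$demo_dir"
```

The same check run over the real /var/db/aliastables directory shows which continent table first pushes the running total past the configured limit, which is the table pfctl will refuse to define.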
The package maintainer's (BBcan177) long-standing suggestion is to use pfBlockerNG-devel (currently 2.2.5_32).
There are plenty of fixes in it (this also applies to GeoIP). BTW, this also applies to the pfSense version (2.4.5).