GeoIP blocking problems - Need help, please!


  • Re: GeoIP: Wrong country-continent combinations are permitted?

    I have a related problem for which I could use help.
    I have a security tunnel agent running on my work laptop. It creates tunnel sessions to the proxy in the cloud and internal business systems. Without it, my work laptop cannot function properly. The target IP addresses show in maxmind correctly as USA and assigned to my company:
    165.156.24.100 =US, Canton, Michigan,United States,North America
    165.156.24.115 =US, Canton, Michigan,United States,North America
    165.156.24.79 =US, Canton, Michigan,United States,North America

    However, the agent cannot connect and the firewall shows the traffic blocked due to the auto-rule: pfB_Asia_v4 auto rule (1770008664)
    Capture.JPG

    If I disable (or match) the IP > GeoIP Asia auto rule, all works fine.
    I noticed that in ntopng, one or more of these IPs is assigned to India and I do NOT have India selected in the GeoIP Asia IPv4 list. As a matter of fact, it does not matter if I select or de-select individual countries in that list. The traffic gets blocked.
    Capture2.JPG
    It does not matter if the rules are set to floating nor on the interfaces
    I also cannot find a way to set the GeoIP Asia IPv4 auto rule to block enabled and bypass it for these IP addresses. I have already tried the pfBlockerNG > IP > IPv4 Suppression and this did not work. I also tried manual pass-allow rules above the pfB_Asia_v4 auto rule but these fail because the auto rule ALWAYS resorts above the manual, regardless of any other other settings. I have tried various Firewall 'Auto' Rule Order settings and found them to be unreliable, or too cryptic to my understanding to make some combination work.

    I see multiple issues here:

    • Why is the autorule in pfBlockerNG setting these IP addresses in India (Asia)?

    • Why does individual selections of countries in the GeoIP Asia rule not seem to work? And possibly [probably] others as well?

    • Where or how should one place IP exceptions to allow them to be ignored and pass traffic which might be blocked by the pfBlockerNG?


  • It could be an error in the third party database being downloaded. Or, IPs "move" (https://azure.microsoft.com/en-us/blog/windows-azures-use-of-non-us-ipv4-address-space-in-us-regions/).

    To allow an IP you need a firewall rule above it. What I often do is set up an Alias Native alias and then can use it in whatever NAT or firewall rule I want (which allows ordering). The files are downloaded and stored on disk by country code:
    e21f386f-a1f0-41b8-832f-08634edf26db-image.png
    Remember to run an Update in pfBlocker after creating the entry, to generate the alias.

    As pfBlocker notes you can also default block all, and just allow the desired IPs or countries.