GeoIP Showing Unk
-
Re: All alerts showing as unk country code.. help
Hi all,
I'm trying to set up pfBlockerNG to deny access to certain countries. Everything seems to be working (I can see alerts when things are blocked, firewall aliases and rules are created etc.) but the alerts show everything in the GeoIP column as "Unk":
I've read through several other posts and tried various suggestions such as restarting the pfb_filter service after the first download of MaxMind and executing some php commands in the shell to force downloads/updates but nothing seems to be working. It's not a show-stopper for me as the rules are working as intended, but it would be nice to get to the bottom of it and see some proper data in the reports area, so I'd be grateful for any advice.
Thanks in advance and keep up the excellent work on the product!
LZ
-
@lordzohar Do you have a working MaxMind License Key?
-
@bob-dig Yes, MaxMind seems to have gone through OK and the logs show the database downloads OK.
The key was generated for 3.1.1 or newer, but I can make and apply a new one if you think the license key is the problem?
-
@lordzohar said in GeoIP Showing Unk:
if you think the license key is the problem?
No, it was only a wild guess on my side.
-
@lordzohar
Hello
I'm also concerned, on 2 different installs but the same version. I looked for a solution but without any success.
-
@lordzohar said in GeoIP Showing Unk:
Re: All alerts showing as unk country code.. help
Hi all,
I'm trying to set up pfBlockerNG to deny access to certain countries. Everything seems to be working (I can see alerts when things are blocked, firewall aliases and rules are created etc.) but the alerts show everything in the GeoIP column as "Unk":
I'm seeing this too. I'm using pfSense 2.6.0 and have noticed this behavior on several of the last versions of pfBlockerNG. I haven't said anything because it has not been that important to me, but it is an issue that folks that use GeoIP most likely would like to see fixed.
I've also noticed that the date for MaxMind updates more frequently than it used to. It used to only update once a month, but now it updates several times a month. Don't know if that is an issue or not, just something different I've noticed.
-
Hello!
Running PfB 3.1.0_9 on 22.05...
The code to update the GeoLite2-Country.mmdb file appears to be broken. This probably causes the mmdblookup to fail and results in the Unk.
When the .mmdb file is missing (i.e. new install, nuked GeoIP files, etc...), the update process will download a new GeoLite2-Country.tar.gz.
This download seems to work, but the code around lines 4103-4104 in pfblockerng.inc does not properly extract the mmdb file from the tar.gz.
exec("/usr/bin/tar -xzf {$file_dwn_esc} --strip=1 -C {$pfb['geoipshare']} >/dev/null 2>&1");
Returns :
tar: Error opening archive: Failed to open '/usr/local/share/GeoIP/GeoLite2-Country.tar.gz.raw'
Looks like it could be renaming and then trying to process the wrong file...?
Without the mmdb present, the update process will continually try to download and process the GeoLite2-Country.tar.gz file.
To fix, manually extract the mmdb file.
cd /usr/local/share/GeoIP
/usr/bin/tar -xzf GeoLite2-Country.tar.gz --strip=1
This should get you by until the first Tuesday of next month...
...or the Unk could be from some other problem...
John
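The manual extraction above, written as a function that reports each failure instead of discarding tar's output. This is an added example, not part of the original post and not pfBlockerNG code; the name `restore_mmdb`, its return codes and the archive layout noted in the comments are assumptions, and `--strip-components=1` is used as the long spelling of `--strip=1`.

```shell
#!/bin/sh
# Added example (not pfBlockerNG code): extract GeoLite2-Country.mmdb by hand
# and return a distinct status per failure instead of hiding tar's output.
# Assumed archive layout: GeoLite2-Country_<date>/GeoLite2-Country.mmdb
#
# usage: restore_mmdb [DIR] [ARCHIVE_NAME]
restore_mmdb() {
    geo_dir="${1:-/usr/local/share/GeoIP}"
    geo_tgz="$geo_dir/${2:-GeoLite2-Country.tar.gz}"
    geo_db="$geo_dir/GeoLite2-Country.mmdb"

    # 2: the archive name being opened does not exist (the ".raw" case above)
    if [ ! -r "$geo_tgz" ]; then
        echo "cannot read $geo_tgz" >&2
        return 2
    fi

    # 3: not a valid gzip tar, or it holds no database member
    geo_member=$(tar -tzf "$geo_tgz" 2>/dev/null |
        grep '/GeoLite2-Country\.mmdb$' | head -n 1)
    if [ -z "$geo_member" ]; then
        echo "no GeoLite2-Country.mmdb inside $geo_tgz" >&2
        return 3
    fi

    # Extract only that member into a scratch directory, so a failed run
    # never leaves a partial file where pfBlockerNG expects the database.
    geo_tmp=$(mktemp -d "$geo_dir/.mmdb.XXXXXX") || return 4
    if ! tar -xzf "$geo_tgz" -C "$geo_tmp" --strip-components=1 "$geo_member"
    then
        rm -rf "$geo_tmp"
        echo "tar failed on $geo_tgz" >&2
        return 4
    fi

    # 5: MaxMind DB files carry the marker "MaxMind.com" before their metadata
    if ! grep -q 'MaxMind\.com' "$geo_tmp/GeoLite2-Country.mmdb"; then
        rm -rf "$geo_tmp"
        echo "extracted file does not look like a MaxMind DB" >&2
        return 5
    fi

    mv -f "$geo_tmp/GeoLite2-Country.mmdb" "$geo_db" && rm -rf "$geo_tmp"
}
```

Called with no arguments as root, it works on `/usr/local/share/GeoIP/GeoLite2-Country.tar.gz`; a non-zero status identifies which step failed.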
-
@serbus has the maintainer commented on this? Good find!
I would open a redmine
-
@serbus Thank you for finding this as it resolved the issue for me as I can now see the country code in the GeoIP column under the Reports tab of pfBlockerNG. I did have to perform the command as root due to permissions, but it was successful. Cheers!
-
@serbus Sorry for the delay, I've been away over the holiday period. I checked my pfSense installation and the mmdb file already existed, so I renamed it and extracted it again as per the command in your post. After restarting the pfBlockerNG service I started to see country codes appearing in the alerts. I'm still getting the occasional UNK but I'm guessing this must be for some other reason - great find, thank you very much!
-
Hello all,
I'm also confirming it is OK now. I didn't reload pfBlockerNG and the country codes were already here just after untarring!
A big thanks to Serbus!
-
@serbus said in GeoIP Showing Unk:
Thanks for the report. The problem is that $file_dwn_esc should be $file_download. Will get this fixed in the next version.
exec("/usr/bin/tar -xzf {$file_dwn_esc} --strip=1 -C {$pfb['geoipshare']} >/dev/null 2>&1");
-