GeoIP database missing US ISP IP range
-
pfBlockerNG-devel 3.1.0_11
"...Its also not recommended to block the "world", instead consider rules to "Permit" traffic to/from selected Countries only.
Also consider protecting just the specific open WAN ports and its just as important to protect the outbound LAN traffic. .."
I have tried Alias Permit. Unfortunately, this didn't work for me.
GeoIP US doesn't include Optimum Online IP range (my ISP).
The GeoIP database needs to be 100% accurate to use " ... instead consider rules to "Permit" traffic to/from selected Countries only ..."
-
@lk777 said in GeoIP database missing US ISP IP range:
The GeoIP database needs to be 100% accurate to use "
Not sure where you got that idea from - but that is never going to be the case.. And sure won't be with IPv6..
So I find this - which network do you say is not in US listing?
https://tools.tracemyip.org/search--isp/optimum+online
edit: I just looked up 2 IPv4 IPs that you connected to forum with that both show optimum via whois, and they are for sure listed in the US listing in geoIP for US that is downloaded with pfblocker..
edit2: also looked up the IPv6 you connected with, and while that doesn't show being optimum, it does show via geoIP to be a US based IP from a different carrier. Your phone maybe?
Maybe if you actually said what you're trying to do that is not working, and we can work out why..
-
@lk777 if I (vaguely) remember correctly, alias permit deduplicates the lists but also omits IPs if it is used in another alias? Try alias native.
-
@steveits ,
Actually, that was Alias Native, sorry.
I have created that alias via IP4 with GeoIP format. On the GeoIP tab directly I have enabled only top spammers and proxies. I think pfBlockerNG is utilizing GeoIPlite which most likely doesn't include all ISP IP ranges.
-
@johnpoz ,
I am on 69.20.0.0/16 (optimum). And the result US,CA ip list (aliastable) doesn't include this range.
Regarding GeoIP and 100% accuracy, how can we utilize this database for allow/permit purposes as a source for NAT rules to allow access from the selected countries to the open ports on WAN, if it doesn't include all ISP IP ranges?
-
@lk777 That IP is in there.
But that is not your isp space.. that is owned by rackspace
NetRange: 69.20.0.0 - 69.20.127.255
CIDR: 69.20.0.0/17
NetName: RSPC-NET-4
NetHandle: NET-69-20-0-0-1
Parent: NET69 (NET-69-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS10532, AS33070, AS19994, AS27357
Organization: Rackspace Hosting (RACKS-8)
Your isp owns this space for example
NetRange: 69.112.0.0 - 69.127.255.255
CIDR: 69.112.0.0/12
NetName: NETBLK-OOL-6BLK
NetHandle: NET-69-112-0-0-1
Parent: NET69 (NET-69-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS6148
Organization: Optimum Online (OPTO)
Your IP that you talk to the forum is in that space - it's not in a 69.20/16
And both of those ranges are in the geoip db that pfblocker downloads for US space..
You understand it condenses down the ranges, so it might not always be an exact CIDR match, but your isp space in that range is included in that 69.112/12 (69.112.0.0 - 69.127.255.255) and that other US space you mention that is not your isp, is also included..
As to it being 100% accurate - you understand IP space moves around right.. Global companies, IP space is rented and sold, transferred to other companies... There is no freaking way it's 100%
https://support.maxmind.com/hc/en-us/articles/4407630607131-Geolocation-Accuracy
It is not possible for us to guarantee 100% geolocation accuracy.
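
The point about condensed ranges can be checked offline. The following is an added example, not part of the thread and not pfBlockerNG code: it tests whether an IP or CIDR is covered by an alias table even when no line matches it literally. It assumes the table is available as text with one IPv4 CIDR per line; the table contents and the host address 69.115.10.20 are constructed, while the 69.x ranges are the whois ranges quoted above.

```python
import ipaddress

# Constructed sample of an IPv4 alias table (one CIDR per line); this is not
# real pfBlockerNG output. The 69.x ranges come from the whois records quoted
# in the thread; the /16 is deliberately stored as two adjacent /17 entries.
SAMPLE_TABLE = """\
# constructed sample
69.20.0.0/17
69.20.128.0/17
69.112.0.0/12
203.0.113.0/24
"""


def load_table(text):
    """Parse CIDR lines, skip blanks and comments, merge adjacent/nested ranges."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    # collapse_addresses() requires a single IP version; this table is IPv4 only.
    return list(ipaddress.collapse_addresses(nets))


def check(target, table_text):
    """Return (literal_match, covering_network) for an IP or CIDR string.

    literal_match is what a plain text search for the string would find;
    covering_network is the merged range that contains the target, or None.
    """
    literal = any(line.strip() == target for line in table_text.splitlines())
    want = ipaddress.ip_network(target, strict=False)
    for net in load_table(table_text):
        if want.subnet_of(net):
            return literal, str(net)
    return literal, None


if __name__ == "__main__":
    for query in ("69.20.0.0/16", "69.115.10.20", "69.112.0.0/12", "198.51.100.7"):
        literal, covered = check(query, SAMPLE_TABLE)
        print(f"{query:16} literal={literal!s:5} covered_by={covered}")
```

A text search for `69.20.0.0/16` or for a single host address finds nothing in this table, yet both are covered, which is why the check has to be done on ranges rather than on strings.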