Country vs Registered country
-
Re: PfBlockerNG GeoIP lists show multiple lines for each country
Hello,
New here, very far away from being a guru, I will try to explain my problem in english (french being my main language).
I have a PFsense +pfblockerNG on which I am blocking all countries but France and USA. On my computer I am using a Mullvad VPN and of course I'm trying my new settings by changing my Mullvad locations and it's giving me weird results so I tried many things and discovered that Mullvad IP's have completely different "country" and "registered country" in the GeoLite database, for example:For an "irish IP (I just kept the relevant data, structure is broken)
curl -u "828775:0au8b6IiuePAFPpT"
"https://geolite.info/geoip/v2.1/country/me?pretty"
"country": {
"is_in_european_union": true,
"iso_code": "IE",
"geoname_id": 2963597,
"names": {
"en": "Ireland"
"registered_country": {
"is_in_european_union": true,
"iso_code": "RO",
"geoname_id": 798549,
"names": {
"en": "Romania"For a swiss IP the country is Switzerland but the registered country is Sweden, for a US IP the country is USA but the registered country is United Kingdom and so on ... even if I choose a french IP, country is France but registered country is Sweden (home of Mullvad by the way)
I guess my first question: which one, "country" or "registered country" is using pfblockerNG when I choose to block Ireland for ex ?
Now on my pfblockerNG, as I said I blocked the whole world by doing "Deny both" on absolutely all the 9 lines in GeoIP summary and then I unchecked just France + France_rep (in Europa) and USA + USA_rep (in North America) to allow these 2 countries ... result is weird: without my VPN I can access my server behind the firewall, if I activate my VPN, I cannot access anything if I choose a french location, a US location, a swiss location but if I choose the irish location, I am back accessing the server ...
So my first explanation was the pfblockerNG was using the registered country which would explain that forbidding by country name with the VPN would return unexpected result but the test with Ireland did broke that reasoning (because registered country for Ireland is Romania which is also supposedly blocked) and I am at lost to find a logical explanation ...
I read that blocking the whole world is note the best way of doing things (I should maybe instead permit France and USA ?) but nevertheless I really would like to understand what I am doing wrong here ...
Thks for listening,
Pierre -
@pierr0t IPv4 address blocks are often sold and resold. Therefore the location data changes over time. If you look up an IP on something like iplocation.net (random site) it uses multiple databases and I find sometimes all of them agree, and other times the answers are wildly different. We do have a client with a Calyptix router, where someone in Ireland was detected as a French IP so we had to allow France (or at least that IP, I don't recall).
I would hope MaxMind would use the location where the IP is, rather than who owns/registered it? I do not know specifically. Sorry I am not much help there.
re: blocking the world:
-
block all but one country: all IPs are loaded into your firewall's RAM and compared to each packet
-
allow one country: only one country's IPs are loaded into your firewall
That's why allowing is usually more efficient.
-
-
Thanks for reading and answering.
To explain a little bit more: the results I gave are from querying the GeoLite database from MaxMind, so to answer your question, Maxmind does not choose, it gives all the information, both "country" and "registered country" and even "represented country" (as explained in the thread I used as a reference to start this one).
Now what I am wondering is what does pfblockerNG do with that info. When I ask to block "Ireland" how does pfblockerNG get IP's from Ireland ? It collects all IP's with "Ireland IR" in "country" or all IP's with "Ireland IR" in "registered country" ... I guess this a choice made by pfblockerNG not Maxmind unless I am totally misunderstanding the process ...
Of course if pfblockerNG is using the later (registered country), testing through that kind of VPN becomes impossible, I would have to allow Romania to authorize Switzerland, not very practical.Thanks !
Pierre -
Hello,
I made some more tests.
For example, using my Mulvad VPN I choose a swiss location in Zürich, the provided IP is: 193.32.127.221
If I query Maxmind Geolite 2 I get:
- country: CH (Switzerland)
- registered_country: SE (Sweden)
In pfBlockerNG, if I authorize only Switzerland, I'm blocked, if I authorize Sweden I can go through ...
Conclusion: pfBlockerNG is using the "registered_country" to authorize countries but should use "country" which reflects in a more reliable way the country where the IP is used ... not the country where the IP was purchased ...
Am I understanding the things properly ?
Thanks.
Pierre. -
@pierr0t said in Country vs Registered country:
Am I understanding the things properly ?
If your understanding is that geoip info is changing target and no db is going to be 100% accurate then yeah your understanding it correct ;)
But sure in such a scenario as your example it would be better to use the country vs registered - but does every IP in the db provide this info? I would think not.. But maybe @BBcan177 could make some adjustments to use country if provided?
-
@pierr0t said in Country vs Registered country:
Conclusion: pfBlockerNG is using the "registered_country" to authorize countries but should use "country" which reflects in a more reliable way the country where the IP is used ... not the country where the IP was purchased ...
But what happens if company XYZ buys a block of address space and uses some of it elsewhere, Maxmind don't know what's used where ?
Andy
1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22
-
@nogbadthebad said in Country vs Registered country:
Maxmind don't know what's used where ?
Not right away that is for sure - we sold off some of our /16 space while back, and it was now being used in the middle east vs the US.. And it did take a while for that info to get updated. To be honest I would have to check - maybe its still wrong ;)
-
@johnpoz said in Country vs Registered country:
@nogbadthebad said in Country vs Registered country:
Maxmind don't know what's used where ?
Not right away that is for sure - we sold off some of our /16 space while back, and it was now being used in the middle east vs the US.. And it did take a while for that info to get updated. To be honest I would have to check - maybe its still wrong ;)
Indeed I used to work for a company that had xx.0.0.0/8 and now some of it is used by Microsoft.
-
@nogbadthebad I just checked, and the first range that was sold is updated to the new company and country looks correct from what I remember being told where the IPs were going to be used just in conversation when the sale was taking place.
But it was sold if in multiple different size blocks, so would have to check some other ranges to see if they are all up to date.
While in general - I think a really good attempt is made to be correct.. But there are always going to be inconsistencies to be found
-
@pierr0t said in Country vs Registered country:
Now on my pfblockerNG, as I said I blocked the whole world by doing "Deny both" on absolutely all the 9 lines in GeoIP summary and then I unchecked just France + France_rep (in Europa) and USA + USA_rep (in North America) to allow these 2 countries ... result is weird: without my VPN I can access my server behind the firewall, if I activate my VPN, I cannot access anything if I choose a french location, a US location, a swiss location but if I choose the irish location, I am back accessing the server ...
Don't block the whole world using pfBlocker alias, create a rule to deny all and above create a rule to allow what you want using a pfBlocker alias.
If you deny all with a pfblocker alias you'll have a massive alias that every packet will need to traverse.
-
Hello,
Well it seems that Maxmind does know pretty well, I tested a lot of the IP's provided by the Mulvad VPN and Maxmind is always returning the proper "country" (ie "country" shows the country where Mulvad pretends to be for that IP and a site like iplocation.net does as well), but Maxmind does also return the "registered_country" which seems to be where the IP was originaly purchased and there is also (but not always) a "represented_country" (used when the IP address belongs to something like a military base) ...
But to summarize, I think that pfBlockerNG should use "country" and not "registered_country" to reflect where the IP is really used. In my case I had to authorize "Sweden" to be able to use an IP used in Zürich Switzerland.Pierre.
-
@pierr0t Care to share a few of the ip addresses you checked against?
-
For example the one I am currently using, Mulvad VPN Zürich Switzerland, this is the answer from GeoLite:
curl -u "xxxxxxx:xxxxxxxxx" \ "https://geolite.info/geoip/v2.1/country/193.32.127.221?pretty" { "continent": { "code": "EU", "geoname_id": 6255148, "names": { "ru": "Европа", "zh-CN": "欧洲", "de": "Europa", "en": "Europe", "es": "Europa", "fr": "Europe", "ja": "ヨーロッパ", "pt-BR": "Europa" } }, "country": { "iso_code": "CH", "geoname_id": 2658434, "names": { "pt-BR": "Suíça", "ru": "Швейцария", "zh-CN": "瑞士", "de": "Schweiz", "en": "Switzerland", "es": "Suiza", "fr": "Suisse", "ja": "スイス連邦" } }, "registered_country": { "is_in_european_union": true, "iso_code": "SE", "geoname_id": 2661886, "names": { "ja": "スウェーデン王国", "pt-BR": "Suécia", "ru": "Швеция", "zh-CN": "瑞典", "de": "Schweden", "en": "Sweden", "es": "Suecia", "fr": "Suède" } }, "traits": { "ip_address": "193.32.127.221", "network": "193.32.127.0/24" } }%Mulvad tells me I am in Switzerland but I have to authorize Sweden to go through pfBlockerNG :-)
Pierre -
Regarding this specific remark (about denying all and just authorizing specific country): I know, I just have to do it ... but it's a very low traffic firewall so I'm in no hurry ...
Pierre.
-
andyk@mac-pro ~ % whois 193.32.127.221 % IANA WHOIS server % for more information on IANA, visit http://www.iana.org % This query returned 1 object refer: whois.ripe.net inetnum: 193.0.0.0 - 193.255.255.255 organisation: RIPE NCC status: ALLOCATED whois: whois.ripe.net changed: 1993-05 source: IANA # whois.ripe.net inetnum: 193.32.127.0 - 193.32.127.255 netname: NET-31173-193-32-127 country: CH geoloc: 47.3631 8.5414 language: de descr: 31173 Services AB infrastructure in Zurich, Switzerland. org: ORG-SS1087-RIPE admin-c: SS36127-RIPE tech-c: SS36127-RIPE abuse-c: SS36127-RIPE status: ASSIGNED PA mnt-by: ESAB-MNT created: 2020-05-04T09:36:06Z last-modified: 2020-05-05T11:40:13Z source: RIPE organisation: ORG-SS1087-RIPE org-name: 31173 Services Switzerland org-type: OTHER geoloc: 47.3631 8.5414 language: de address: 31173 Services AB address: c/o Interxion address: S?gereistrasse 35 address: Glattbrugg address: 8152 Opfikon address: Switzerland admin-c: SS36127-RIPE tech-c: SS36127-RIPE mnt-by: ESAB-MNT mnt-ref: ESAB-MNT created: 2020-05-04T09:00:26Z last-modified: 2020-05-05T11:29:32Z source: RIPE # Filtered role: 31173 Services Switzerland address: 31173 Services AB address: c/o Interxion address: S?gereistrasse 35 address: Glattbrugg address: 8152 Opfikon address: Switzerland abuse-mailbox: abuse-cust-ch@31173.se admin-c: NEMO1-RIPE tech-c: KPE-RIPE nic-hdl: SS36127-RIPE mnt-by: ESAB-MNT created: 2020-05-04T08:48:30Z last-modified: 2020-05-04T08:48:30Z source: RIPE # Filtered % Information related to '193.32.127.0/24AS39351' route: 193.32.127.0/24 origin: AS39351 mnt-by: ESAB-MNT created: 2019-11-03T16:35:41Z last-modified: 2020-05-04T09:37:52Z source: RIPE % This query was served by the RIPE Database Query Service version 1.106.1 (ABERDEEN) andyk@mac-pro ~ %Go here and pop in the IP address or AS number:-
https://hackertarget.com/as-ip-lookup/
The whois reports Services AB infrastructure in Zurich, Switzerland and the IP/ASN reports ESAB-AS, SE.
When you do the AS number it reports 193.32.127.0/24 as belonging to ESAB-AS, SE to the right.
Looks to me like its a Swedish company hosting a server in Switzerland.
-
Yes exactly, IP is being used in Switzerland but was purchased in Sweden (Mulvad being a swedish company).
Maxmind reports it properly, the question is how does pBlockerNG use that info, for me it should use the "country" info instead of the "registered_country" info ... but I guess that only the author of pfBlockerNG could tell me if my diagnostic is true or not.
Pierre
-
@pierr0t If BBCan177 doesn't find this thread you could create a bug/feature request at redmine.pfsense.org. If it's not a bug, possibly it could be added as a separate list like "rep" is separate, although it would basically double the size of the existing "all IPs in ___" list if they are listed twice and people allow two. A bit more flexible but more confusing.
IOW does the Swedish company just happen to put their servers in a data center in Switzerland and they are using it? Is a particular block from an ISP that works across borders? Many possibilities.
Allowing your own IP is a bit easier...can be done for one, if you create a dynamic DNS hostname and allow the hostname.
-
@nogbadthebad You could maybe use the providers ASN number, they only use 4 providers in Switzerland:-
-
Yes but at the same time, it's not really me, it's pfBlockerNG ... I understand I could create rules using the ASN but if I use pfBlockerNG it would be nice if they were using "country" instead of "registered_country" ... Anyway I will try to open a feature request/bug as suggested by @SteveITS :-)
Thks.
Pierre -
