Issue with pfBlocker GEOIP

Abramelin · Feb 9, 2024, 11:20 PM

Hello, guys!
Can someone help me with this issue?
The problem is that I'm trying to add countries in GEOIP block and enable it, but when I click on the IP tab and IPV4, this tab doesn't show the rules to be enabled.
🔒 Log in to view
🔒 Log in to view
🔒 Log in to view

I have checked the list of the GEOIPs using /usr/local/share/GeoIP/cc/, and I can see that some lists have no IP inside. So, I think that my issue is at this step, but I don't know how to force this update properly or if something in my firewall is blocking any MaxMind repository.

I'm thinking of excluding all files from /usr/local/share/GeoIP/cc/ and trying to recreate it again with cron.

Have you guys already faced this issue? If the answer is yes, what was the solution that you applied to it?

johnpoz · Feb 10, 2024, 1:30 AM

@Abramelin Not exactly sure what your hoping to accomplish.. But little advice, its much easier to allow than to try and block everything else..

I use geoip aliases to allow inbound into my services I have open to the public, but I limit it to US ips.. and some others that I have created.

This is much smaller list than trying to block the planet.

🔒 Log in to view

Abramelin · Feb 10, 2024, 1:30 AM

@johnpoz Thanks sir i will do that!

SteveITS · Feb 10, 2024, 2:08 AM

@Abramelin I’d think this problem would apply to pfBlocker as well:
https://forum.netgate.com/topic/186065/heads-up-new-suricata-7-0-3-package-is-coming-soon
…might need an update to it.

tieskekiggen · Feb 28, 2024, 8:53 AM

@SteveITS
I have the same issue as the TS with GeoIP.
The link to the post you sent gives me access denied even though I am logged into the forum.
🔒 Log in to view
What was the problem/fix given therein?
Thanks in advance!

johnpoz · Feb 28, 2024, 10:36 AM

@tieskekiggen that post was deleted because it was release, here is the release notes

https://forum.netgate.com/topic/186071/suricata-package-v7-0-3-available-here-are-the-release-notes

tieskekiggen · Feb 28, 2024, 11:03 AM

@johnpoz
Thanks for the reply.
But I don't think that is the issue because the lists are downloading to the system and contain IP information.
🔒 Log in to view
It seems to be an issue in pfBlocker.
This is a fresh installation of pfBlocker on the machine.
I've put all continents on deny inbound except Europe.
🔒 Log in to view
After an update/reload the aliases for the continents are not created, but the default block list is working.
🔒 Log in to view
Any idea what it could be?

johnpoz · Feb 28, 2024, 11:30 AM

@tieskekiggen I already went over my suggestion.. You shouldn't be trying to block the world.. If all you want to allow is EU, then just allow that..

There is little point to blocking the whole planet, when there is a default deny.. If you do not allow it, its blocked anyway. Create your rules with the allow in them. See my screenshot above.

tieskekiggen · Feb 28, 2024, 11:42 AM

@johnpoz
Yes I understand that, when I get it working, I will implement it differently too. This was purely for testing.
But the problem I am running into now is that the aliases it is supposed to create are not creating.
Hence my question as to how it could be that it doesn't work.
It seems to be nothing with the MaxMind license because I see the downloaded files in the /usr/local/share/GeoIP folder. Only pfBlocker is not creating the needed aliases.

johnpoz · Feb 28, 2024, 11:54 AM

@tieskekiggen look in your table to validate the alias is populated.

🔒 Log in to view

tieskekiggen · Feb 28, 2024, 12:18 PM

@johnpoz
Found the issue, I didn't choose the countries within the continent.
Therefore, it was not creating the alias.
Thanks for your quick responses anyway!