Issue with pfBlocker GEOIP

johnpoz · Feb 10, 2024, 1:30 AM

@Abramelin Not exactly sure what your hoping to accomplish.. But little advice, its much easier to allow than to try and block everything else..

I use geoip aliases to allow inbound into my services I have open to the public, but I limit it to US ips.. and some others that I have created.

This is much smaller list than trying to block the planet.

login-to-view

Abramelin · Feb 10, 2024, 1:30 AM

@johnpoz Thanks sir i will do that!

SteveITS · Feb 10, 2024, 2:08 AM

@Abramelin I’d think this problem would apply to pfBlocker as well:
https://forum.netgate.com/topic/186065/heads-up-new-suricata-7-0-3-package-is-coming-soon
…might need an update to it.

tieskekiggen · Feb 28, 2024, 8:53 AM

@SteveITS
I have the same issue as the TS with GeoIP.
The link to the post you sent gives me access denied even though I am logged into the forum.
login-to-view
What was the problem/fix given therein?
Thanks in advance!

johnpoz · Feb 28, 2024, 10:36 AM

@tieskekiggen that post was deleted because it was release, here is the release notes

https://forum.netgate.com/topic/186071/suricata-package-v7-0-3-available-here-are-the-release-notes

tieskekiggen · Feb 28, 2024, 11:03 AM

@johnpoz
Thanks for the reply.
But I don't think that is the issue because the lists are downloading to the system and contain IP information.
login-to-view
It seems to be an issue in pfBlocker.
This is a fresh installation of pfBlocker on the machine.
I've put all continents on deny inbound except Europe.
login-to-view
After an update/reload the aliases for the continents are not created, but the default block list is working.
login-to-view
Any idea what it could be?

johnpoz · Feb 28, 2024, 11:30 AM

@tieskekiggen I already went over my suggestion.. You shouldn't be trying to block the world.. If all you want to allow is EU, then just allow that..

There is little point to blocking the whole planet, when there is a default deny.. If you do not allow it, its blocked anyway. Create your rules with the allow in them. See my screenshot above.

tieskekiggen · Feb 28, 2024, 11:42 AM

@johnpoz
Yes I understand that, when I get it working, I will implement it differently too. This was purely for testing.
But the problem I am running into now is that the aliases it is supposed to create are not creating.
Hence my question as to how it could be that it doesn't work.
It seems to be nothing with the MaxMind license because I see the downloaded files in the /usr/local/share/GeoIP folder. Only pfBlocker is not creating the needed aliases.

johnpoz · Feb 28, 2024, 11:54 AM

@tieskekiggen look in your table to validate the alias is populated.

login-to-view

tieskekiggen · Feb 28, 2024, 12:18 PM

@johnpoz
Found the issue, I didn't choose the countries within the continent.
Therefore, it was not creating the alias.
Thanks for your quick responses anyway!