Country Block



  • With CountryBlock you can block any country you want at the Firewall level. You can optionally block access to as well as access from.

    Info:
    This package uses pf (pfctl) to block country CIDR ranges pulled from http://www.countryipblocks.net/. Each CIDR range is added to a list and processed as a pf table. The table will automatically be added to your Firewall in the background. By default all traffic originating from your selected countries will be blocked. You can can also block access to these countries.
    Tested on 1.2.2, 1.2.3, and 2.0 with FF and Chome. IE not supported.

    Version:
    2.4

    Version Highlights:
    Blocked countries are applied on start-up
    cron job compatible
    Option to log attempts
    Option to block or allow outbound access
    Select all countries checkbox
    Option to specif interfaces
    Total number of blocked networks is reported
    Whitelist CIDR range

    Limits:
    IE does not work with this package.

    How to:
    1. First select the countries you want to block and if you want to block outbound access or log attempts as well.
    2. Press "Commit Countries"
    3. Enable the package and press "Save/Update"

    FAQ:
    Q: How do I know if the list got applied?
    A: The package web interface will display the current status.

    Q: I have the "Enable" check box checked but I don't think its blocking any Countries.
    A: Any Errors will be at the bottom of the page when you press Save/Update

    Q: I just want to block countries that SPAM the most.
    A: The first list includes the Top SPAM'ing countries.

    Q: How do I update the countries?
    A: Press "Save/Update" - keep in mind that countries ranges RARELY change, therefore updating is not necessary.

    Q: I think I can improve your package or add features, how can I help?
    A: Send me a PM

    For troubleshooting see: http://forum.pfsense.org/index.php/topic,25732.msg166474.html#msg166474


  • Banned

    That is just SO nice!!!!

    Thx Tom for all your hard work and dedication to PFSense and making it a lot easier to be an network admin!! :)

    Keep up the good work….. If yhou end up in Denmark by mistake some day, give me a call.....I would be happy to sponsor a shitload of beer.....:D



  • Wow Tom exactly what pfsense needs!



  • Will there be a way to only ALLOW certain countries and deny all others?



  • @killervette:

    Will there be a way to only ALLOW certain countries and deny all others?

    I will add a 'check all box' that way you can check all countries and remove the ones you want to allow.



  • great!  any eta on a release?



  • Soon. (Less than 2 days)

    I have a stable working version that I am testing now.



  • great package idea!


  • Banned

    Has the package been made available for PFsense users via the webgui for install??



  • an info, for pfsense 2.0? when can we DL?



  • will this run on 2.0 beta?  can i block all countries except the US without running into performance/memory issues running an ALIX board?


  • Banned

    Forget I said anything….. ::) :D Mixed up the DNS Blacklist package with the Countryblock package.......

    @killervette:

    will this run on 2.0 beta?  can i block all countries except the US without running into performance/memory issues running an ALIX board?



  • @Supermule:

    Use the whitelist feature instead ;)

    @killervette:

    will this run on 2.0 beta?  can i block all countries except the US without running into performance/memory issues running an ALIX board?

    Im new with pfsense.  Is whitelist a feature in country block? I have not installed it yet since I am on 2.0 beta and wasnt sure if it will work.



  • @killervette:

    will this run on 2.0 beta?  can i block all countries except the US without running into performance/memory issues running an ALIX board?

    If you are running embedded you may; by that I mean I don't test on embedded if that is what you run. As far as ALIX goes you should have almost 0 performance interference from this package.

    This will run on 2.0, 32bit and 64bit. Hopefully a package commit will be completed here soon.



  • So a new guy question, where do i go to install it.  I dont see it in my 1.2.3 package list.



  • Countryblock is now a package!



  • running V123 don't see it in the list.
    I have lusca cache installed Is that Why Maybe?


  • Banned

    I see it in the list…..running 1.2.3. Is there a way to make it keep running even if states and rules change??? Something like a Fire and Forget missile??? :D

    That would be good.....:)



  • When a firewall rule change is made, /tmp/rules.debug is re-generated. The problem is that /tmp/rules.debug isn't written to, its generated. To overcome this my two firewall packages inject the tables and rules into the file and then apply without regenerating.

    If I were to make it so you can fire and forget then I would have to make significant pfsense system changes which would do more harm then good, especially if something were to go wrong.

    What's nice is that it runs on start-up if enabled. With that being said, you can create a cron job to execute the package every hour, or five mins. This would be an easy and safe way of ensuring its running all the time.



  • This package sounds sweet!!! Do you have maybe a writeup on creating the cron job to start the package every hour?


  • Banned

    Thx ever so much for this Tom!!! :)

    @tommyboy180:

    When a firewall rule change is made, /tmp/rules.debug is re-generated. The problem is that /tmp/rules.debug isn't written to, its generated. To overcome this my two firewall packages inject the tables and rules into the file and then apply without regenerating.

    If I were to make it so you can fire and forget then I would have to make significant pfsense system changes which would do more harm then good, especially if something were to go wrong.

    What's nice is that it runs on start-up if enabled. With that being said, you can create a cron job to execute the package every hour, or five mins. This would be an easy and safe way of ensuring its running all the time.



  • Got the package installed on my pfSense 1.2.3-RELEASE on nanobsd.  I've attempted to start this up and I get file system errors trying to write.  What commands do I need to make in order for your package to be able to write its changes?

    Is there not a way to write in a RW filesystem to commit changes then turn it back to Read only?

    BTW, this looks awesome…hope I can use it!



  • Tommy everything works great being able to block China kicks major booty. 80% attempted attacks come from there. I have a question though. What does select/unselect do?



  • @tommyboy180:

    . With that being said, you can create a cron job to execute the package every hour, or five mins. This would be an easy and safe way of ensuring its running all the time.

    To save me some time what syntax do you use for your cron job? I know how to use cron but I am unsure what to run.



  • I selected to block all and then unchecked the basics such as United States and Canada. When I commit and then check enabled and then click save/update. The pfsense box would lockup and nothing was able to flow accross the Internet even though I had United States Unchecked from the block list. I rebooted the pfsense manually and then everything appeared to come up as normal but no access to the IP webgui or Internet. I had to reinstall pfsense. I added the country block package back and only slected the top 10 spammers and that seems to be working ok.

    Any idea on why an all block other than the United States would cause the system to not work at all?

    Thanks,

    Matt



  • @csnf:

    Got the package installed on my pfSense 1.2.3-RELEASE on nanobsd.  I've attempted to start this up and I get file system errors trying to write.  What commands do I need to make in order for your package to be able to write its changes?

    Is there not a way to write in a RW filesystem to commit changes then turn it back to Read only?

    BTW, this looks awesome…hope I can use it!

    I can look further into this, I usually don't support nanobsd because of special exceptions I make.
    The script is getting hung up on creating two files, countries.txt and lists/countries.txt. Perhaps you can make these files and modify the permissions so they cannot be removed.

    @g4m3c4ck:

    Tommy everything works great being able to block China kicks major booty. 80% attempted attacks come from there. I have a question though. What does select/unselect do?

    Select/unselect will check all boxes or uncheck all boxes. Much faster than clicking 200 some countries.

    @g4m3c4ck:

    @tommyboy180:

    . With that being said, you can create a cron job to execute the package every hour, or five mins. This would be an easy and safe way of ensuring its running all the time.

    To save me some time what syntax do you use for your cron job? I know how to use cron but I am unsure what to run.

    The file to run is "/usr/local/etc/rc.d/countryblock.sh"
    For those who need help with cron jobs, there is a cron job package that will give you an easy GUI

    @darklogic:

    I selected to block all and then unchecked the basics such as United States and Canada. When I commit and then check enabled and then click save/update. The pfsense box would lockup and nothing was able to flow accross the Internet even though I had United States Unchecked from the block list. I rebooted the pfsense manually and then everything appeared to come up as normal but no access to the IP webgui or Internet. I had to reinstall pfsense. I added the country block package back and only slected the top 10 spammers and that seems to be working ok.

    Any idea on why an all block other than the United States would cause the system to not work at all?

    Thanks,

    Matt

    Ahh yes Matt. When you checked all countries you checked the Bogon list as well.
    I think I need to take that out! For the mean time you can get into the console of the pfsense box and run this command ""pfctl -t countryblock -T kill""

    Then you will be able to go back into the GUI, uncheck Bogon's and then continue blocking China.



  • Thanks for all your help. :)

    I did your suggestion with the uncheck Bogon and added the cron package and applied the command you specified. All seems to be working well with the Country Block package now. I rebooted my firewall and all came up ok. I did notice I could access some Chinese websites with extensions of .cn

    Does the Country Block work for both IP's and DNS naming or just IP?

    A On the cron job I made the new job entry with this criteria and maybe you have some suggestions or minor tweaks to it.

    Cron Job:

    Minute: 0
    Hour: *
    Mday: *
    Month: *
    Wday: *
    Who: root
    Command:  /usr/local/etc/rc.d/countryblock.sh



  • @darklogic:

    I selected to block all and then unchecked the basics such as United States and Canada. When I commit and then check enabled and then click save/update. The pfsense box would lockup and nothing was able to flow accross the Internet even though I had United States Unchecked from the block list. I rebooted the pfsense manually and then everything appeared to come up as normal but no access to the IP webgui or Internet. I had to reinstall pfsense. I added the country block package back and only slected the top 10 spammers and that seems to be working ok.

    Any idea on why an all block other than the United States would cause the system to not work at all?

    Thanks,

    Ditto.

    For info Im on a 172.31.x.x/24 subnet…   pfSense 1.2.3 full install.  My thought is that my subnet was blocked on the lan side. Consoling in locally still worked.

    Thanks for all the hard work!

    edit=  I see the response now that I missed before...



  • Also, another question is what are the major difference from this package over the IP Block package. I am testing both out and I find the IP Block package to be somewhat misunderstanding on the .gz extension. I go to the ipblocklist.com website and not all the list are using the .gz extension. Also none of the country list seems to use it. They seem to have only .txt files which I am not sure will work. I also noticed countryipblocks.net seems to put all files in either .txt or html list. My question is does Country Block package query from these sources and if so, wouldn't it be more practical to have the list periodically download a fresh copy and store them on the pfsense box locally to save on bandwidth or does that seem to be a stupid question.

    Thanks,

    Matt



  • @darklogic:

    Thanks for all your help. :)

    I did your suggestion with the uncheck Bogon and added the cron package and applied the command you specified. All seems to be working well with the Country Block package now. I rebooted my firewall and all came up ok. I did notice I could access some Chinese websites with extensions of .cn

    Does the Country Block work for both IP's and DNS naming or just IP?

    A On the cron job I made the new job entry with this criteria and maybe you have some suggestions or minor tweaks to it.

    Cron Job:

    Minute: 0
    Hour: *
    Mday: *
    Month: *
    Wday: *
    Who: root
    Command:  /usr/local/etc/rc.d/countryblock.sh

    You will still be able to access blocked countries unless you check 'Block Outbound' as well.

    @darklogic:

    Also, another question is what are the major difference from this package over the IP Block package. I am testing both out and I find the IP Block package to be somewhat misunderstanding on the .gz extension. I go to the ipblocklist.com website and not all the list are using the .gz extension. Also none of the country list seems to use it. They seem to have only .txt files which I am not sure will work. I also noticed countryipblocks.net seems to put all files in either .txt or html list. My question is does Country Block package query from these sources and if so, wouldn't it be more practical to have the list periodically download a fresh copy and store them on the pfsense box locally to save on bandwidth or does that seem to be a stupid question.

    Thanks,

    Matt

    The IP-Blocklist package uses lists of any extension. The only exception is if the list is compressed then .gz is the only supported compressed format.
    Country Block does pull from the site every time you update. The reason is you rarely need to update, but when you do you want it to pull from a live source. Bandwidth shouldn't be an issue, if it is then countries hacking and SPAMing would be the least of your problems.

    Good questions!



  • Also note that Country block take less processing power because it works with CIDRs which is native to pfsense. IP Block uses list per IP which takes more time to process. However, it can have its advantages when you want to block specific types of addresses.



  • I believe I found a problem with Country Block or maybe there is something else I need to uncheck other than bogon. The problem I have right now is if I enable Country Block and run cron to restart it all seems to be ok. You can access the net, people can access our sites from the outside world and life is good, unless you have blackberrys that connect to our exchange server using the RIM services and connecting by and https URL to our hosted server. Mail will flow into our e-mail server like it should but Blackberry seems to have issues logging in over the HTTPS OWA URL to our domain. If I turn Country Block off, then all these e-mails start flooding into the Blackberry's. If I turn the Country Block on, same issue where e-mails will not make it to the Blackberry. I am 110% sure this is being caused by the Country Block after battling it for a few days now. I really do not want to give this amazing features up for the sake of Blackberry's not able to get past it for e-mail.

    Any HELP!!! would be nice or if someone else has noticed this, please let me know.

    Thanks,

    Matt



  • This is the e-mail message that will be sent to our blackberry's directly from Blackberry. We only start to get these messages after Country Block is enabled.

    Message Below:

    This email account is not currently accessible by your BlackBerry device, so you may be experiencing a delay in email delivery. This issue may be caused by a temporary problem with your email provider. BlackBerry Internet Service will continue attempting to access this account.


  • Banned

    Do these phones use blocked country DNS or hosting ??



  • our domain name service provider is through network solutions. We reside in the US. I am not sure how you would be able to track down multiple DNS servers that the Blackberry's would end up using. I would image that our DNS servers are ok since browsing of our site and recieve incoming SMTP seems to be working ok, which would use our DNS. This problem seems to be somewhere along the lines of affecting BlackBerry devices that are connecting over owa using the Blackberry RIM service. Example of connection https://mail.ourdomain.com/owa

    As far as knowing if they are hitting out of US DNS servers, I am not really sure how to find that out.

    Thanks,

    Matt


  • Banned

    Try to traceroute the traffic from the blackberry. Could be so that they use a subvendor for specific traffic and he is located in one of the blocked countries.





  • dpg2

    This was very helpful. I went to the countrysipblocks.net and checked the IP's by CIDR, and it looks as if all BlackBerry service goes to either United Kingdom or Canada, mostly Canada. And yes I have both of them blocked. I did not try a trace route yet. I am supprised to see that it appears all BlackBerry servers our not in the States, not one at all??? So if this is totally accurate how would I allow only those CIDRS and block the rest of the Country?

    Thanks,

    Matt



  • Research in Motion is a Canadian company with its headquarters in Waterloo, Ontario.

    I guess you need an 'allow' rule for the Blackberry blocks ahead of the 'deny' rules that the Country Block package puts in place. I'm not sure how flexible the Country Block package is for that sort of thing.

    I believe the 'URL Table Aliases' package may offer a solution since the address blocks can be handled as aliases and governed by rules directly in the web interface. Perhaps you could share a Blackberry IP list from an internal server (or the pfsense box itself) and access it via a local URL (or just add the BB blocks to a regular alias, there aren't that many of them), and do the same with a list copied from countrysipblocks.net.



  • I can not get country block to stay running for the life of me. I have cron running the script every five minutes and I know it is executing because I have the its output logged to a temporary file and the timestamp is correct. It seems to be working but it always says "not running" in red.


Locked