    Country Block

    pfSense Packages
      tommyboy180 last edited by

      With CountryBlock you can block any country you want at the Firewall level. You can optionally block access to as well as access from.

      Info:
      This package uses pf (pfctl) to block country CIDR ranges pulled from http://www.countryipblocks.net/. Each CIDR range is added to a list and processed as a pf table. The table will automatically be added to your Firewall in the background. By default all traffic originating from your selected countries will be blocked. You can also block access to these countries.
      Tested on 1.2.2, 1.2.3, and 2.0 with FF and Chrome. IE not supported.

      Version:
      2.4

      Version Highlights:
      Blocked countries are applied on start-up
      cron job compatible
      Option to log attempts
      Option to block or allow outbound access
      Select all countries checkbox
      Option to specify interfaces
      Total number of blocked networks is reported
      Whitelist CIDR range

      Limits:
      IE does not work with this package.

      How to:
      1. First select the countries you want to block and if you want to block outbound access or log attempts as well.
      2. Press "Commit Countries"
      3. Enable the package and press "Save/Update"

      FAQ:
      Q: How do I know if the list got applied?
      A: The package web interface will display the current status.

      Q: I have the "Enable" check box checked but I don't think it's blocking any Countries.
      A: Any Errors will be at the bottom of the page when you press Save/Update

      Q: I just want to block countries that SPAM the most.
      A: The first list includes the Top SPAM'ing countries.

      Q: How do I update the countries?
      A: Press "Save/Update" - keep in mind that country ranges RARELY change, therefore updating is not necessary.

      Q: I think I can improve your package or add features, how can I help?
      A: Send me a PM

      For troubleshooting see: http://forum.pfsense.org/index.php/topic,25732.msg166474.html#msg166474

      -Tom Schaefer
      SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

      Please support pfBlocker | File Browser | Strikeback

        Supermule Banned last edited by

        That is just SO nice!!!!

        Thx Tom for all your hard work and dedication to PFSense and making it a lot easier to be an network admin!! :)

        Keep up the good work….. If you end up in Denmark by mistake some day, give me a call.....I would be happy to sponsor a shitload of beer.....:D

          g4m3c4ck last edited by

          Wow Tom exactly what pfsense needs!

            killervette last edited by

            Will there be a way to only ALLOW certain countries and deny all others?

              tommyboy180 last edited by

              @killervette:

              Will there be a way to only ALLOW certain countries and deny all others?

              I will add a 'check all box' that way you can check all countries and remove the ones you want to allow.

                killervette last edited by

                great!  any eta on a release?

                • T
                  tommyboy180 last edited by

                  Soon. (Less than 2 days)

                  I have a stable working version that I am testing now.

                    mastablastaz last edited by

                    great package idea!

                      Supermule Banned last edited by

                      Has the package been made available for PFsense users via the webgui for install??

                        simby last edited by

                        an info, for pfsense 2.0? when can we DL?

                          killervette last edited by

                          will this run on 2.0 beta?  can I block all countries except the US without running into performance/memory issues running an ALIX board?

                            Supermule Banned last edited by

                            Forget I said anything….. ::) :D Mixed up the DNS Blacklist package with the Countryblock package.......

                            @killervette:

                            will this run on 2.0 beta?  can I block all countries except the US without running into performance/memory issues running an ALIX board?

                              killervette last edited by

                              @Supermule:

                              Use the whitelist feature instead ;)

                              @killervette:

                              will this run on 2.0 beta?  can I block all countries except the US without running into performance/memory issues running an ALIX board?

                              I'm new to pfsense.  Is whitelist a feature in country block? I have not installed it yet since I am on 2.0 beta and wasn't sure if it will work.

                                tommyboy180 last edited by

                                @killervette:

                                will this run on 2.0 beta?  can I block all countries except the US without running into performance/memory issues running an ALIX board?

                                If you are running embedded you may; by that I mean I don't test on embedded if that is what you run. As far as ALIX goes you should have almost 0 performance interference from this package.

                                This will run on 2.0, 32bit and 64bit. Hopefully a package commit will be completed here soon.

                                  killervette last edited by

                                  So a new guy question, where do I go to install it? I don't see it in my 1.2.3 package list.

                                    tommyboy180 last edited by

                                    Countryblock is now a package!

                                      Alan87i last edited by

                                      running V123 don't see it in the list.
                                      I have lusca cache installed Is that Why Maybe?

                                        Supermule Banned last edited by

                                        I see it in the list…..running 1.2.3. Is there a way to make it keep running even if states and rules change??? Something like a Fire and Forget missile??? :D

                                        That would be good.....:)

                                          tommyboy180 last edited by

                                          When a firewall rule change is made, /tmp/rules.debug is re-generated. The problem is that /tmp/rules.debug isn't written to, it's generated. To overcome this my two firewall packages inject the tables and rules into the file and then apply without regenerating.

                                          If I were to make it so you can fire and forget then I would have to make significant pfsense system changes which would do more harm than good, especially if something were to go wrong.

                                          What's nice is that it runs on start-up if enabled. With that being said, you can create a cron job to execute the package every hour, or five mins. This would be an easy and safe way of ensuring it's running all the time.

                                            darklogic last edited by

                                            This package sounds sweet!!! Do you have maybe a writeup on creating the cron job to start the package every hour?

                                              Supermule Banned last edited by

                                              Thx ever so much for this Tom!!! :)

                                              @tommyboy180:

                                              When a firewall rule change is made, /tmp/rules.debug is re-generated. The problem is that /tmp/rules.debug isn't written to, it's generated. To overcome this my two firewall packages inject the tables and rules into the file and then apply without regenerating.

                                              If I were to make it so you can fire and forget then I would have to make significant pfsense system changes which would do more harm than good, especially if something were to go wrong.

                                              What's nice is that it runs on start-up if enabled. With that being said, you can create a cron job to execute the package every hour, or five mins. This would be an easy and safe way of ensuring it's running all the time.

                                                csnf last edited by

                                                Got the package installed on my pfSense 1.2.3-RELEASE on nanobsd.  I've attempted to start this up and I get file system errors trying to write.  What commands do I need to make in order for your package to be able to write its changes?

                                                Is there not a way to write in a RW filesystem to commit changes then turn it back to Read only?

                                                BTW, this looks awesome…hope I can use it!

                                                  g4m3c4ck last edited by

                                                  Tommy everything works great being able to block China kicks major booty. 80% attempted attacks come from there. I have a question though. What does select/unselect do?

                                                    g4m3c4ck last edited by

                                                    @tommyboy180:

                                                    . With that being said, you can create a cron job to execute the package every hour, or five mins. This would be an easy and safe way of ensuring it's running all the time.

                                                    To save me some time what syntax do you use for your cron job? I know how to use cron but I am unsure what to run.

                                                      darklogic last edited by

                                                      I selected to block all and then unchecked the basics such as United States and Canada. When I commit and then check enabled and then click save/update, the pfsense box would lock up and nothing was able to flow across the Internet even though I had United States unchecked from the block list. I rebooted the pfsense manually and then everything appeared to come up as normal but no access to the IP webgui or Internet. I had to reinstall pfsense. I added the country block package back and only selected the top 10 spammers and that seems to be working ok.

                                                      Any idea on why an all block other than the United States would cause the system to not work at all?

                                                      Thanks,

                                                      Matt

                                                        tommyboy180 last edited by

                                                        @csnf:

                                                        Got the package installed on my pfSense 1.2.3-RELEASE on nanobsd.  I've attempted to start this up and I get file system errors trying to write.  What commands do I need to make in order for your package to be able to write its changes?

                                                        Is there not a way to write in a RW filesystem to commit changes then turn it back to Read only?

                                                        BTW, this looks awesome…hope I can use it!

                                                        I can look further into this, I usually don't support nanobsd because of special exceptions I make.
                                                        The script is getting hung up on creating two files, countries.txt and lists/countries.txt. Perhaps you can make these files and modify the permissions so they cannot be removed.

                                                        @g4m3c4ck:

                                                        Tommy everything works great being able to block China kicks major booty. 80% attempted attacks come from there. I have a question though. What does select/unselect do?

                                                        Select/unselect will check all boxes or uncheck all boxes. Much faster than clicking 200 some countries.

                                                        @g4m3c4ck:

                                                        @tommyboy180:

                                                        . With that being said, you can create a cron job to execute the package every hour, or five mins. This would be an easy and safe way of ensuring it's running all the time.

                                                        To save me some time what syntax do you use for your cron job? I know how to use cron but I am unsure what to run.

                                                        The file to run is "/usr/local/etc/rc.d/countryblock.sh"
                                                        For those who need help with cron jobs, there is a cron job package that will give you an easy GUI

                                                        @darklogic:

                                                        I selected to block all and then unchecked the basics such as United States and Canada. When I commit and then check enabled and then click save/update, the pfsense box would lock up and nothing was able to flow across the Internet even though I had United States unchecked from the block list. I rebooted the pfsense manually and then everything appeared to come up as normal but no access to the IP webgui or Internet. I had to reinstall pfsense. I added the country block package back and only selected the top 10 spammers and that seems to be working ok.

                                                        Any idea on why an all block other than the United States would cause the system to not work at all?

                                                        Thanks,

                                                        Matt

                                                        Ahh yes Matt. When you checked all countries you checked the Bogon list as well.
                                                        I think I need to take that out! For the meantime you can get into the console of the pfsense box and run this command "pfctl -t countryblock -T kill"

                                                        Then you will be able to go back into the GUI, uncheck Bogon's and then continue blocking China.

                                                          darklogic last edited by

                                                          Thanks for all your help. :)

                                                          I did your suggestion with the uncheck Bogon and added the cron package and applied the command you specified. All seems to be working well with the Country Block package now. I rebooted my firewall and all came up ok. I did notice I could access some Chinese websites with extensions of .cn

                                                          Does the Country Block work for both IP's and DNS naming or just IP?

                                                          A On the cron job I made the new job entry with this criteria and maybe you have some suggestions or minor tweaks to it.

                                                          Cron Job:

                                                          Minute: 0
                                                          Hour: *
                                                          Mday: *
                                                          Month: *
                                                          Wday: *
                                                          Who: root
                                                          Command:  /usr/local/etc/rc.d/countryblock.sh

                                                            chpalmer last edited by

                                                            @darklogic:

                                                            I selected to block all and then unchecked the basics such as United States and Canada. When I commit and then check enabled and then click save/update, the pfsense box would lock up and nothing was able to flow across the Internet even though I had United States unchecked from the block list. I rebooted the pfsense manually and then everything appeared to come up as normal but no access to the IP webgui or Internet. I had to reinstall pfsense. I added the country block package back and only selected the top 10 spammers and that seems to be working ok.

                                                            Any idea on why an all block other than the United States would cause the system to not work at all?

                                                            Thanks,

                                                            Ditto.

                                                            For info I'm on a 172.31.x.x/24 subnet…   pfSense 1.2.3 full install.  My thought is that my subnet was blocked on the lan side. Consoling in locally still worked.

                                                            Thanks for all the hard work!

                                                            edit=  I see the response now that I missed before...

                                                            Triggering snowflakes one by one..

                                                              darklogic last edited by

                                                              Also, another question is what are the major differences from this package over the IP Block package. I am testing both out and I find the IP Block package to be somewhat misunderstanding on the .gz extension. I go to the ipblocklist.com website and not all the lists are using the .gz extension. Also none of the country lists seem to use it. They seem to have only .txt files which I am not sure will work. I also noticed countryipblocks.net seems to put all files in either .txt or html lists. My question is does the Country Block package query from these sources and if so, wouldn't it be more practical to have the list periodically download a fresh copy and store them on the pfsense box locally to save on bandwidth, or does that seem to be a stupid question?

                                                              Thanks,

                                                              Matt

                                                                tommyboy180 last edited by

                                                                @darklogic:

                                                                Thanks for all your help. :)

                                                                I did your suggestion with the uncheck Bogon and added the cron package and applied the command you specified. All seems to be working well with the Country Block package now. I rebooted my firewall and all came up ok. I did notice I could access some Chinese websites with extensions of .cn

                                                                Does the Country Block work for both IP's and DNS naming or just IP?

                                                                A On the cron job I made the new job entry with this criteria and maybe you have some suggestions or minor tweaks to it.

                                                                Cron Job:

                                                                Minute: 0
                                                                Hour: *
                                                                Mday: *
                                                                Month: *
                                                                Wday: *
                                                                Who: root
                                                                Command:  /usr/local/etc/rc.d/countryblock.sh

                                                                You will still be able to access blocked countries unless you check 'Block Outbound' as well.

                                                                @darklogic:

                                                                Also, another question is what are the major differences from this package over the IP Block package. I am testing both out and I find the IP Block package to be somewhat misunderstanding on the .gz extension. I go to the ipblocklist.com website and not all the lists are using the .gz extension. Also none of the country lists seem to use it. They seem to have only .txt files which I am not sure will work. I also noticed countryipblocks.net seems to put all files in either .txt or html lists. My question is does the Country Block package query from these sources and if so, wouldn't it be more practical to have the list periodically download a fresh copy and store them on the pfsense box locally to save on bandwidth, or does that seem to be a stupid question?

                                                                Thanks,

                                                                Matt

                                                                The IP-Blocklist package uses lists of any extension. The only exception is if the list is compressed then .gz is the only supported compressed format.
                                                                Country Block does pull from the site every time you update. The reason is you rarely need to update, but when you do you want it to pull from a live source. Bandwidth shouldn't be an issue, if it is then countries hacking and SPAMing would be the least of your problems.

                                                                Good questions!

                                                                  g4m3c4ck last edited by

                                                                  Also note that Country Block takes less processing power because it works with CIDRs which is native to pfsense. IP Block uses a list per IP which takes more time to process. However, it can have its advantages when you want to block specific types of addresses.

                                                                    darklogic last edited by

                                                                    I believe I found a problem with Country Block or maybe there is something else I need to uncheck other than bogon. The problem I have right now is if I enable Country Block and run cron to restart it all seems to be ok. You can access the net, people can access our sites from the outside world and life is good, unless you have BlackBerrys that connect to our exchange server using the RIM services and connecting by an https URL to our hosted server. Mail will flow into our e-mail server like it should but BlackBerry seems to have issues logging in over the HTTPS OWA URL to our domain. If I turn Country Block off, then all these e-mails start flooding into the BlackBerrys. If I turn Country Block on, same issue where e-mails will not make it to the BlackBerry. I am 110% sure this is being caused by Country Block after battling it for a few days now. I really do not want to give this amazing feature up for the sake of BlackBerrys not being able to get past it for e-mail.

                                                                    Any HELP!!! would be nice or if someone else has noticed this, please let me know.

                                                                    Thanks,

                                                                    Matt

                                                                      darklogic last edited by

                                                                      This is the e-mail message that will be sent to our BlackBerrys directly from BlackBerry. We only start to get these messages after Country Block is enabled.

                                                                      Message Below:

                                                                      This email account is not currently accessible by your BlackBerry device, so you may be experiencing a delay in email delivery. This issue may be caused by a temporary problem with your email provider. BlackBerry Internet Service will continue attempting to access this account.

                                                                        Supermule Banned last edited by

                                                                        Do these phones use blocked country DNS or hosting ??

                                                                          darklogic last edited by

                                                                          Our domain name service provider is Network Solutions. We reside in the US. I am not sure how you would be able to track down multiple DNS servers that the BlackBerrys would end up using. I would imagine that our DNS servers are ok since browsing of our site and receiving incoming SMTP seem to be working ok, which would use our DNS. This problem seems to be somewhere along the lines of affecting BlackBerry devices that are connecting over OWA using the BlackBerry RIM service. Example of connection: https://mail.ourdomain.com/owa

                                                                          As far as knowing if they are hitting out of US DNS servers, I am not really sure how to find that out.

                                                                          Thanks,

                                                                          Matt

                                                                            Supermule

                                                                            Try to traceroute the traffic from the blackberry. Could be so that they use a subvendor for specific traffic and he is located in one of the blocked countries.

                                                                              dpg2

                                                                              Perhaps the following KB article from blackberry.com will help:

                                                                              http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB11036&sliceId=SAL_Public&dialogID=69199896&stateId=0%200%20692%2001325

                                                                              Are these blocks being blocked?

                                                                                darklogic

                                                                                dpg2

                                                                                This was very helpful. I went to countryipblocks.net and checked the IPs by CIDR, and it looks as if all BlackBerry service goes to either the United Kingdom or Canada, mostly Canada. And yes, I have both of them blocked. I did not try a traceroute yet. I am surprised to see that it appears all BlackBerry servers are not in the States, not one at all??? So if this is totally accurate, how would I allow only those CIDRs and block the rest of the country?

                                                                                Thanks,

                                                                                Matt

                                                                                  dpg2

                                                                                  Research in Motion is a Canadian company with its headquarters in Waterloo, Ontario.

                                                                                  I guess you need an 'allow' rule for the Blackberry blocks ahead of the 'deny' rules that the Country Block package puts in place. I'm not sure how flexible the Country Block package is for that sort of thing.

                                                                                  I believe the 'URL Table Aliases' package may offer a solution, since the address blocks can be handled as aliases and governed by rules directly in the web interface. Perhaps you could share a BlackBerry IP list from an internal server (or the pfSense box itself) and access it via a local URL (or just add the BB blocks to a regular alias; there aren't that many of them), and do the same with a list copied from countryipblocks.net.

                                                                                    g4m3c4ck
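The ordering dpg2 describes (an allow rule for the BlackBerry blocks ahead of the Country Block deny rules) depends on pf's matching semantics: the last matching rule wins unless a matching rule is marked `quick`, which ends evaluation on the spot. The following added example, which is not code from the Country Block package or from any poster here, models that evaluation over constructed tables and emits the pf.conf lines that would load them; the table names, the `$wan_if` macro, the file path and all CIDRs are constructed samples.

```python
"""Added example (not Country Block's code): model pf rule ordering for a
'pass quick' whitelist evaluated before per-country block tables, and emit
matching pf.conf lines. Every name, path and CIDR below is a constructed
sample; the /24 in the whitelist also sits inside the "CA" table so the
example shows why the whitelist must come first AND be 'quick'."""
import ipaddress

# Constructed data using RFC 5737 documentation ranges.
WHITELIST = ["203.0.113.0/24"]                    # stands in for a RIM block
COUNTRY_TABLES = {
    "CA": ["203.0.113.0/24", "198.51.100.0/24"],  # whitelist /24 is inside this
    "GB": ["192.0.2.0/24"],
}

def build_ruleset(whitelist, country_tables, whitelist_quick=True):
    """Ordered (action, quick, table, networks) tuples: whitelist first,
    then one block rule per country table, mirroring how a country-block
    ruleset would be laid out."""
    nets = lambda cidrs: [ipaddress.ip_network(c) for c in cidrs]
    rules = [("pass", whitelist_quick, "bb_whitelist", nets(whitelist))]
    for cc, cidrs in country_tables.items():
        rules.append(("block", False, f"countryblock_{cc}", nets(cidrs)))
    return rules

def decide(src, ruleset):
    """pf semantics: the LAST matching rule wins unless a matching rule is
    'quick', which returns immediately. No match at all means pass."""
    addr = ipaddress.ip_address(src)
    verdict = "pass"
    for action, quick, _table, nets in ruleset:
        if any(addr in n for n in nets):
            if quick:
                return action
            verdict = action
    return verdict

def pf_conf(ruleset, table_dir="/usr/local/etc/countryblock"):  # hypothetical dir
    """pf.conf fragment: file-backed table definitions, then the rules in order."""
    lines = [f'table <{t}> persist file "{table_dir}/{t}.txt"' for _, _, t, _ in ruleset]
    for action, quick, table, _ in ruleset:
        q = " quick" if quick else ""
        lines.append(f"{action} in{q} on $wan_if from <{table}> to any")
    return "\n".join(lines)

if __name__ == "__main__":
    rs = build_ruleset(WHITELIST, COUNTRY_TABLES)
    print(pf_conf(rs))
    print(decide("203.0.113.5", rs), decide("198.51.100.9", rs))
```

Dropping `quick` from the whitelist rule (`whitelist_quick=False`) lets the later Canada block rule win for the same address, which is the failure mode to check for when hand-adding an allow rule above the package's rules.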

                                                                                    I cannot get Country Block to stay running for the life of me. I have cron running the script every five minutes and I know it is executing because I have its output logged to a temporary file and the timestamp is correct. It seems to be working, but it always says "not running" in red.
