Country Block
-
Nice new interface tommy appreciate it.
Gotta question for you though, i see that there are a few packages related to dns (country block,dns blacklist), is it possible to get something like OpenDNS but locally? mostly the custom shortcuts andstats (top domains etc)? if so how hard would it be?
I'm really not sure. Countryblock uses CIDR ranges which works nicely with the firewall and is really easy to script. As far as DNS stuff goes, I have no idea. I bet you could modify the DNS blacklist package to support what you are looking for.
I'm glad to see that people are getting better results with the latest version. Thank you all for your support.
-
The DNS Blacklist doesnt have anything at the GUI end for doing what I want, it would have to be done under the hood and I was thinking of something that would be easy for all, even those with out programming skills, though I am willing to learn.
I was thinking the tinyDNS package could do this but I gave up on it when I messed up DNS on my network (didnt get very far before doing this >:(), waiting until I can get a test system ready before trying it again, if I do get it working I plan on doing an FAQ/Tutorial on it as no one has made one publicly available that I could find.
-
regarding cron .
with CB getting closer to real stable, it is probably a bad thing to run the cron start job very often.
I may be wrong, as happens not infrequently , but the 1-st part of the script /usr/local/www/packages/countryblock/execute.sh
{{{
pfctl -t countryblock -T kill
}}}
seems to disable the countryblock rules .shortly after the rules are enabled.
so the more stable this great package gets, the less frequent the cronjob should be run.
Also
/usr/local/www/packages/countryblock/execute.sh should be improved if possible to check if the countryblock rules are active. then restart only if needed.Maybe someone who knows about pfctl could help with the script?
thanks again to the author for this package. I owe you some beer.
-
regarding cron .
with CB getting closer to real stable, it is probably a bad thing to run the cron start job very often.
I may be wrong, as happens not infrequently , but the 1-st part of the script /usr/local/www/packages/countryblock/execute.sh
{{{
pfctl -t countryblock -T kill
}}}
seems to disable the countryblock rules .shortly after the rules are enabled.
so the more stable this great package gets, the less frequent the cronjob should be run.
Also
/usr/local/www/packages/countryblock/execute.sh should be improved if possible to check if the countryblock rules are active. then restart only if needed.Maybe someone who knows about pfctl could help with the script?
thanks again to the author for this package. I owe you some beer.
Great suggestion! Checking to see if it's running before processing is easy but if changes are made while it's running then the firewall entries for countryblock need to be deleted and re-added. If this isn't done then duplicate data will be written to the firewall config resulting is lower performance and very possibly syntax errors in the config.
Since all updates to the config are done via the GUI I can move this code to the php page and leave it out of the script. I will change the script to see if it's running before processing.Give me some time to make the changes and test since today is my birthday! Thanks again for the helpful suggestion.
Edit: I will also add a log system log entry every time the script is run and whether the processes are already running of if countryblock had to be started back up.
-
Congrats Tom!! ;) Rest and enjoy your day!
-
well happy bday!!!!!!
Again thanks for the continued updates
-
I have a question on the selectable interfaces. I will be installing some additional NICs in the box so that my personal PC is separate from the server. Currently I don't select outbound because it blocks some pages I try to view and I'd really like to have this feature for my server. Thus, I assume I would want to uncheck the WAN and my personal interface and just have my server interface checked, correct? Just curious.
-
I have a question on the selectable interfaces. I will be installing some additional NICs in the box so that my personal PC is separate from the server. Currently I don't select outbound because it blocks some pages I try to view and I'd really like to have this feature for my server. Thus, I assume I would want to uncheck the WAN and my personal interface and just have my server interface checked, correct? Just curious.
Not checking your WAN interface will leave you vulnerable to attack from your blocked counties. However, yes. If you do not select your WAN and your LAN, then you will be able to enforce outbound access, on the DMZ, to the countries while still being able to access them on your LAN.
For a customized configuration you can always edit /usr/local/www/packages/countryblock/execute.sh to give you more control over how you want to block access to the countries. -
Is there a way to get notified when Country Block stops? I keeps not running for me, and I can't tell if it's because of something I did or not.
-
@Bai:
Is there a way to get notified when Country Block stops? I keeps not running for me, and I can't tell if it's because of something I did or not.
I am working on email notifications for the next version. Right now I'm looking at gmail support only.
-
with gmail support, will it support google apps users?
-
-
google apps users use @yourdomain.com but other than that it is googles servers (smtp.gmail.com, smtp.googlemail.com etc)
-
google apps users use @yourdomain.com but other than that it is googles servers (smtp.gmail.com, smtp.googlemail.com etc)
Yes that's right. That's how I setup my email. I'm not sure, it should. I'm using smtp.gmail.com as the gateway, so as long as it authenticates it will work.
I hope to have this out soon, so you will be able to test here shortly. -
well since google is making all gapps accounts full (almost) google accounts, one can log in at gmail.com with their full email address and get ones email.
I will be glad to be the first tester!
-
I've got email working right now. I was able to use any SMTP gateway, so email will not be restricted to gmail. So far I have successfully tested yahoo SMTP and gmail SMTP, but there isn't a reason why any SMTP gateway won't work.
Right now this is only on php4 and if I'm not mistaken php5 is on pfsense BETA 2. I don't have BETA 2 so I will need a tester here in a couple days if anyone wants to help out. -
I'm still having trouble with CB staying running. Is there anything I should look at?
-
@Bai:
I'm still having trouble with CB staying running. Is there anything I should look at?
Which version of CB are you using?
And PfSense version?
-
Not checking your WAN interface will leave you vulnerable to attack from your blocked counties. However, yes. If you do not select your WAN and your LAN, then you will be able to enforce outbound access, on the DMZ, to the countries while still being able to access them on your LAN.
For a customized configuration you can always edit /usr/local/www/packages/countryblock/execute.sh to give you more control over how you want to block access to the countries.I see. So to block all incoming I just keep the WAN checked and then if I check "Block outbound" and uncheck my personal LAN then my server and son's computer will be outbound blocked but mine will be unaffected even though all incoming is blocked? Just clarifying. Thanks.
-
Not checking your WAN interface will leave you vulnerable to attack from your blocked counties. However, yes. If you do not select your WAN and your LAN, then you will be able to enforce outbound access, on the DMZ, to the countries while still being able to access them on your LAN.
For a customized configuration you can always edit /usr/local/www/packages/countryblock/execute.sh to give you more control over how you want to block access to the countries.I see. So to block all incoming I just keep the WAN checked and then if I check "Block outbound" and uncheck my personal LAN then my server and son's computer will be outbound blocked but mine will be unaffected even though all incoming is blocked? Just clarifying. Thanks.
That is correct. You should be able to test this easily by accessing a site located in one of the countries and using a proxy located in the country. That's how I have been checking to make sure I understand how it works (I'm a visual learner).