Country Block
-
So if networks were stored in an alias and read by countryblock while creating or updating the table, could that be a 50% goal?
-
I think that would be more than 50%. Basically if we can reach that functionality while moving away from the injection script then I would say that's a 90% solution.
-
The way I typically set up country blocking is with URL table aliases, just pasting in the countryblocks URL. That's limited to one country per alias though.
-
Great idea! :)
I will try to create this url table alias via php and then apply it to a rule.
Thanks for that.
-
I looked at countryblock package code and saw many system calls to files and filters and many javascripts.
To reach our goal to write most config to xml, I decided to use pfsense's framework and replace countryblock list from letters to continents.
Alias auto insertion is done and I'm very close to reaching rule creation. As the URL Table alias feature also implements a table on firewall rules, I think it is better to use pfSense's already done functions instead of rewriting everything.
tommyboy,
I know that you spent many many hours on package evolution, but I think it's time to adapt this package to 2.0 features. I'm planning to create a countryblock-dev package, so we can test it more deeply.
Please, feedback.
-
It looks great! You're really going out of your way here and I really appreciate your help!
If you get it to a point where you have stable operation please send some files my way. I would like to take a look at what you have done.
-
Hi,
I use PFSense 2.0 on a small Alix-Board.
My Questions:
- As I know there was a tab (Reiter) also for Mail to avoid Spams. In my version I have seen it no longer… Why?
- This CountryBlock denies traffic from these countries. Is there any way to block IN THESE countries I have chosen for being blocked?
Thank you for your help and the many hours you spent with the development.
Regards,
I.
-
The mail tab never blocked SPAM. It would send you an email if countryblock stopped working but since that time this package works relatively stable.
To answer your second question, no. If you are in that country then I would not recommend doing that. You may experience negative effects.
-
Hi all,
I've just finished countryblock rule creation. ;D
I will fix installation and publish countryblock-dev package today.
Now countryblock only uses pfsense native options, so I think stable state will be very soon.
-
Sweet. Where do you get the countryblock IP ranges from? Same lists in the current version?
-
Direct from countryipblocks.net site during package installation.
If any network changes, all we need is to reinstall the package.
-
So, let's start testing. countryblock-dev 0.4 is out! :)
I did last commit to it right now.
I think gui is fine, what we need to test is pfsense table update time.
Regards,
Marcello Coutinho
-
Feedback:
The GUI works nicely. I am able to maneuver and find exactly what I am looking for without issue. Excellent job.
The GUI execution is great. Immediately the country block rule was created in the LAN firewall rules.
Problems:
Inbound filter did not get applied to WAN firewall rules even though it's selected. I feel this is crucial and one of countryblock's greatest features.
No blocking is actually taking place. Rules.debug does not have countryblock rules and there seems to be an error in rules.debug
```
unresolvable dest aliases Countryblock inbound deny rule label "USER_RULE: Countryblock inbound deny rule"
```
I see that you have a table that you create in /var/db/aliastables and it works perfectly, however when the rule is applied you always get an error like
```
# unresolvable dest aliases Countryblock inbound deny rule label "USER_RULE: Countryblock inbound deny rule"
```
The rules I create with countryblock version 2.4 look like
```
#countryblock
table <countryblock> persist file '/usr/local/www/packages/countryblock/lists/countries.txt'
table <countryblockw> persist file '/usr/local/www/packages/countryblock/countries-white.txt'
pass quick from <countryblockw> to any label 'countryblock'
pass quick from any to <countryblockw> label 'countryblock'
block quick from <countryblock> to any label 'countryblock'
```
This was created in its own countryblock section which I feel I can modify version 2.4 to place these rules into the "# User-defined rules follow" section and double version 2.4's compatibility and stability. That's another topic though :)
On another subject, I really like how you made everything work. I love the XML package and it shows me that I have much to learn!
I'm still looking everything over to make sure everything is going the way it should. Sorry if I seem too involved but countryblock is my baby, same with ipblocklist. We need to figure out why the countryblock rules are not being applied correctly in rules.debug. I'm guessing there is a typo in the inc within the sync function. Nice validation BTW.
-
I forgot to finish XMLRPC SYNC, I'm doing it right now.
I saw the same problem on WAN. It's the default XML options that show in the GUI but do not apply on XML, so I will remove the Default option.
To work around that, just unselect/select WAN and save.
-
Package version 0.4.1 released with many bugs fixed and sync between pfsense boxes working.
-
Countryblock-dev 0.4.2 fixes pfctl rule creation.
-
marccelloc,
Other than trying to go to a blocked country, how do we know it's working? I ask because under "Services", my box is telling me it's not started.
2.1-DEVELOPMENT (i386)
built on Tue Sep 13 17:28:43 EDT 2011
FreeBSD 8.1-RELEASE-p4
-
There is no service in version 0.4.
To check countryblock, look:
- Firewall -> aliases
- Firewall -> rules
- Diagnostics -> Tables
- on console -> pfctl -sa
I will also try to remove this service option.
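
The checks listed above can be complemented by reading the generated ruleset itself. The following is an added example, not part of the original thread or the package's code: it scans a constructed rules.debug-style sample for the `unresolvable ... aliases` comment reported earlier in the thread and for tables that rules use without a `table` declaration. The sample lines, the alias file name and the function names are assumptions.

```shell
#!/bin/sh
# Added example: audit a pf ruleset dump for the two failures seen in this thread.
# Constructed sample; on a pfSense box the generated ruleset is /tmp/rules.debug.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
table <countryblock> persist file "/var/db/aliastables/countryblock.txt"
# unresolvable dest aliases Countryblock inbound deny rule label "USER_RULE: Countryblock inbound deny rule"
block quick from <countryblock> to any label "USER_RULE: Countryblock LAN rule"
pass quick from <countryblockw> to any label "countryblock"
EOF

# Print each line where a rule was replaced by an "unresolvable ... aliases"
# comment. Only the "dest" form appears in the thread; other words are assumed.
unresolved_rules() {
    grep -E '^[[:space:]]*#[[:space:]]*unresolvable [a-z]+ aliases' "$1"
}

# Print table names used by pass/block rules but never declared with "table <name>".
# A rule pointing at an undeclared table will not load, so nothing gets blocked.
undeclared_tables() {
    declared=$(sed -n 's/^table <\([^>]*\)>.*/\1/p' "$1" | sort -u)
    grep -E '^(pass|block)[[:space:]]' "$1" | grep -oE '<[^>]+>' | tr -d '<>' | sort -u |
    while read -r t; do
        echo "$declared" | grep -qxF "$t" || echo "$t"
    done
}

# Exit status 0 only when the ruleset shows neither problem.
audit_ruleset() {
    [ -z "$(unresolved_rules "$1")" ] && [ -z "$(undeclared_tables "$1")" ]
}

# Report on the constructed sample when run stand-alone.
if audit_ruleset "$SAMPLE"; then
    echo "ruleset OK"
else
    echo "unresolved rules:";  unresolved_rules "$SAMPLE"
    echo "undeclared tables:"; undeclared_tables "$SAMPLE"
fi
```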
-
Okay,
So far I'm seeing good performance and it's working as I expect it to. We need to be ready to have the lists be downloaded from an archive like version 2.4 does. The reason is countryipblocks.net was getting way too much traffic from my pfsense users. It caused problems on their website so keep that in mind. Still testing but I'm liking it. I do want to change some GUI components before we replace 2.4.
-
Have you ever thought about joining Countryblock and IPblocklist?
I've looked ipblocklist and both look very similar.
I do want to change some GUI components before we replace 2.4.
Feel free to change GUI options, but keep in mind that it's not so easy to customize XML options while using the pfsense framework.
The reason is countryipblocks.net was getting way too much traffic from my pfsense users
Is there a problem with doing it only during install?