PfBlocker

KOM

Maxmind seems to be a commercial company.  Despite the fact their GeoIP files are publicly accessible, is it allowed to just take them?  They appear to charge a fee for access to their lists.

BBcan177

@KOM:

Maxmind seems to be a commercial company.  Despite the fact their GeoIP files are publicly accessible, is it allowed to just take them?  They appear to charge a fee for access to their lists.

Yes this is the Free Version of the Maxmind Database that is Updated Once per month. It is 98% accurate for Countries as per their website.

http://dev.maxmind.com/geoip/legacy/geolite/

They have a paid version but you would only need that if you wanted City or other GeoIP data.

KOM

OK great.  Thank you for that.  I looked around but didn't see the distinction before I posted.  I don't want to take what isn't mine to take, and I admit I'm a little late to this thread.

Mr. Jingles

@BBcan177:

@Hollander:

BB, but I can't seem to find how to do country blocking with your script. I know it is possible, but have I missed something? I want to block a great deal of countries I consider nothing good to come from ( 8) ;D ). If I overlooked something, could you please point me to the text I must have overlooked?

Hello Hollander,

First step is to add "unzip" as its a dependency:

pkg_add -r unzip

(See this thread to get 8.3 Package Archive ENV path)
https://forum.pfsense.org/index.php?topic=78935.msg431084#msg431084

Code from the Script:

    441 # ================================================================
    442
    443 # MaxMind GeoIP COUNTRY CODE Blocklist      (** Installation STEPS **)
    444 #
    445 # - Package Dependency (UNZIP) as stated above.
    446 # - Uncomment "#" the [ countrycode ] line below, save/exit.
    447 # - Run this script from the shell [ ./pfiprep killdb ]
    448 #   which will create the [ countrycode ] config file.
    449 #   (Don't run the script when CRON is expected to run)
    450 # - When the script exits "EDIT" the [  countrycode  ] file and
    451 #   enter "#" infront of the Countries to Whitelist.
    452 # - Re-Run the script [ ./pfiprep ]
    453 #
    454 # - To remove Country Blocking Completely, re-comment [  #countrycode ]
    455 #   and run from the shell  [ ./pfiprep killdb ] or [ ./pfiprep killdb dskip ]
    456 # ================================================================
    457
    458 # Maxmind GeoIP Country Code - Blocklist Download
    459 #
    460 # This will only download on the first Tuesday of Each Month
    461 # Any changes to the [  Countrycode  ] text file will be done at that time.
    462 # When the CSV Database is downloaded it will create a [ cccsv.lock ] file
    463 # in the $userfolder path to avoid downloading multiple times. If you
    464 # want to bypass, delete the [ cccsv.lock ] file.
    465
    466 header=CountryBlock
    467 group=tier10
    468 addr=https://geolite.maxmind.com/download/geoip/database/
    469 infile=GeoIPCountryCSV.zip
    470
    471 #countrycode
    472 # ================================================================

( I cleaned up the Text instructions in my Github Gist. So it may not match your existing Script. )

Steps:

1. Remove "#" from line 471 ( countrycode ) , and save/exit the script.
2. From the "Shell" run  [  [b]./pfiprep killdb  ]
3. This should download the Maxmind Country Code .zip file and automatically extract the .csv country Code Database.
4. It will create a file called "countrycode" which is a list of all the countries.
5. On First Install, the script will exit and ask you to edit the "countrycode" file.
6. Put a "#" infront of the countries to whitelist.
7. Save/Exit "countrycode" file.
   8.) Re-run the script  [ [b]./pfiprep ]

Keep in mind about how the script functions:

1. Block the IPs from the Countries you have Selected (If you enabled Country Blocking Feature)

2. Each additional Blocklist that gets downloaded, the script will check for duplication against all previously downloaded Lists (Including the Country Blocklists) so that you don't add the same Blocked IPs or Ranges that are already on the Masterfile List.

3. Other functionality of the script is "IP Reputation" which looks to see how many Malicious IPs are found in a /24 Range. If the script finds over the "max" variable setting, it will block those particular ranges and remove the individual IPs from each Blocklist. The first Blocklist that contains the "Repeat Offending Range" will get the "x.x.x.0/24" block, while all of the other list have these repeat offenders are removed as the first list is blocking the whole range.

4. If you decide to remove a "Blocklist", it is recommended to refresh the database as you can see from above that all of the Blocklists are essentially tied together to remove duplication and process "IP Reputation".

Refreshing the database can be achieved in two ways:

[ [b]./pfiprep killdb ]  This will delete the database and re-download all Blocklists.

or

[ [b]./pfiprep killdb dskip ] Which will kill the database and re-use the existing Download Blocklist Files.

The script will automatically download the Maxmind Country Code Database on the First Tuesday of Each Month. As each Blocklist gets downloaded, it will resync against the updated Country Blocklists as per the schedule settings for each Blocklist. I never considered to perform a [ [b]./pfiprep killdb dskip ] each month, but I think this might be something that I should add to the next version of the script.

At any time, you can edit the "countrycode" file and it will automatically re-configure the Country Blocking at the next scheduled CRON job. (But if you do make changes, I recommend resyncing the database.)

I also added a few additional Blocklists ( from the gist hit the "revision icon" to see the changes)

I hope this is clear. Let me know if you need any more help.

Thanks BB, you know you are one of my heros on this board, I just hit you with my karma stick again  ;D

I will try it, and report back here.

_PS About me learning grep: yes, you are completely right. But: time  :-[ Currently I am dividing time between my own job, WIFE complaining ( ;D ), and helping out the poor who are being quite abused by the system in this 'highly developed society we seem to be living in'. Which translates in barely educated, low salary workers, who don't understand all the mumbo-jumbo crap in official letters, being fined hundreds of euros because they underpaid taxes by 2 euros. It seems I can read at least some of these 'government officials' bullshit letters, and as I can't stand injustice, I'm the one writing the legal letters on behalf of my quite illerate co-citizens, which, unfortunately, takes a lot of time.[/i]

I'm now thinking if I am brave enough to execute:

true `yes no`

;D

(This seems to be a dangerous command)._

Mr. Jingles

I am running into a problem, BB  :-\

1. Remove "#" from line 471 ( countrycode ) , and save/exit the script.
2. From the "Shell" run  [  [b]./pfiprep killdb  ]
3. This should download the Maxmind Country Code .zip file and automatically extract the .csv country Code Database.
4. It will create a file called "countrycode" which is a list of all the countries.
5. On First Install, the script will exit and ask you to edit the "countrycode" file.
6. Put a "#" infront of the countries to whitelist.

The file is created, but nothing is in it (zero bytes). The script issued this:

  [2.1.4-RELEASE][root@112]/home/badips(9): ./pfiprep killdb

**** UPDATE PROCESS START -  Sat Jul 26 17:13:39 CEST 2014  ****

 Deleting pfIP Rep Databases.

Databases have been Deleted!

find: /home/badips/countrycodes: No such file or directory
rm: /home/badips/cc_csv.lock: No such file or directory
find: /home/badips/GeoIPCountryWhois.csv: No such file or directory
rm: /home/badips/cc_csv.lock: No such file or directory
looking up geolite.maxmind.com
connecting to geolite.maxmind.com:443
SSL connection established using RC4-SHA
Certificate subject: /serialNumber=dfgdighiofgiodfiogdiofgdjkfq4Js/C=US/O=*.maxmind.com/OU=GT53364002/OU=See www.rap112sl.com/resources/cps (c)11/OU=Domain Control Validated - Rap112SL(R)/CN=*.maxmind.com
Certificate issuer: /C=US/O=GeoTrust, Inc./CN=Rap112SL CA
requesting https://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip
remote size / mtime: 1444832 / 1404267648

/home/badips/GeoIPCountryCSV.zip              100% of 1410 kB  164 kBps

unzip:  cannot find or open /home/badipsGeoIPCountryCSV.zip, /home/badipsGeoIPCountryCSV.zip.zip or /home/badipsGeoIPCountryCSV.zip.ZIP. 

cut: /home/badips/GeoIPCountryWhois.csv: No such file or directory

Please edit [ /home/badips/countrycodes ] and comment # the countries to  SAFELIST  before proceeding with CC Blocking

[2.1.4-RELEASE][root@112]/home/badips(10):

(I scrambled that serial number there since I don't know if it should be pasted here).

What should I do?

Thank you  ;D

BBcan177

Hi Hollander, Looks like I missed a "/",

In pfiprepman, Line 416

**    $pathunzip -o $userfolder$infile**

change it to:

$pathunzip -o $userfolder/$infile

Sorry about that.

kenshirothefist

@kenshirothefist:

First of all, pfBlocker is a great package, cheers to the authors! However, it would be very useful (some users already highlighted this) to have more options for "Update frequency". Specifically I would like to see one very short and one longer frequency, like "Every 10 Minutes" and "Once a week". Could you add this?

And just out of curiosity, how is this updating handled, I don't see any crontab entry for pfBlocker?

Any comments on this?

Also, I would like to ask you if there is any way to manually update the list? Thanks!

BBcan177

@kenshirothefist:

@kenshirothefist:

First of all, pfBlocker is a great package, cheers to the authors! However, it would be very useful (some users already highlighted this) to have more options for "Update frequency". Specifically I would like to see one very short and one longer frequency, like "Every 10 Minutes" and "Once a week". Could you add this?

And just out of curiosity, how is this updating handled, I don't see any crontab entry for pfBlocker?

Any comments on this?

Also, I would like to ask you if there is any way to manually update the list? Thanks!

When you enable pfBlocker, it creates a cron entry

0 * * * * root /usr/local/bin/php /usr/local/www/pfblocker.php cron

The way pfBlocker works is it looks to see if there is an existing file in the:

/usr/local/pkg/pfblocker (folder) for the Blocklist. If its there, it will reload the existing file. If its not there, it will download the file from the URL you entered for the Blocklist. When the CRON job runs, if the list is scheduled to be updated, that file is deleted so that it will download a new file.

So the only way to do that is to manually delete the Blocklist file in that folder. Unfortunately, the file is named after the MD5 hash of the URL making it a little difficult to see which file belongs to which Blocklist.

You could try running this command from the shell to determine what the md5 Hash is and than seeing if a file exists with that hash.txt and delete it. Than you can click "Save" in pfBlocker which should re-download the new file.

md5 -s 'http://www.spamhaus.org/drop/drop.txt'

MD5 ("http://www.spamhaus.org/drop/drop.txt") = d2278c81b67d798693429e4feb04a83a

http://www.freebsd.org/cgi/man.cgi?query=md5&sektion=1

LinuxTracker

@BBcan177:

The Country Database in pfBlocker hasn't been updated for over 2 years now. The data is obsolete.

I've been recently looking at this and found we have 2 issues.
One is the out of date IP ranges, which you know about.
The other is a few ISO country codes probably need to be updated.

@BBcan177:

I know they are working on a new service (most likely for paid members) that will provide updates for the Country Lists.

I guess it's been a couple of years since CountryIPBlocks went to pay-for-play.

Back then, marcelloc and I both reached out to the CIPB guy and tried to work out a compromise that would allow pfBlocker to keep updating from CIPB.

CIPB's compromise was that each pfBlocker user would pay CIPB for it's repackaged public data.
That didn't seem like much of a compromise so here we are.

Anyhoo:
I've  found a source of current country IP data yesterday and wrote a short Bash script to push it into pfBlocker.
It looks good but while cross-checking the data I found pfBlocker has a couple of outdated country (ISO 3166-1 alpha-2) codes.

Also - I still want to find+vet a couple more data sources.
I'll post what I come up with and we'll see what everyone thinks.

Thanks

BBcan177

@LinuxTracker:

I've  found a source of current country IP data yesterday and wrote a short Bash script to push it into pfBlocker.
It looks good but while cross-checking the data I found pfBlocker has a couple of outdated country (ISO 3166-1 alpha-2) codes.

Also - I still want to find+vet a couple more data sources.
I'll post what I come up with and we'll see what everyone thinks.

Did you take a look at the Maxmind GeoIP Country List. ~98% accurate.

I have also release a script to utilize country Blocking:
https://forum.pfsense.org/index.php?topic=78062.15

Would be interested to see what you have come up with.

Maybe you can PM me a copy? Would also be interested in helping getting it off the ground.

LinuxTracker

@BBcan177:

Did you take a look at the Maxmind GeoIP Country List. ~98% accurate.

That was the site that had a .CSV file of IPs in ranges, right?
I think I saw somewhere in the thread that pfBlocker will work with ranges - something I didn't know.

However, I prefer working w/ CIDR (I'd explain why if anyone cares) and am looking at CIDR sources right now.

I'll give another look at Maxmind GeoIP if my 'Plan A' doesn't work out.

BBcan177

@LinuxTracker:

@BBcan177:

Did you take a look at the Maxmind GeoIP Country List. ~98% accurate.

That was the site that had a .CSV file of IPs in ranges, right?
I think I saw somewhere in the thread that pfBlocker will work with ranges - something I didn't know.

However, I prefer working w/ CIDR (I'd explain why if anyone cares) and am looking at CIDR sources right now.

I'll give another look at Maxmind GeoIP if my 'Plan A' doesn't work out.

Here is a sample.

Its all in one file, and its not too hard to convert to CIDR and break it down in the XX Country Codes with some grep and awk commands.

"223.255.128.0","223.255.191.255","3758063616","3758079999","HK","Hong Kong"
"223.255.192.0","223.255.223.255","3758080000","3758088191","KR","Korea, Republic of"
"223.255.224.0","223.255.231.255","3758088192","3758090239","ID","Indonesia"
"223.255.232.0","223.255.235.255","3758090240","3758091263","AU","Australia"
"223.255.236.0","223.255.239.255","3758091264","3758092287","CN","China"
"223.255.240.0","223.255.243.255","3758092288","3758093311","HK","Hong Kong"
"223.255.244.0","223.255.247.255","3758093312","3758094335","IN","India"
"223.255.252.0","223.255.253.255","3758095360","3758095871","CN","China"
"223.255.254.0","223.255.254.255","3758095872","3758096127","SG","Singapore"
"223.255.255.0","223.255.255.255","3758096128","3758096383","AU","Australia"

LinuxTracker

@BBcan177:

@LinuxTracker:

That was the site that had a .CSV file of IPs in ranges, right?

Here is a sample.
Its all in one file, and its not too hard to convert to CIDR and break it down in the XX Country Codes with some grep and awk commands.
"223.255.128.0","223.255.191.255","3758063616","3758079999","HK","Hong Kong"
"223.255.192.0","223.255.223.255","3758080000","3758088191","KR","Korea, Republic of"
"223.255.224.0","223.255.231.255","3758088192","3758090239","ID","Indonesia"
"223.255.232.0","223.255.235.255","3758090240","3758091263","AU","Australia"
"223.255.236.0","223.255.239.255","3758091264","3758092287","CN","China"

Your data source seems more trustworthy than what I've found.

I'll PM you the script to d/l+extract the country IPs into .txt files as soon as I puzzle it out.

kevin067

Hi, does anybody know what triggers the reset of the pfBlocker's dashboard packet count? It would be much more useful if it only cleared when I clear the counter. Right now it just seems to clear the packet count randomly.

Thanks,
Kevin

Cino

anything that reloads your rules/filter will do it.  look for check_reload_status: Syncing firewall in your system log

marcelloc

HI, for those who want to test an updated country list from a new source before I try to update it on package install, follow these steps on console

cd /usr/local/pkg
/usr/bin/fetch http://e-sac.siteseguro.ws/pfsense/pfblocker/Africa_cidr.txt
/usr/bin/fetch http://e-sac.siteseguro.ws/pfsense/pfblocker/Asia_cidr.txt
/usr/bin/fetch http://e-sac.siteseguro.ws/pfsense/pfblocker/Europe_cidr.txt
/usr/bin/fetch http://e-sac.siteseguro.ws/pfsense/pfblocker/North_America_cidr.txt
/usr/bin/fetch http://e-sac.siteseguro.ws/pfsense/pfblocker/Oceania_cidr.txt
/usr/bin/fetch http://e-sac.siteseguro.ws/pfsense/pfblocker/South_America_cidr.txt
php /usr/local/www/pfblocker.php uc

After this, access pfblocker gui and save config again.

You can check applied networks/cidrs on diagnostics -> tables

BBcan177

@marcelloc:

HI, for those who want to test an updated country list from a new source before I try to update it on package install, follow these steps on console

Hi Marcello,

This updates correctly. What is the source of the Country code files if you don't mind sharing?

Thanks.

tommyboy180

I was just going through some notes on pfblocker. This brought back some memories. I thought I would share with you guys since it's apart of the pfblocker past.

ipblocklist
HOLD - cidr
dashboard HUD
Remove IPFW Flush
Complete - ensure /usr/local/pkg/pf/ .sh is removed
Complete - whitelists on reboot
Complete - logging doesn't stay enabled when you click save/update
Complete - remove unique -u to just unique
Complete - remove warning from GUI
Complete - add lvl1 by default
Complete - change description to use the phrase peerblock
Complete - remove "ipfw -f flush" commands from php and uninstall process.
Complete - setenv PACKAGESITE "ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8-stable/Latest/" before pkg_add -r "package"
Complete - pkg_add -r p5-NET-CIDR p5-Net-CIDR-0.14 CURRENT
Complete - pkg_add -r perl    perl-5.10.1_1    TO  perl-5.12.4_2
Complete - don't uninstall perl and p5-cidr-net at uninstall

countryblock
Complete - ensure /usr/local/pkg/pf/ .sh is removed
Complete - update CIDR.php file
Complete - Remove Email
Remove IPFW Flush

strikeback
auto start
auto settings (root user)

ideas:
hybrid ipblockist and countryblock. Tab seperate the roles.  one package - one stop shop. Name: Layer3 Shield or Layer3 Filter or Security
iplocklist and countryblock redirection on outbound if going to blocked ip's!!!

This note is dated 2010!

BBcan177

@tommyboy180:

I was just going through some notes on pfblocker. This brought back some memories. I thought I would share with you guys since it's apart of the pfblocker past.

This note is dated 2010!

If you guys are interested I have a working BETA for pfBlocker that incorporates features that lots of us would like to see in a new release of pfBlocker.  :)

stephenw10

Can't imagine anyone would be intested in that.  ;)
Oh wait….