PfBlockerNG US_v4 custom list shows 2.0.0.0/9



  • Hi, I have a strange problem with building a custom list.
    I created a custom list with /usr/pbi/pfblockerng-amd64/share/GeoIP/US_v4.txt
    Using it in a NAT rule, I noticed that the rule allows connections from my Greek IP while it should allow only from the US.
    Using "mouse over", the list shows that it includes block 2.0.0.0/9 in the US list, but this is not shown in US_v4.txt
    Where does this IP block come from????
    I did the same tests on a totally different pfSense installation with the same result


    ![1 alias native.png](/public/imported_attachments/1/1 alias native.png)


    ![4 force update.png](/public/imported_attachments/1/4 force update.png)
    ![5 force reload.png](/public/imported_attachments/1/5 force reload.png)
    ![6 force reload.png](/public/imported_attachments/1/6 force reload.png)
    ![7 NAT.png](/public/imported_attachments/1/7 NAT.png)
    ![8 us_v4txt.png](/public/imported_attachments/1/8 us_v4txt.png)
    ![9 us_v4.png](/public/imported_attachments/1/9 us_v4.png)
    ![10 UStest_v4.png](/public/imported_attachments/1/10 UStest_v4.png)
    ![11 UStest_v4.png](/public/imported_attachments/1/11 UStest_v4.png)



  • My guess is that you are loading all those other countries unnecessarily, so when dupe checking is done, it gets the range from one of the other lists. Just a guess.

    We currently block everything but the US, Canada, and Australia and do it a bit different than you are doing it:

    Here is how we are doing it:
    In the PFSENSE, IPV4, we set up the Allowed_Countries list as an ALIAS MATCH. It consists of the US, CA, AU lists.
    (in fact we configured all our lists like SpamHausEdrop to all be alias match so we could change the order in the firewall rules)
    PFSense then creates the alias for you.

    Then in the firewall rules, we created a rule for each WAN (since we only wanted to limit the INBOUND connections to the US), that was as follows:
    Action: Block
    Interface: The WAN interface (we have 2 so we did rules for each)
    Source: (this is KEY) Check the NOT Box, Single host or alias, then the PFB alias, which for us was pfB_Allowed_Countries

    Once the rule is created, we move it to the top, right under the RFC 1918 and the Reserved / not assigned by IANA rules.
    You can do the same for other rules needed.

    By doing this, it is rejecting any unsolicited connections from the whole world except the US.

    You can remove the other country lists at this point since they are no longer needed :D

    Also make sure to DISABLE the other country lists in the tabs :P

    You can do the same thing if you need outbound rules…

    Probably not the way some do it, but works for us (THANKS doktornotor)

    Screen shots:
    (Ignore the PFB_PS_V4 rule, not needed and was removed :P )






  • I don't understand what I am doing differently than you do.
    I don't load many countries, just 3. What if my customers travel all over Europe? And I am using this to allow connections only from that list.
    I don't use "deny from", but allow connections only from that list.
    My scope is to allow only Greek connections. I created a second list with the US IP block list just for testing; it is supposed to allow connections only from the US. But I noticed that I got connections from Greece and I could not understand why. Then I noticed that range 2.0.0.0/9 that DOES NOT BELONG to US or Greece IP blocks. It comes out of nowhere.
    As I said, the problem was recreated on a totally different system with the same results.
    Changing the tested US block to another random country does not bring 2.0.0.0/9. So this is related to the US country block.
    For me it is not a problem yet since I won't use it anyway; I will allow connections only from Greece, but I am thinking that this is not normal for our safety. What if this happens with other lists too? We load a country list but will allow or deny other IPs too?
    Can you try to recreate my problem on your system? Just keep the mouse over the list and that range will show up!



  • Odd. I see it now too. Checked the Alias list (var/db/aliastables/pfB_Allowed_Countries) and it's not in there, nor is it in the US GEOIP file…

    Some kind of bug????

    Wonder if it is fixed in PFBlocker 2.0????



  • Good news!!!!
    I noticed that there is a new version, 2.0 and I upgraded.
    The new countries path is /usr/pbi/pfblockerng-amd64/share/GeoIP/cc/US_v4.txt
    The new file does not have the first 2 lines of the old US_v4.txt that look like v6, and the problem disappeared!!!



  • lol Confirmed, and thanks for the Heads up on the path change :)
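
The two manual checks done in this thread (looking for lines in the IPv4 list that are not IPv4, and comparing what the firewall actually loaded against the source file) can be scripted. This is an added example, not code from pfBlockerNG or from any poster; the function names and the sample data are constructed, and on a real system the inputs would be the list file and the alias table contents named in the thread.

```python
import ipaddress

def parse_v4_list(lines):
    """Split list lines into valid IPv4 networks and rejected (lineno, text) pairs."""
    networks, rejected = [], []
    for lineno, raw in enumerate(lines, start=1):
        text = raw.strip()
        if not text or text.startswith("#"):
            continue  # assumption: blank lines and '#' comments can be ignored
        try:
            # strict=True also rejects CIDRs that have host bits set
            networks.append(ipaddress.IPv4Network(text, strict=True))
        except ValueError:
            # IPv6-looking or otherwise malformed line in an IPv4-only list
            rejected.append((lineno, text))
    return networks, rejected

def unexplained_entries(loaded, source_networks):
    """Return loaded table entries that no network in the source list covers."""
    unexplained = []
    for entry in loaded:
        try:
            net = ipaddress.IPv4Network(entry.strip(), strict=False)
        except ValueError:
            unexplained.append(entry)
            continue
        if not any(net.subnet_of(src) for src in source_networks):
            unexplained.append(entry)
    return unexplained

# Constructed sample: an IPv4 list whose first two lines look like IPv6,
# and a loaded table containing the 2.0.0.0/9 block reported in the thread.
SOURCE = [
    "2001:db8::/32",
    "2001:db8:100::/40",
    "192.0.2.0/24",
    "198.51.100.0/24",
]
LOADED = ["2.0.0.0/9", "192.0.2.0/24", "198.51.100.128/25"]

if __name__ == "__main__":
    nets, bad = parse_v4_list(SOURCE)
    for lineno, text in bad:
        print(f"line {lineno}: not an IPv4 CIDR: {text}")
    for entry in unexplained_entries(LOADED, nets):
        print(f"loaded but not in source list: {entry}")
```

Any output from either check means the alias should not be trusted in an allow rule until the list is fixed or regenerated.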

