GeoIP Blocks All Traffic Instead of Per-Country Traffic

[rajl]

This is one of those "I followed the documentation, why doesn't it work" questions.

My problem is that when I enable per-country rules for GeoIP blocking, OPNSense blocks all internet traffic instead of just traffic to the prohibited country.  As a test, I created a rule that blocked all outbound traffic to Russia.  I enabled the rule, I enabled Intrusion Detection, and I enabled IPS mode (all per documentation).  I also double-checked to make sure the rule is on the WAN interface only.  With this rule enabled, the expected behavior is that traffic to Russia is blocked, but traffic anywhere else is permitted.  For example, I should be blocked from accessing www.yandex.ru, but allowed to view www.cnn.com or news.bbc.co.uk.  Instead, all outbound traffic is blocked with this single GeoIP rule enabled.

What am I doing wrong?

Thanks.

[mimugmail]

Do you try with IPS or Alias?

[rajl]

I tried with IPS following the steps straight from the documentation.

[mimugmail]

Doc is a bit outdated, try with Geo IP alias in Firewall aliases

[rajl]

Thanks.

Unfortunately, my country (United States) is missing.  Every other country in the Americas is listed, including the U.S. Virgin Islands.  However, the U.S. itself is missing from the list of countries in the Americas.

[mimugmail]

Pacific - United States .. at the bottom

[franco]

Those fancy countries with their spanning multiple regions...

https://github.com/opnsense/core/commit/7ebd5fcd


Cheers,
Franco

[rajl]

Those fancy countries with their spanning multiple regions...

https://github.com/opnsense/core/commit/7ebd5fcd


Cheers,
Franco

Yeah, when you don’t follow the ISO assignment for countries to continents, you get some dumb questions like mine. . You also end up with Russia in Asia and Turkey in Europe (to name a few other odd balls I saw).

EDIT: Correct iPhone Typos

[franco]

We cannot precisely follow ISO 3166 because the most prevalent provider of the codes which is tzdata does not include the Continent Code:

https://github.com/opnsense/core/blob/master/contrib/tzdata/iso3166.tab

So we extrapolate from the zone mapping...

https://github.com/opnsense/core/blob/master/contrib/tzdata/zone.tab

... and that is ambiguous because it maps time zones, not countries.


Cheers,
Franco

[dcol]

I do a two tier approach. Weeding out the top 10 worst spam countries with IPS, then the rest with GeoIP.
That way IPS can drop the highest traffic offenders before my firewall has to deal with it.

[marjohn56]

I use Spam Hero to handle all my inbound, takes the strain off my system, all the mx records point to them and they are not expensive. I use Geo Blocker for almost all countries except the ones I travel to most or need to have open. I've just found a quite useful list I've added as an alias, which is working well. it's in a straight text format so dead easy to import.

http://bl.plonkatronix.com/plonkatronixRBL.txt

Certainly stopped the 'plonker' who kept trying to get into my server.

[rajl]

We cannot precisely follow ISO 3166 because the most prevalent provider of the codes which is tzdata does not include the Continent Code:

https://github.com/opnsense/core/blob/master/contrib/tzdata/iso3166.tab

So we extrapolate from the zone mapping...

https://github.com/opnsense/core/blob/master/contrib/tzdata/zone.tab

... and that is ambiguous because it maps time zones, not countries.


Cheers,
Franco

  Leave it to ISO to create a standard that no one can follow.

Appreciate the technical explanation.  It makes sense.