OPNsense Forum

English Forums => General Discussion => Topic started by: lar.hed on March 22, 2024, 09:34:58 am

Title: Excluding an IP range from a Alias....
Post by: lar.hed on March 22, 2024, 09:34:58 am
Howdy,

So I am using an Alias for "Country Block" (GeoIP). Now for some reason I seem to open up an IP range that I seem to nowadays need. Now anyone using country blocking IP ranges knows it might fail at some time. In this case this country is blocked since ages in my firewall, I never had to open up things like this. So I am a newbie on this, and well how do I do this?

In Alias documentation it says to add an ! to exclude from an Alias list. So:
Code:
!xxx.yyy.zzz.www/24
Let's say I have an "URL Table (IPs)" so I enter the name of the table in the "Content" box, say something like this:

Code:
https://raw.git.com/larhedse/list.txt
And it will read in the lot, say 1000 rows.

So now I need to do an exclusion, if I add a 2nd row to the above:

Code:
https://raw.git.com/larhedse/list.txt
!xxx.yyy.zzz.www/24

And now I will have zero rows in that table - exclusion yes, but on ALL rows. So what do I do wrong?
Title: Re: Excluding an IP range from a Alias....
Post by: cookiemonster on March 22, 2024, 09:55:35 am
The docs say the ! to exclude is only available with the "Hosts" type of alias.
In your case you are using the type "URL Table (IPs)". I think this is why it behaves unexpectedly.
How to do it? Not sure in your case unless I started playing BUT if you are using GeoBlock, why are you not using the recommended way, with type GeoIP and exclude/include the country as per the same documentation? Does require to use maxmind though.
Title: Re: Excluding an IP range from a Alias....
Post by: meyergru on March 22, 2024, 10:29:27 am
If you think about it, what you want is some kind of set subtraction, which is not an easy task if the first set can itself be constructed by a list of expressions. Imagine IPv6 ranges to get a clearer picture.

There are two ways of doing this:

a. If you can control the list yourself, exclude the ranges you do not want in it yourself (Maxminds GeoIP list with selectable country ranges is a good example). This is not set subtraction, but set addition, which is much easier.

b. What you probably really want to do is something to the extent of "whitelisting" something before you add generalized block rules. In this case, you can use a separate rule with the whitelisted set which triggers before the block list.
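The "set subtraction" meyergru describes can be done offline when you control the list yourself (his option a): compute the block list minus the exclusions once, and publish the resulting plain CIDR list as the URL table. The script below is an added example, not code from the thread or from OPNsense; it assumes the one-network-per-line file format shown in the thread with a "!" prefix marking an exclusion (which OPNsense itself only honours for the Hosts alias type), uses Python's standard ipaddress module, and runs on a constructed sample list. It goes slightly beyond the thread's case by handling IPv6 ranges as well, since that is where the splitting gets unwieldy by hand.

```python
import ipaddress
from typing import List, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample alias content (not the poster's real list): one network
# per line, '!' marks a range to exclude. 81.224.0.0/12 and the /32 inside it
# mirror the ranges discussed in the thread; the rest are documentation prefixes.
SAMPLE_LIST = """\
81.224.0.0/12
203.0.113.0/24
2001:db8::/32
!81.228.3.233
!2001:db8:1::/48
"""


def parse_alias_lines(text: str) -> Tuple[List[Net], List[Net]]:
    """Split alias content into (includes, excludes).

    Lines starting with '!' are exclusions; blank lines and '#' comments are
    skipped. A bare host address becomes a /32 (IPv4) or /128 (IPv6) network.
    """
    includes: List[Net] = []
    excludes: List[Net] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        target = excludes if line.startswith("!") else includes
        target.append(ipaddress.ip_network(line.lstrip("!"), strict=False))
    return includes, excludes


def _collapse(nets: List[Net]) -> List[Net]:
    """Merge adjacent/overlapping networks, per address family.

    ipaddress.collapse_addresses() refuses mixed IPv4/IPv6 input, so the
    families are collapsed separately and concatenated.
    """
    by_version = {4: [], 6: []}
    for n in nets:
        by_version[n.version].append(n)
    out: List[Net] = []
    for version in (4, 6):
        out.extend(ipaddress.collapse_addresses(by_version[version]))
    return out


def subtract_networks(includes: List[Net], excludes: List[Net]) -> List[Net]:
    """Return includes minus excludes as a list of CIDR networks.

    Every overlap is split into the largest CIDR blocks that do not touch the
    excluded range, so a /12 minus one /32 becomes 20 networks (/13 .. /32).
    CIDR blocks either nest or are disjoint, so three cases suffice.
    """
    remaining = _collapse(includes)
    for ex in _collapse(excludes):
        next_round: List[Net] = []
        for net in remaining:
            if net.version != ex.version or not net.overlaps(ex):
                next_round.append(net)          # disjoint: keep as-is
            elif ex.supernet_of(net):
                continue                        # fully excluded: drop it
            else:
                next_round.extend(net.address_exclude(ex))  # carve it out
        remaining = next_round
    return _collapse(remaining)


def covers(nets: List[Net], address: str) -> bool:
    """True if any network in nets contains the given address."""
    ip = ipaddress.ip_address(address)
    return any(ip in n for n in nets)


def render_alias(nets: List[Net]) -> str:
    """One CIDR per line, the plain 'set addition' list a URL table can load."""
    return "\n".join(str(n) for n in nets) + "\n"


if __name__ == "__main__":
    inc, exc = parse_alias_lines(SAMPLE_LIST)
    result = subtract_networks(inc, exc)
    print(render_alias(result))
```

The output of render_alias() is what you would host at the URL the alias fetches: no "!" lines at all, just the ranges that should actually be blocked. Note that the number of resulting networks grows with the prefix-length gap (one network per bit), which is why this is better generated than typed by hand.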
Title: Re: Excluding an IP range from a Alias....
Post by: lar.hed on March 22, 2024, 10:34:19 am
Sorry my mistake, and the confusion that follows...

Yes I do use the built in GeoBlock for Country Blocking. However I thought I do a test for exclusion, and since the documentation, under nesting gives an example on ip range exclusion:
https://docs.opnsense.org/manual/aliases.html#nesting

Here one example says that one can exclude IP range or just IP address (host) by using !.

So there is about where I started, and then I created rather private test file on github to filter a bunch of ranges I don't need (I thought) so here is that one:
Code:
https://raw.githubusercontent.com/larhedse/hostnamelistan/master/Blocklistan.txt
Now row 7 in the above file includes the "81.224.0.0/12" range - it is a pretty large one right...

So that breaks one thing for me, I need to access IP address "81.228.3.233"

So I thought in this scenario that I just exclude that according to the nested (yes I know, it shows nested in there - but do I really need to nest Alias to achieve this?), so the result was:
Code:
https://raw.githubusercontent.com/larhedse/hostnamelistan/master/Blocklistan.txt
!81.228.3.233
This does not work.

So I changed to IP range:
Code:
https://raw.githubusercontent.com/larhedse/hostnamelistan/master/Blocklistan.txt
!81.228.3.0/24

Still does not work. Oh and by the way, the only way for me to test this is to duplicate the Alias - just changing it will NOT work, that updates the definition in the content field, but the Alias is not reloaded so to speak. So the last one above results in zero rows.

So I guess what I am trying to figure out now, is if the documentation that mentions exclude of IP(/-address) - how does that work, since the documentation under "Nested" suggests it should work? somehow? or what is it that I am missing?

Title: Re: Excluding an IP range from a Alias....
Post by: lar.hed on March 22, 2024, 10:36:41 am
If you think about it, what you want is some kind of set subtraction, which is not an easy task if the first set can itself be constructed by a list of expressions. Imagine IPv6 ranges to get a clearer picture.

There are two ways of doing this:

a. If you can control the list yourself, exclude the ranges you do not want in it yourself (Maxminds GeoIP list with selectable country ranges is a good example). This is not set subtraction, but set addition, which is much easier.

b. What you probably really want to do is something to the extent of "whitelisting" something before you add generalized block rules. In this case, you can use a separate rule with the whitelisted set which triggers before the block list.

Yes of course - Large thanks, why did I not add a rule before to take care of this? Stubborn I guess, by reading the documentation and missing such an easy solution! And yes I understand how you mean with resolving part of a range and that - it is nearly impossible to get that right. I should have used my mind a bit more.....