Hi everyone,
I've just upgraded my firewall to 20.7, and I'm experiencing a change in the GeoIP functionality.
I have a GeoIP-alias with 4 countries: BE-FR-DE-UK
I have a wan rule, just after the "automatically generated rules":
- source: GeoIP alias ; port: *, proto: IPv4 TCP/UDP
- destination: this firewall
Before the upgrade, this rule was working as expected.
Since the upgrade, the rule seems not to be applied, packets are dropped by the default deny rule.
Here is a test, from an ip in 37.164.0.0/14:
- with source = GeoIP alias, packets dropped by the default deny rule
WAN Aug 3 15:09:58 37.164.x.y:z 8.x.y.z:w tcp Default deny rule
WAN Aug 3 15:09:58 37.164.x.y:z 8.x.y.z:w tcp Default deny rule
WAN Aug 3 15:09:54 37.164.x.y:z 8.x.y.z:w tcp Default deny rule
- changing the source from the GeoIP alias to the public IP of the device, packets allowed by the rule
WAN Aug 3 15:11:26 37.164.x.y:z 8.x.y.z:w tcp WAN_GeoIP_In
WAN Aug 3 15:11:26 37.164.x.y:z 8.x.y.z:w tcp WAN_GeoIP_In
WAN Aug 3 15:11:25 37.164.x.y:z 8.x.y.z:w tcp WAN_GeoIP_In
I had a look in the GeoIP alias settings:
- last update: 2020-07-28T16:43:02
- Total number of ranges: 402405
Just to be sure, I had a look in /usr/local/share/GeoIP/alias; in FR-IPv4, the range of the device is present:
37.164.0.0/14
Edit: I went into pfTables, and the alias is not populated.
BTW, the corresponding file in /var/db/aliastables is populated...
Is this normal?
Any advice ?
Thanks,
Goldorak92
My geo IP rules aren't working either. Not sure why, looks like the download has worked but hasn't downloaded a new one since the 28th. Not sure how it knows to download, maybe only when there are deltas? I've had to remove my geo filtering to get things up and running again.
Hi @FullyBorked,
The date of the last "update" relates to the last date of the files on Maxmind's website, which is the 28th for the GeoLite2 Country file: "Updated: 2020-07-28"
To see the update / integration, you can go to "System / Logs / General" and apply the filter "Geo":
2020-08-03T17:27:25 /update_tables.py[76199]: geoip updated (files: 499 lines: 402405)
Last integration today for me, but still not working... :'(
Goldorak92
Quote from: Goldorak92 on August 03, 2020, 06:18:42 PM
Hi @FullyBorked,
The date of the last "update" relates to the last date of the files on Maxmind's website, which is the 28th for the GeoLite2 Country file: "Updated: 2020-07-28"
To see the update / integration, you can go to "System / Logs / General" and apply the filter "Geo":
2020-08-03T17:27:25 /update_tables.py[76199]: geoip updated (files: 499 lines: 402405)
Last integration today for me, but still not working... :'(
Goldorak92
Ah, thanks for the update clarification, I had no clue lol. But that doesn't explain why mine isn't working either; my guess is it's just another 20.7 bug that will need squashing.
Hi,
I did a new test: went into pfTables, listed the entries for the GeoIP alias = empty.
Added the range of my public IP via "Quick add address"; the GeoIP alias got one entry
and the rule is evaluated and packets pass...
Ok, got it.... next...
Then went into the alias, added a new country, saved and applied.
Back in pfTables and..... the alias is fully populated (with all the countries' ranges).
The first rule (with the GeoIP alias) is now fully evaluated.
Edit:
It seems there was a problem with writing the alias file before I forced it via pfTables.
Just tried to add more countries and.... it breaks the alias (no longer populated).
I tested adding country by country, and the number of entries grew to 19048 and no more, even when adding more countries.
I'm going to test this more.
If it can help someone :)
Cheers,
Goldorak92
I have exactly the same problem: when the GeoIP alias is there it breaks the rules and it drops everything.
Quote from: Goldorak92 on August 04, 2020, 01:30:45 PM
I did a new test: went into pfTables, listed the entries for the GeoIP alias = empty.
How do you list these entries in the alias? Can you provide file location and syntax?
@FullyBorked,
You just have to go to the menu "Firewall => Diagnostics => pfTables" and select your alias in the drop-down menu to see if the alias is populated.
Goldorak92
Quote from: Goldorak92 on August 04, 2020, 07:04:18 PM
@FullyBorked,
You just have to go to the menu "Firewall => Diagnostics => pfTables" and select your alias in the drop-down menu to see if the alias is populated.
Goldorak92
Oh I see, I've learned a lot in this thread lol.
Looks like my aliases are empty as well. Going to see if I can get them working using your method.
I can't get my lists to fill, no matter what I do. I tried following your method. It removes the quick-added IP when I try to build the alias. I don't really understand what's happening here.
@FullyBorked
I had to add an IP in the pfTables menu, then go back to the alias, empty the selection and save, go back into the alias, add one country, save, go back to pfTables to verify,... and so on to add 2 to 4 countries....
Goldorak92
Hi,
I went a little further....
Looking at the files corresponding to my GeoIP alias in /var/db/aliastables:
:/var/db/aliastables # nl GeoIPWanAllow.txt
...
...
59858 99.78.160.0/21
59859 99.78.168.0/23
59860 99.82.161.0/24
59861 99.82.163.0/24
59862 99.82.169.0/24
When I go to "Firewall => Diagnostics => pfTables" for the same alias, it shows "only" 19048 entries...
When adding up the lines of the files in "/usr/local/share/GeoIP/alias/" for the countries checked in my alias definition, the result is 59862....
When I use the "Find references" button in pfTables, if I search for an IP in the first 19048 entries, the process finds the entry. If I search for an entry between 19048 and the end of the alias file, the process doesn't find the entry.
It seems that writing the alias from the countries' files works fine, but the load "into pfTables" doesn't go to the end...
Goldorak92
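The check above (alias file on disk vs. what pf actually loaded, then testing whether a given IP lands in the loaded part) can be done outside the GUI. The script below is an added example, not code from the thread or from OPNsense: it parses the alias file format shown above (one CIDR per line) and the table listing, reports how many ranges are missing from the loaded table, and answers the same question as "Find references" for a test IP. The two inputs are constructed sample data; on a real box they would be /var/db/aliastables/<alias>.txt and the output of `pfctl -t <alias> -T show`.

```python
"""Cross-check an alias file against the ranges pf reports as loaded.

Added example for the thread above; not part of OPNsense. Inputs are
constructed samples standing in for /var/db/aliastables/<alias>.txt and
`pfctl -t <alias> -T show` output.
"""
import ipaddress

# Constructed sample: contents of the alias file written from the country files.
ALIAS_FILE_LINES = """\
37.164.0.0/14
99.78.160.0/21
99.78.168.0/23
99.82.161.0/24
99.82.163.0/24
99.82.169.0/24
"""

# Constructed sample: what pf reports as loaded (cut short, as described in the thread).
# pfctl indents each entry with three spaces, so whitespace is stripped when parsing.
PF_TABLE_LINES = """\
   37.164.0.0/14
   99.78.160.0/21
   99.78.168.0/23
"""


def parse_ranges(text):
    """Return a list of ip_network objects, one per non-empty, non-comment line."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # strict=False tolerates host bits set in a prefix (e.g. 10.0.0.1/24).
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def missing_from_table(file_text, table_text):
    """Ranges present in the alias file but absent from the loaded pf table."""
    loaded = set(parse_ranges(table_text))
    return [n for n in parse_ranges(file_text) if n not in loaded]


def covering_range(ip, nets):
    """First range in nets that contains ip, or None (mirrors 'Find references')."""
    addr = ipaddress.ip_address(ip)
    for n in nets:
        if addr in n:  # False for mismatched IPv4/IPv6 versions
            return n
    return None


def report(file_text, table_text, test_ip):
    """Summarise file vs. loaded table and whether test_ip is matched by each."""
    file_nets = parse_ranges(file_text)
    table_nets = parse_ranges(table_text)
    return {
        "file_count": len(file_nets),
        "loaded_count": len(table_nets),
        "missing_count": len(missing_from_table(file_text, table_text)),
        "in_file": covering_range(test_ip, file_nets) is not None,
        "in_table": covering_range(test_ip, table_nets) is not None,
    }


if __name__ == "__main__":
    # An IP in a range that is in the file but past the point where loading stopped.
    for ip in ("37.164.1.1", "99.82.163.5"):
        r = report(ALIAS_FILE_LINES, PF_TABLE_LINES, ip)
        print(ip, r)
    for n in missing_from_table(ALIAS_FILE_LINES, PF_TABLE_LINES):
        print("not loaded:", n)
```

A matching rule will only pass traffic for the ranges that are actually in the kernel table, so a "file_count" much larger than "loaded_count" is the symptom to look for; "in_file" true with "in_table" false for your own source address explains exactly the default-deny hits in the first post.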
I'm glad you're able to get it to add anything to the alias; nothing I do seems to add a single address to that file. Even the bogons list is empty until I click "update bogons", and at some point even that will clear out and require pressing "update bogons" again. Something is goofy with these aliases right now. The only ones that appear to work are a manual alias with two networks I made.
Reading the thread, it shows as Solved.
I've read it carefully over 5 times but cannot quite see the result.
Mine doesn't work at all; the logs show
2020-08-06T15:50:02 /update_tables.py[35043]: geoip updated (files: 499 lines: 404488)
2020-08-05T15:49:01 /update_tables.py[78660]: geoip updated (files: 499 lines: 404488)
2020-08-04T15:48:02 /update_tables.py[26100]: geoip updated (files: 499 lines: 402405)
2020-08-03T15:47:02 /update_tables.py: geoip updated (files: 499 lines: 402405)
Created a new alias, updated/removed it, but no IP shows up.
Hope someone can explain how to get this set up.
It all started to work for me once I enabled Destination / Invert in the rule (?!?!?)
Then I checked pfTop, filtered by rules, and immediately I started seeing they had been populated with data; another check on my software and I saw it correctly filtering by GeoIP.
Does anyone have any idea why this is happening and what Destination / Invert is doing?
It seems to be working very well. I left it for one whole night and not even one issue with it; the proper GeoIP IPs are being blocked, perfectly well, but I still do not understand what this Destination / Invert is!?
I understand it is inverting the match you specify earlier but for me it should work the other way around!
Thanks
Vladi
Can you please change it to Unresolved,
as people and developers think it's fixed.
Is the IDS using this GeoIP as well?
I still have our production at OPNsense 20.1.8_1-amd64 and don't want to update yet, as we need the GeoIP.
Hi Julien,
Topic title changed.
And no, the IDS is not using the GeoIP alias...
Goldorak92