OPNsense Forum
Archive => 19.7 Legacy Series => Topic started by: pilotboy72 on November 14, 2019, 12:24:53 am
-
Hi,
I have an issue where GEOIP Aliases aren't resolving country codes to IP addresses. I created an alias for countries I want to block and have an associated rule to block traffic from that alias.
When I click on Apply to update the alias on the firewall, I'm getting the following error in my logs:
configd.py: encode idna: unable to decode AO BF BI BJ BW CD CF CG CI CM DJ DZ EG EH ER ET GA GH GM GN GQ GW KE LR LS LY MA ML MR MW MZ NA NE NG RW SD SL SN SO SS ST SZ TD TG TN TZ UG ZA ZM ZW, return source
This seems to be new as of 19.7.6 (or at least this is the first I've noticed it). I'm interpreting this error (from the backend logs) to mean that Opnsense is unable to process the alias and that the firewall rule is not effective.
I looked back and saw a similar defect reported in 19.7.3 and resolved in 19.7.4. Not sure if this has resurfaced or if I'm doing something wrong. Can someone provide some direction for me?
Brian
-
Hi Brian,
The log message isn't necessarily an error, it communicates that it can't decode the string to idna (which isn't a problem).
A long time ago we accepted several commits which in retrospective we shouldn't have done, they where aimed to provide cyrillic language support and came with a lot of issues. (I think this specific mess originates from https://github.com/opnsense/core/pull/2492 and surrounding PR's)
Since "AO BF BI BJ BW ..." isn't a valid IDN string (http://unicode.org/reports/tr46/) it returns the original one in this case, which is actually good. (I've added the log message at some point to be able to track these issues more easily).
Usually issues around geoip are either matching the wrong traffic or not being able to fetch the source data, the last one is easy to check using "Firewall -> Diagnostics -> pfTables" (alias should contain the country ranges).
We have thought about removing the IDN support in full at some point in time, since the way it's implemented will always be flawed, but for now we decided to leave it as is.
Best regards,
Ad
-
Makes sense. I looked at the diagnostic and I see a bunch of IP addresses in the table associated with the alias, so it is resolving, and I assume then that these are also being blocked, so all good.
Thanks for the response on this.
Brian