OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: cookiemonster on July 06, 2021, 04:56:09 pm

Title: [Solved] Understanding GeoIP rules and their logging
Post by: cookiemonster on July 06, 2021, 04:56:09 pm
Hi, I'm struggling to confirm if I've setup GeoIP correctly and the logging (or lack thereof) is the expected behaviour.
I have an SSH server in the LAN that I wish to protect with GeoIP blocking. It listens on default port 22.
The setup in OPNsense is as per the manual: sign up to MaxMind, then set up an alias called "GeoProtect_Allow" with only the UK selected from all countries.
The NAT rules have the port forward:
Interface  Proto    Src addr  Src ports  Dst address  Dst ports    NAT IP         NAT ports  Description
LAN        TCP      *         *          LAN address  22, 80, 443  *              *          Anti-Lockout Rule
LAN        TCP/UDP  *         *          ! LAN net    53 (DNS)     192.168.5.154  53 (DNS)
WAN        TCP      *         *          WAN address  22 (SSH)     192.168.5.2    22 (SSH)

My WAN firewall rules have the GeoIP rule just after the default bogons and DHCP rules; these are the manual ones:
Flags             Proto     Source              Port  Destination  Port      Gateway  Schedule  Description
log, first match  IPv4 UDP  *                   *     WAN address  1193      *        *         vpn_in
log, first match  IPv4 TCP  ! GeoProtect_Allow  *     WAN address  22 (SSH)  *        *         GeoIP_SSH_Allow
log, first match  IPv4 TCP  *                   *     192.168.5.2  22 (SSH)  *        *

So if I understand correctly, the second WAN rule says block incoming connections to port 22 unless they are coming from the UK. It is set to block. The last one is set to pass.

Troubleshooting so far:
- I've changed from an alias that included all the countries I want to block to just the one I want to allow, and tried adjusting the WAN rule to pass. I settled on the current arrangement, the other way around, as I think it more logical and more efficient.
- I've checked there are tables with ip populated in /var/db/aliastables/GeoProtect_Allow.self.txt
- I've checked the rules appear in /tmp/rules.debug
- Followed /var/log/filter/filter{date}.log

My questions:
1. I see in the firewall live logs no record of blocks. Is this expected? The WAN rule is set to log.
2. I see in the firewall live logs records of passes and returns and the respective hits on my SSH server with the auth failures from break-in attempts. The source IPs are from countries expected to be blocked by the rule according to whois checks. How can I verify another way that it is indeed blocking? Other logs?

Thanks in advance.
Title: Re: Understanding GeoIP rules and their logging
Post by: cookiemonster on July 06, 2021, 05:07:55 pm
I am on OPNsense 21.1.6-amd64 by the way
Title: Re: Understanding GeoIP rules and their logging
Post by: cookiemonster on July 07, 2021, 01:07:41 pm
I've created the same rule on LAN and still have the same problems: no logging and no blocking.
Clearly I'm doing something wrong. I'll appreciate a pointer or two please.
Title: Re: Understanding GeoIP rules and their logging
Post by: cookiemonster on July 07, 2021, 01:20:17 pm
Solved finally.
Note to self: the destination needed to be LAN Net.
Why, I don't know. I thought I was grasping the source and destination concepts in OPNsense, but clearly I have much to learn.
Title: Re: [Solved] Understanding GeoIP rules and their logging
Post by: dcol on August 09, 2021, 05:40:01 pm
Correct me if I am wrong, but you should never set the GeoIP to allow only a specific country. GeoIP should only be used to block using a Source/Invert to that GeoIP country list.

Reason is that MaxMind does NOT have every IP of a country. I know this for a fact for US IPs. MaxMind's country list does not even have my IP or any of my clients' IPs in its US database. So, for example, if I allow only US as the source, then every one of my clients, including myself, will be blocked.

And I use the paid subscription service, not the free one. Funny thing is, MaxMind has our IPs in the City database, but not the Country one.

Any opinions on this?
Title: Re: [Solved] Understanding GeoIP rules and their logging
Post by: cookiemonster on August 09, 2021, 06:09:51 pm
I did not know that, thanks.
I'll need to revise then. It still makes sense to me that it is more efficient to look up one country list to allow than to look up many to block, and since not all IPs will be included either way, it moves from missing some IPs that should be allowed to missing some that should be blocked. So it's a case of deciding which is preferable, I guess.
I'll revisit the rule in this case, and I need to be careful with my memory- and CPU-constrained system.
Thanks again dcol.
Title: Re: [Solved] Understanding GeoIP rules and their logging
Post by: dcol on August 09, 2021, 07:45:12 pm
I agree that it would be better to just allow a few than block many. What to keep in mind is that MaxMind's database is not all-encompassing, so it is better to block the bad than to just allow the good. At least you will know you got most of the unwanted.
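Added example, not OPNsense code and not something posted by anyone in this thread: a small Python simulation of first-match evaluation for the WAN rules above. It shows two things the thread discusses. First, why the GeoIP rule only started matching once its destination was the LAN net: pf performs the NAT port-forward (rdr) translation before the filter rules are evaluated, so the WAN filter rule sees destination 192.168.5.2, not the WAN address, and a block rule with destination "WAN address" never matches (hence no block log entries). Second, dcol's trade-off: an address that MaxMind has in no country list is blocked by the allow-one-country design and passed by the block-many-countries design. The WAN address 192.0.2.1, the alias contents and the three source addresses are constructed; the LAN net, 192.168.5.2 and the rule layout come from the thread.

```python
"""Simulate pf/OPNsense first-match rule evaluation for the WAN rules in this thread.

Added example, not OPNsense code or anything posted by the thread's authors.
The WAN address, the alias contents and the source addresses are constructed;
the LAN net, the SSH server 192.168.5.2 and the rule layout come from the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for /var/db/aliastables/GeoProtect_Allow.self.txt
# (one prefix per line). Pretend these are the only "UK" prefixes MaxMind knows.
GEOPROTECT_ALLOW_TXT = "198.51.100.0/24\n203.0.113.128/25\n"
# Constructed stand-in for the opposite design: an alias of countries to block.
GEOPROTECT_BLOCK_TXT = "100.64.0.0/10\n"

WAN_ADDRESS = "192.0.2.1"     # constructed firewall WAN address
LAN_NET = "192.168.5.0/24"    # LAN net from the thread
SSH_SERVER = "192.168.5.2"    # port-forward target from the thread


def load_alias(text):
    """Parse an alias table dump: one network or host per line, '#' comments ignored."""
    return [ipaddress.ip_network(line.strip(), strict=False)
            for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def in_alias(ip, networks):
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in networks)


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    src_alias: Optional[List]   # alias networks, or None for "*"
    src_invert: bool            # the "!" (invert) checkbox on the source
    dst: str                    # "*" or a host/network string
    dport: int
    descr: str

    def matches(self, src_ip, dst_ip, dport):
        if dport != self.dport:
            return False
        if self.dst != "*" and ipaddress.ip_address(dst_ip) not in \
                ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.src_alias is not None:
            hit = in_alias(src_ip, self.src_alias)
            # an inverted source matches only when the address is NOT in the alias
            if hit == self.src_invert:
                return False
        return True


def evaluate(rules, src_ip, dst_ip, dport):
    """First-match semantics (OPNsense rules are 'quick' by default)."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action, rule.descr
    return "block", "default deny"


def after_rdr(dst_ip, dport):
    """pf translates the destination (the NAT port forward) before the filter
    rules run, so the WAN rules see 192.168.5.2:22, not the WAN address."""
    if dst_ip == WAN_ADDRESS and dport == 22:
        return SSH_SERVER, 22
    return dst_ip, dport


def decide_allowlist(geo_rule_dst, src_ip):
    """The thread's design: block '! GeoProtect_Allow' to geo_rule_dst:22, then pass to the server."""
    rules = [
        Rule("block", load_alias(GEOPROTECT_ALLOW_TXT), True, geo_rule_dst, 22, "GeoIP_SSH_Allow"),
        Rule("pass", None, False, SSH_SERVER, 22, "pass SSH to 192.168.5.2"),
    ]
    dst, port = after_rdr(WAN_ADDRESS, 22)
    return evaluate(rules, src_ip, dst, port)


def decide_blocklist(src_ip):
    """dcol's design: block sources that ARE in a blocklist alias, then pass."""
    rules = [
        Rule("block", load_alias(GEOPROTECT_BLOCK_TXT), False, LAN_NET, 22, "GeoIP_SSH_Block"),
        Rule("pass", None, False, SSH_SERVER, 22, "pass SSH to 192.168.5.2"),
    ]
    dst, port = after_rdr(WAN_ADDRESS, 22)
    return evaluate(rules, src_ip, dst, port)


if __name__ == "__main__":
    attacker = "100.64.0.5"    # constructed: in the blocklist, not in the allowlist
    uk_host = "198.51.100.7"   # constructed: in the allowlist
    unmapped = "192.0.2.77"    # constructed: in neither alias (a MaxMind gap)
    print("dst=WAN address:", decide_allowlist(WAN_ADDRESS, attacker))  # passes: rule never matches
    print("dst=LAN net:    ", decide_allowlist(LAN_NET, attacker))      # blocked
    print("UK source:      ", decide_allowlist(LAN_NET, uk_host))       # passes
    print("unmapped, allow:", decide_allowlist(LAN_NET, unmapped))      # blocked (customer locked out)
    print("unmapped, block:", decide_blocklist(unmapped))               # passes (attacker slips through)
```

The first two calls reproduce the thread: with destination set to the WAN address the block rule is skipped and the pass rule lets the non-UK source through, which is exactly "no block logs, break-in attempts in the SSH auth log"; with destination set to the LAN net the same source is blocked on the logged rule. The last two calls show dcol's point: an address missing from MaxMind's country data is locked out by the allow-one-country design and let through by the block-many design, so the choice is which failure mode you would rather live with. On a real box the same check against the live table is `pfctl -t GeoProtect_Allow -T test 198.51.100.7`.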