GeoBlocking while keeping sane table sizes

[9axqe]

Hello all,

I noticed geoBlocking can very quickly make the fw tables grow into something my DEC695 will not support (max 1000k entries).

Any tricks on how to optimize?

I currently have two aliases:
* block all outbound to certain geographies (IPv4 and IPv6)
* only allow inbound from certain geographies, applies to specific ports which are open on my fw, both for IPv4 and IPv6.


That alone is already ~500k entries in my case.

Is there a smarter way to do geoblocking? I know geoBlocking is no panacea in security, but I do like it as some additional line of defense if you want, kind of keeps the "dumb brute force" stuff out.

[meyergru]

You can enlarge the default table sizes under  "Firewall: Settings: Advanced".

[9axqe]

 Thanks, I guess I need to monitor my memory usage after increasing it.

[doktornotor]

Dunno what's DEC695 HW specs, 500K table entries will eat about 0,5G of RAM, if that's a problem, getting better HW sounds like a good idea. Adjust the settings and move on?

[cookiemonster]

How are you implementing geoblocking?
I am using the documented way in the docs for OPN using maxmind's free database. If I read the values correctly, looking at the alias sizes from the Firewall > Diagnostics > Alias, the geoip : Showing 1 to 20 of 132288 entries. So I read 132K entries. Some of them I expect are very large networks. There is no netmask next to any entry.
Also one of the Alias' values in the OPN UI shows  Total number of ranges= 949942
Finally, my usage is 21% (214350/1000000). Using default table size.

HIH.

[9axqe]

Hello,

thanks for replying, appreciate.

yes I got a maxmind license and opnsense downloads 949942 ranges from maxmind according to Firewall > Aliases > GeoIP Settings.

Under Firewall > Aliases, the incoming allow alias (includes US and 4 other countries) says that "loaded#" is 351292 already.

Firewall > diagnostics > Aliases shows the same: "Showing 1 to 20 of 351292 entries"

I did find one mistake, where I had two aliases with overlapping countries in in, which was wasteful, I fixed this, but now I'm out of ideas to further compress these IP ranges. I guess it's not possible.

Side question: how can I get an email for any alarm that shows up in the GUI at the top, in red? I'm trying to set this up with monit but struggling. Asking because earlier I messed up, the firewall tables weren't loading properly anymore because I had hit 1M entries and I didn't immediately noticed the red dot at the top.

[cookiemonster]

The usage of tables and memory for this geopi is 21% of the default total, so why do you think in your case is the cause of a size your hardware won't support? A bit unclear there.

[9axqe]

My memory usage is 25%, which is comfortable, but my table usage is 64% and led to a single goIP alias misconfiguration putting me above the 1M entries limit.

I really need to set myself a correct monitoring solution that alerts me to this type of misconfiguration/errors.

[dishtix]

Misread... nvm

GeoIP route tables get large, no way around this especially for large countries.

[cookiemonster]

Misread... nvm

GeoIP route tables get large, no way around this especially for large countries.

That is very true but sometimes the more efficient way to deal with that is to use the opposite, alas instead of blocking every country except one, to only allow that country.

[tangofan]

Misread... nvm

GeoIP route tables get large, no way around this especially for large countries.

That is very true but sometimes the more efficient way to deal with that is to use the opposite, alas instead of blocking every country except one, to only allow that country.

A potential pitfall with that approach (of using explicit allow-lists for countries) is that some ip-address-blocks might not be in Maxmind's database. I remember a forum post (on this forum IIRC) where the poster noted that their current ip-address did not have a country assigned. In such a case you wouldn't be able to connect to such ip-addresses when using allow-lists.

[dishtix]

I originally wrote something about using ASNs, its can be more work to build up but just as effective with a smaller footprint.

Another option is to cook up a nice ip table list and using sources from emergingthreats etc, you can find lists for almost anything. It should be able to keep most of the riffraff off your servers without the necessary load of large geoip lists.

Here is my default blocklist, compiled from PRI1 Feed collections from pfB.

https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt
https://sslbl.abuse.ch/blacklist/sslipblacklist.txt
https://cinsarmy.com/list/ci-badguys.txt
https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
https://rules.emergingthreats.net/blockrules/compromised-ips.txt
https://www.spamhaus.org/drop/drop.txt
https://www.spamhaus.org/drop/edrop.txt
set a 24hr refresh.. 

OP wasnt very specific in what he wanted to block other than certain countries..