[Solved] 19.7.3: GeoIP based firewall rules on the secondary HA partner broken

Started by rainerle, September 04, 2019, 06:41:51 PM

Hi,

As suggested, I am opening a separate thread for the above-mentioned problem.

During an HA takeover, services on the BACKUP HA partner are not available, since the GeoIP-based firewall rules block them.

Running the following scripts on the CLI
/usr/local/opnsense/scripts/filter/download_geoip.py
/usr/local/etc/rc.filter_synchronize
/usr/local/etc/rc.filter_configure

The GeoIP DB files under /usr/local/share/GeoIP/alias are updated but the rules still allow no access to the service.

Adjusting the rules by changing from GeoIP to any restores access to the service. So I am sure it is related to the GeoIP based rule.

Thanks
Rainer

I will try to reproduce tomorrow. Just to sum up: I have an HA CARP setup, only allow incoming connections from GER, and when FO occurs I can't connect from GER, correct?

Yes. Just as an example: ICMP ping allowed from hosts in Germany. Sync the firewall rules using XMLRPC sync. Then fail over to the BACKUP HA system. Ping to the CARP virtual IP and the host IP does not get a reply.

I do not even get a PING reply on the BACKUP HA system before the failover.

What about the alias tables under /var/db/aliastables? Are you being blocked because your address is or is not in one of those (because it is not updating)? There was just a commit to address GeoIP alias tables not updating (no expiration set in config).

If your alias tables in there are not actually updating try opnsense-patch ae5692b which includes setting a default expiration of 1 day.

Firewall : Diagnostics : pfTables

Your alias is filled with content on both? On a fresh system I was missing the GeoIP folder... so something seems to be wrong.


I checked Firewall : Diagnostics : pfTables for the GeoIP aliases - there are IP networks in those aliases.

After running
/usr/local/opnsense/scripts/filter/download_geoip.py
the files under
/usr/local/share/GeoIP/alias
are updated and contain entries. So that seems to work.

Looking at /var/db/aliastables:
root@opnsense02:/var/db/aliastables # ls -lart GeoIP_D*
-rw-r-----  1 root  wheel       0 Jun 11 10:11 GeoIP_D_A_CH_RO.self.txt
-rw-r-----  1 root  wheel      32 Jun 11 10:11 GeoIP_D_A_CH_RO.md5.txt
-rw-r-----  1 root  wheel       0 Jun 11 10:11 GeoIP_D_A_CH_RO.txt
-rw-r-----  1 root  wheel  411223 Jul 30 02:51 GeoIP_D.self.txt
-rw-r-----  1 root  wheel      32 Jul 30 02:51 GeoIP_D.md5.txt
-rw-r-----  1 root  wheel  411222 Jul 30 02:51 GeoIP_D.txt
-rw-r-----  1 root  wheel  636862 Jul 30 02:51 GeoIP_D_A_CH_plus.self.txt
-rw-r-----  1 root  wheel      32 Jul 30 02:51 GeoIP_D_A_CH_plus.md5.txt
-rw-r-----  1 root  wheel  636861 Jul 30 02:51 GeoIP_D_A_CH_plus.txt
root@opnsense02:/var/db/aliastables #

These entries seem outdated and one is even empty...

After applying patch ae5692b and running
/usr/local/etc/rc.filter_configure
the files in /var/db/aliastables are updated and now the GeoIP aliases work...
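A small audit script, added here as an example and not part of the thread or of OPNsense itself, that checks an aliastables directory for the two symptoms visible in the listing above: an empty GeoIP_*.txt table, or one older than a given number of days (one day, matching the default expiration the referenced patch sets). The file layout (<alias>.txt beside <alias>.md5.txt and <alias>.self.txt) is assumed from the listing.

```shell
#!/bin/sh
# Audit the GeoIP alias table files in an OPNsense aliastables directory.
# Assumed layout (from the listing in the thread): <alias>.txt next to
# <alias>.md5.txt and <alias>.self.txt; only the <alias>.txt tables are
# inspected. Prints one line per problem ("EMPTY <alias>" or
# "STALE <alias>") and returns 1 if anything was reported, 0 otherwise.
audit_aliastables() {
    dir="$1"
    max_age_days="${2:-1}"
    problems=0
    for f in "$dir"/GeoIP_*.txt; do
        [ -e "$f" ] || continue                        # glob matched nothing
        case "$f" in *.md5.txt|*.self.txt) continue ;; esac
        name=$(basename "$f" .txt)
        if [ ! -s "$f" ]; then
            # An empty table means a rule referencing this alias matches
            # nothing, so "allow from <country>" allows nobody at all.
            echo "EMPTY $name"
            problems=$((problems + 1))
            continue
        fi
        # find -mtime +N selects files whose age in whole days exceeds N,
        # so +$((max_age_days - 1)) means "at least max_age_days old".
        if [ -n "$(find "$f" -mtime +$((max_age_days - 1)))" ]; then
            echo "STALE $name"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Run against the live directory on an OPNsense box (needs root to read it):
# audit_aliastables /var/db/aliastables 1
```

On a healthy HA partner the function prints nothing and exits 0; run it on both nodes after a rule sync to confirm the tables are populated and current.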

Cool!

Thanks for mentioning the patch!

Do I need to schedule /usr/local/opnsense/scripts/filter/download_geoip.py in System : Settings : Cron myself? Or is it run periodically some other way?