Newbie: How install Geoip

Started by johnwwweissberg, September 26, 2019, 12:02:21 AM

I have just started using Opnsense 19.7.

On the file system, these directories do not yet exist:

/usr/local/share/GeoIP/
/usr/local/share/GeoIP/alias

I have located the following script which should download and install Geoip tables:

/usr/local/opnsense/scripts/filter/lib/geoip.py


Questions:

1. Is there a way to install geoip from the UI?

2. What is the preferred way to install geoip? Should I simply run the above script from the command line?

3. Are there other pre or post installation steps required?


GeoIP is via Firewall: Aliases. Create a new alias as GeoIP type, select the required countries and use the alias in your firewall rules. That's it, no console magic involved.


Cheers,
Franco

I can create the Firewall Aliases using the type "Geoip".

The problems are:

1. The Geoip firewall rules are not functioning
2. As far as I can tell, Geoip is not truly installed in the sense that these directories are empty:

/usr/local/share/GeoIP/
/usr/local/share/GeoIP/alias


What is the best way to launch the geoip installation script?


Hmm, if you create an alias and the pftable for it gets populated (save and APPLY on Alias page in GUI) I don't see any reason why the fw rules based on the alias should not work (for you) :-)
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

I'm having an issue along these same lines.  I created an alias for countries I want to block and have an associated rule to block traffic from that alias.

When I reconfigure the firewall, I'm getting the following error in my logs:

configd.py: encode idna: unable to decode AO BF BI BJ BW CD CF CG CI CM DJ DZ EG EH ER ET GA GH GM GN GQ GW KE LR LS LY MA ML MR MW MZ NA NE NG RW SD SL SN SO SS ST SZ TD TG TN TZ UG ZA ZM ZW, return source

This seems to be new as of 19.7.6.  I'm interpreting this error (from the backend logs) to mean that Opnsense is unable to process the alias and that the firewall rule is not effective.

Brian

On 19.7.6 here, too. The Alias is populated and related domains are blocked... Apparently working as expected.
kind regards
chemlud

I have a similar scenario and wanted to ask this.

I have a port forward setup to my DVR.  I want to block all countries except the US.  I set up the alias and appropriate firewall rule.

In my firewall rule, do I put the destination with my local LAN DVR address?

How do I verify that this is being done/blocked?

Quote from: Mundan101 on November 14, 2019, 10:07:49 PM
I have a similar scenario and wanted to ask this.

I have a port forward setup to my DVR.  I want to block all countries except the US.  I set up the alias and appropriate firewall rule.

In my firewall rule, do I put the destination with my local LAN DVR address?

How do I verify that this is being done/blocked?

The GeoIP Alias should be the destination.  So source: LAN Net and Destination GeoIP Alias. 

You can check this is working by enabling logging on the rule.
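
Added example (not part of any post in this thread, and not OPNsense project code): a shell check for the two verification points raised above, namely whether the pf table behind a GeoIP alias is populated after save and Apply, and whether a given address falls inside it. It assumes the pf table carries the same name as the alias, that it is run as root on the firewall shell, and uses `geo_block` as a hypothetical alias name.

```shell
#!/bin/sh
# Usage (as root on the firewall): sh check_alias.sh geo_block 203.0.113.7
# Assumption: the pf table has the same name as the alias.

# table_count ALIAS -> print the number of entries in the pf table.
# Prints 0 when the table is empty or does not exist.
table_count() {
    pfctl -t "$1" -T show 2>/dev/null | awk 'NF { n++ } END { print n + 0 }'
}

# addr_in_table ALIAS ADDR -> exit status 0 if ADDR matches an entry.
addr_in_table() {
    pfctl -t "$1" -T test "$2" >/dev/null 2>&1
}

# check_alias ALIAS [ADDR...] -> print a short report.
# Returns 1 when the table is empty, which means any rule using
# the alias cannot match traffic.
check_alias() {
    alias_name=$1
    shift
    count=$(table_count "$alias_name")
    if [ "$count" -eq 0 ]; then
        echo "$alias_name: table empty or missing (save and Apply the alias)"
        return 1
    fi
    echo "$alias_name: $count entries"
    for addr in "$@"; do
        if addr_in_table "$alias_name" "$addr"; then
            echo "  $addr: inside alias"
        else
            echo "  $addr: not in alias"
        fi
    done
    return 0
}

# Run only when arguments are given, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    check_alias "$@"
fi
```

An empty table points at the alias download or Apply step rather than at the rule; a populated table with the expected addresses inside it leaves rule direction and ordering as the next thing to check, with rule logging enabled.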