Core 150 - Geoblocking blocks everything from GREEN

After updating to Core 150 our networking was not functioning anymore. We could not even reach the web interface / GUI of IPFire. This could only be achieved by whitelisting all connections from GREEN in iptables’ CUSTOMINPUT chain.

After 2 hours of searching it turned out that everything worked again by turning off the GeoIP-blocking. If you view the iptables page in the web GUI one can see that the LOCATIONBLOCK chain listens on all interfaces or ‘*’. I think it should only listen on RED.

1 Like
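
The check described in the post above, as an added example that is not part of the original post and is not IPFire's own code: it reads a rule listing in `iptables -S` format and prints every jump into a chain that is not restricted to one inbound interface. The function name, the sample rules and the interface name `red0` for RED are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list jumps into a chain that are NOT bound to one input interface.
# Reads rules in `iptables -S` format on stdin.
# On a live firewall (as root): iptables -S | jumps_not_bound_to LOCATIONBLOCK red0

jumps_not_bound_to() {
    # $1 = target chain, $2 = the only interface the jump should match on
    awk -v target="$1" -v iface="$2" '
        $1 == "-A" {
            jump = 0; bound = 0
            for (i = 3; i <= NF; i++) {
                # -j (jump) or -g (goto) into the chain we care about
                if (($i == "-j" || $i == "-g") && $(i + 1) == target) jump = 1
                # "-i red0" binds the rule; "! -i red0" matches every OTHER interface
                if (($i == "-i" || $i == "--in-interface") && $(i + 1) == iface && $(i - 1) != "!") bound = 1
            }
            if (jump && !bound) print
        }'
}

# Constructed sample listing, not captured from an IPFire system.
sample_rules() {
    cat <<'EOF'
-P INPUT DROP
-N CUSTOMINPUT
-N LOCATIONBLOCK
-A INPUT -j CUSTOMINPUT
-A INPUT -j LOCATIONBLOCK
-A FORWARD -i red0 -j LOCATIONBLOCK
-A FORWARD ! -i red0 -j LOCATIONBLOCK
-A LOCATIONBLOCK -s 192.0.2.0/24 -j DROP
EOF
}

# Demo run on the constructed sample: prints the two jumps that also see GREEN traffic.
sample_rules | jumps_not_bound_to LOCATIONBLOCK red0
```

An empty result means every jump into the chain is limited to the named interface; any printed rule is one through which traffic from GREEN can reach the chain.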

Today I ran into the same problem and tracked it to the LOCATIONBLOCK chain.

While it occurred after an upgrade from core149->core150 it also happened on a new install of core150, and blocking of all connections to GREEN persists in core151rc.

I did a rollback to 149 as this instance is only used as Location-Blocker for my homelab and Location-Filter is useless or worse in every version >core149.

1 Like

Hello, same issue here. How do you stop geoblocking via the CLI? Thanks for any clue.

Also how did you revert to 149?

No I didn’t revert to 149. I allowed access from green as mentioned here: https://forum.ipfire.org/viewtopic.php?f=27&t=18730&p=107607&hilit=custominput#p107605

Then I could deactivate geoblocking via webgui. Now it works, but I don’t have geoblocking active…

I reinstalled core149 from ISO :sweat_smile:

My solution to the No-GUI-Problem was to login as root on the CLI and navigate to /var/ipfire/firewall where I moved the locationblock file to locationblock.old. Then I ran /usr/local/bin/firewallctrl and the connections started to work again. To disable the defunct Location-Filter in GUI I moved the .old file back before accessing the GUI.

3 Likes

You rock man, that did the trick, thanks a lot, was about to reinstall 149 :roll_eyes:

So is this a Bug for Bugzilla or how do we get the Devs to take a look?

I hate Bugzilla with a passion…

Copied initial posting to https://bugzilla.ipfire.org/show_bug.cgi?id=12499 and linked to this thread. I hope someone will see it.

2 Likes

THX, I was just now struggling to word the Bugzilla entry :sweat_smile: :+1:

As advised on the bugtracker I ran ‘location update’ as root from CLI. Got the database from Tue, 13 Oct 2020 08:21:56 GMT

With this database the location filter works as intended as far as I can see, no GUI or SSH lockout, traffic flows as it should.

This seems to be a dud database in the upgrade and/or install files and insufficient checks on the validity of the database when such a thing can bring down all connectivity :thinking:

One hour ago I did the update from 149 to 150 and some minutes later I ran into the same problem. No internet connection anymore, no WUI, no SSH. After a quick search here I tried @bladerunner's tip “location update” but it won’t work because I’m “Already on the latest version”.
So I had to rename /var/ipfire/firewall/locationblock and run firewallctrl. After that everything was good again.
Now geoblocking is disabled until the bug is fixed…

Perhaps I should have mentioned that I disabled location-block before the Upgrade from 149->150 and then ran the “location update” from SSH shell, which got me a new location database.

Only after all this I re-enabled the location-block, that has worked for the last few hours.

Progress is reported in the bugtracker, one of the devs already picked up on @user-0815's entry.

Hi,

to avoid duplicates, I am going to close this thread in favour of No more access to ipfire - Core 150 | Location-Filter.

Please find all relevant information about this issue, the progress we made while solving it, and other aspects in this post in the mentioned thread.

No offense is intended, we just try to keep track of one problem in one thread. Thanks for your understanding. :slight_smile:

Thanks, and best regards,
Peter Müller