Location Block not Blocking Checked Location

Upgraded to Core 148. I have China (CN) blocked in the Location Block, but still see 89 hits (as of now) in the Fw-Loggraphs by Country. I unchecked and re-checked the box, but still see the hits increasing. I have several other countries blocked, but CN is the only one creeping through. Thoughts?

“Sheet happens”. :slight_smile:
IMVHO not all the ip addresses are located perfectly into the world (some french ISP/phone provider operating in italy are still considered french by some GeoIP packages).

Understood. Thanks.

Hi,

IMVHO not all the ip addresses are located perfectly into the world (some french ISP/phone provider operating in italy are still considered french by some GeoIP packages).

this is true in certain cases, but should not be a general apology. :slight_smile:

@eggman: To make sure we are not dealing with a bug here, could you please post the offending Chinese IP addresses here so we can have a look at the location results for them?

Thanks, and best regards,
Peter MĂĽller

Here you go…

Source
202.108.219.98
125.66.113.91
117.28.25.50
183.57.46.131
115.238.181.22
106.124.131.194
210.34.24.80
221.210.54.80
113.14.247.42
180.153.68.54
222.186.133.223
111.75.248.5
125.89.55.102
111.202.97.86
122.224.189.82
119.254.78.216
101.91.207.208
60.12.109.73
60.191.111.243
140.206.168.198
49.88.168.211
59.46.96.12
111.202.97.86
1.192.144.72
60.191.125.35
118.126.113.29
54.222.236.245
54.222.236.245
54.222.236.245
49.88.112.109
49.74.122.236
49.74.122.236
119.57.89.126
42.86.77.228
61.157.168.132
58.213.48.219
219.146.242.110
1.203.80.2
112.29.172.102
112.29.172.102
58.215.12.226

1 Like

Those are from today (Sept. 7). If you want other logs from the days post-upgrade, let me know.

Hi Bill,

thanks for your reply. Meanwhile, this turned out to be a bug (#12480) and will be fixed in upcoming Core Update 150.

Thanks, and best regards,
Peter MĂĽller

Glad to help!

Getting some more firewall hits from a blocked country. This time from Brazil:

179.107.48.144
179.107.48.47
179.107.51.131
179.107.54.60
179.107.50.203
179.107.49.192
179.107.51.212
179.107.50.107
179.107.51.107
179.107.55.48
179.107.50.156
179.107.50.95
179.107.52.251
179.107.53.182
179.107.54.136
179.107.51.67
179.107.51.132
179.107.52.113
179.107.48.55
179.107.50.38
179.107.53.117
179.107.48.177
179.107.52.221
179.107.53.87
179.107.55.27
179.107.54.225
179.107.55.225
179.107.51.153
179.107.54.72
179.107.50.76
179.107.54.205
179.107.50.157
179.107.48.215
179.107.48.63
179.107.55.130
179.107.49.173
179.107.49.56
179.107.54.39
179.107.48.116
179.107.55.225
179.107.55.92
179.107.53.84
179.107.48.15
179.107.55.152
179.107.55.197
179.107.50.142
179.107.53.219
179.107.49.167
179.107.50.80
179.107.53.80
179.107.49.205
179.107.50.78
179.107.55.166
179.107.51.78
179.107.49.15
179.107.51.78
179.107.50.174
179.107.49.84
179.107.48.252
179.107.50.93
179.107.52.234
179.107.48.152
179.107.55.242
179.107.48.109
179.107.48.4
179.107.52.44
179.107.55.177
179.107.55.79
179.107.48.109
179.107.53.47
179.107.51.125

Registrar is argentinian…
Joint Whois - whois.lacnic.net
% This server accepts single ASN, IPv4 or IPv6 queries

% LACNIC resource: whois.lacnic.net


% Copyright LACNIC lacnic.net
%  The data below is provided for information purposes
%  and to assist persons in obtaining information about or
%  related to AS and IP numbers registrations
%  By submitting a whois query, you agree to use this data
%  only for lawful purposes.
%  2020-10-19 13:55:29 (-03 -03:00)

inetnum:     179.0.0.0/23
status:      assigned
aut-num:     N/A
owner:       NEURALSOFT S.R.L.
ownerid:     AR-NESR9-LACNIC
responsible: Gustavo Javier Cayetano Viceconti
address:     Presidente Roca, 1626, 
address:     2000 - Rosario - SF
country:     AR
phone:       +54 341 4090555
owner-c:     TOC6
tech-c:      TOC6
abuse-c:     TOC6
inetrev:     179.0.0.0/23
nserver:     REVERSE.NEURALSOFT.COM
nsstat:      20201019 AA
nslastaa:    20201019
created:     20130412
changed:     20130412

nic-hdl:     TOC6
person:      Tomas Cribb
e-mail:      tomas.cribb@neuralsoft.com
address:     Pte. Roca, 1626, 
address:     2000 - Rosario - SF
country:     AR
phone:       +54 341 4090555
created:     20110430
changed:     20110430

% whois.lacnic.net accepts only direct match queries.
% Types of queries are: POCs, ownerid, CIDR blocks, IP
% and AS numbers.

Hi,

@eggman: I assume you have installed Core Update 150. Could you please post the output of location version here?

@pike_it: Yes, however, we will not be able to provide that information, as LACNIC does not provide data for sub-allocated networks.

Thanks, and best regards,
Peter MĂĽller

I have 2.25 150 installed.
I have applied recent rules.pl fix for private addresses & Red interface.
I block all countries except my own. I am getting dropped attempts logged from all over the world.
I tested as follows:
Set up rule for IPFire web admin from my country on Red.
Connect to firewall web interface via mobile phone 4G (same country). Disconnect.
From Green LAN, block my country in Location Block, apply firewall rule update.
Attempt web admin login from mobile (Red) again. Still works.
Waited some time for existing connections to drop, re-tried, still works.
Previously having a location blocked would override any firewall rule using that country.
Similarly, having all countries blocked, there would be very few dropped attempts logged.
Seems like location blocking not working.

Hi,

I am getting dropped attempts logged from all over the world.

first: Why do you even worry about them? Those packets were dropped, so they do not present any danger at all.

I tested as follows:
Set up rule for IPFire web admin from my country on Red.
Connect to firewall web interface via mobile phone 4G (same country). Disconnect.
From Green LAN, block my country in Location Block, apply firewall rule update.
Attempt web admin login from mobile (Red) again. Still works.
Waited some time for existing connections to drop, re-tried, still works.
Previously having a location blocked would override any firewall rule using that country.
Similarly, having all countries blocked, there would be very few dropped attempts logged.

This sounds like there is something wrong entirely on your system, whereas in this thread, it looks like at least some parts of the location database are working. Could you please up another thread for your problem?

Seems like location blocking not working.

Since you have already ranted in another thread about this, I cannot resist responding: You are absolutely free to build your own location database from scratch (@ms literally worked weeks on this, and I have spent hours on the phone with him to get to the point where we are, but hey) and do things better.

Do you think we did this voluntarily?! The GeoIP database was terrible enough, out-dated and we were facing licensing issues with it. Changing to another proprietary provider is not a sustainable solution.

Unless you provide a proposal to do this better, please go rant somewhere else.

Thanks, and best regards,
Peter MĂĽller

1 Like

Hi Peter,
Thanks for your support.
I am not having a rant. you would soon know if I was.
I was just giving a heads up on potential filtering issues.
My firewall was reinstalled from a 2.25 150 ISO and a 150 backup applied.
I have checked the other firewalls I maintain and same problem.
Maybe I edited rules.pl incorrectly?
Will have to wait for 2.25 151 release and take from there.

Yes. 150. I’m not quite sure to what the “output of location version” refers, although the hits from Brazil have dissipated since I posted those IPs five days ago. Can you help me understand more about what you need?

Hi Bill,

by “output of the location version” I was referring to the output of this command:

location version

Sorry for not being precise here.

Thanks, and best regards,
Peter MĂĽller

P.S.: Just for the records: Core Update 151 has been released today. :slight_smile: