Block traffic based on GeoIP - The FreeBSD Forums
Forum: Firewalls - IPFW, PF, IPF (but not limited) related discussion
#1  UltraLinuz (Junior Member), January 7th, 2009, 00:28
Block traffic based on GeoIP

I would like to add a rule to my pf.conf that blocks any incoming traffic based on the geographic location of the IP address.

For example, I would only allow IP addresses from France to access my Apache server. All other traffic should be blocked.

As it looks to me, one can do pretty advanced things in pf, but I am a complete newbie to FreeBSD. It looks to me that one somehow needs to use GeoIP and geoiplookup to determine the origin of the IP address.

Is this somehow possible?
#2  danger@ (FreeBSD Developer), January 7th, 2009, 01:19

I doubt this is possible to do with any firewall package available in FreeBSD. One thing that comes to my mind is to do a geoip based dns routing, i.e. you route DNS queries from France to the real web server, and others, say, to 127.0.0.1...

I can provide you with a patch for bind to do that.
#3  Djn (Member), January 7th, 2009, 05:48

Alternatively, you could set up a named list of blocked networks, and then use pfctl to populate it from a cron job?
(Assuming there's some way to pick out the networks representing the relevant countries.)
#4  anomie (Member), January 7th, 2009, 18:37

Well, you could use the per-country IP network lists: http://www.ipdeny.com/ipblocks/

As a security measure I'm not sure how effective this will be against a determined attacker. He can simply stage an attack from inside one of the (many) allowed networks.
#5  Djn (Member), January 7th, 2009, 23:50

True, but there are large botnets or something operating from a few specific countries - blocking them will remove quite a lot of the log noise.
#6  UltraLinuz (Junior Member), January 8th, 2009, 01:01

Hehehe! This looks great!

It's a little bit of a hassle handling the files, but it will work. I wasn't aware of ipdeny.com, but it will basically result in the same, most likely even with better performance.

And indeed it's not a very reliable protection mechanism, but I'd like to get rid of all this spam and intrusion attempts from these few countries I really never visit, mail, nor offer any services to.
#7  Maurovale (Junior Member), January 12th, 2009, 00:23

Hi, there is a mod of GeoIP that you can use with Apache (http://www.maxmind.com/app/mod_geoip).

But also, as has already been said, you can use the IPs from ipdeny (http://www.ipdeny.com/) and use them directly with the pf firewall, or make a script to load the rules into your firewall in case you use ipfw.

Best Regards
#8  Excalibur (Junior Member), January 12th, 2010, 22:14

Well, using the ipdeny blocks seems to be a good idea. But won't that slow down things a bit? If you're blocking like 25 countries from a server like I'm doing with IPTables&GeoIP on RHEL, that would be crazy because of how many IP-blocks you need to add.

I'm not sure what is the best method to block 25+ countries w/o slowing down things like crazy.

Additionally, Apache's GeoIP isn't really that helpful, it doesn't prevent access to the server itself from blocked hosts.

Ideas/Suggestions?
#9  Ruler2112 (Member), January 13th, 2010, 22:23

I created a script to block IPs listed in the EmergingThreats.org list, updating both the list and firewall from the nightly cron job. It would be very simple to run a separate copy from cron for each country you wish to block and thereby have an updated list and firewall for each.

There's also some discussion on the efficiency and memory usage of having huge tables of IPs to block in that thread. Basically, pf sorts the IPs when it adds them to a table so lookups are very fast and the amount of memory consumed is inconsequential.

That ipdeny site is great - I never knew such a thing existed before!
#10  Excalibur (Junior Member), January 13th, 2010, 22:34

I'm sorry, as I'm really new to FreeBSD, does this work with IPFW as well?

Quote: Originally Posted by Ruler2112
I created a script to block IPs listed in the EmergingThreats.org list, updating both the list and firewall from the nightly cron job. It would be very simple to run a separate copy from cron for each country you wish to block and thereby have an updated list and firewall for each.

There's also some discussion on the efficiency and memory usage of having huge tables of IPs to block in that thread. Basically, pf sorts the IPs when it adds them to a table so lookups are very fast and the amount of memory consumed is inconsequential.

That ipdeny site is great - I never knew such a thing existed before!
#11  ctaranotte (Junior Member), January 14th, 2010, 11:25

I have found GEOIP more accurate than IPDENY (purely subjective).

mod_geoip is 100% working; maybe you should check your httpd.conf.

Anyway, if you want to go the pf + GeoIP route:

1) jail httpd (man jail for more info)
2) look at net/tableutil in ports
3) visit tableutil home
4) look at the example of script handling peerguardian blocklists (GeoIP lists share the same format)
5) between
Code:
gunzip -c - | sed "s/.*:\([0-9.-]\)/\1/" | \
and
Code:
tableutil -q text 2> /dev/null > /tmp/blocklist
insert some grep instructions to keep only the countries of interest.

Last words, in this script, the pf table is in etc/pfdata/blocklist.

Good luck,

Last edited by ctaranotte; January 14th, 2010 at 11:40.
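The cron-refreshed pf table that posts #3, #4 and #9 describe, with the "grep only the countries of interest" filtering step from post #11 done on the downloaded ipdeny data, as an added example that is not code from any poster; it uses plain pfctl table replacement instead of tableutil. The table name, file paths and the ipdeny URL layout are assumptions.

```shell
#!/bin/sh
# Added example (not from any poster): refresh a pf table from ipdeny's
# per-country zone files, meant to run from cron. The table name, file paths
# and the ipdeny URL layout below are assumptions, not taken from the thread.
#
# Matching pf.conf lines for the "only France may reach Apache" case:
#   table <fr_nets> persist file "/etc/pf/fr_nets.zone"
#   block in on $ext_if proto tcp to ($ext_if) port 80
#   pass  in on $ext_if proto tcp from <fr_nets> to ($ext_if) port 80 keep state
set -u

TABLE=fr_nets
ZONE_FILE=/etc/pf/fr_nets.zone
COUNTRIES="${COUNTRIES:-fr}"     # ipdeny uses lowercase ISO country codes
URL_BASE=http://www.ipdeny.com/ipblocks/data/countries

# Keep only lines that look like an IPv4 address or CIDR block, deduplicated.
# pfctl rejects the whole file on a malformed line, so filter before loading.
clean_zone() {
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' | sort -u
}

# Download one zone file per country code and merge them into $1.
# Refuses to overwrite a working file with an empty one (failed download).
build_zone() {  # usage: build_zone outfile cc...
    out=$1; shift
    tmp=$(mktemp) || return 1
    for cc in "$@"; do
        fetch -q -o - "$URL_BASE/$cc.zone" >> "$tmp" || echo "fetch $cc failed" >&2
    done
    clean_zone < "$tmp" > "$out.new"; rm -f "$tmp"
    if [ ! -s "$out.new" ]; then
        echo "empty zone file, keeping the old table" >&2; rm -f "$out.new"; return 1
    fi
    mv "$out.new" "$out"
}

# Replace the live table contents without reloading the whole rule set.
load_table() {  # usage: load_table table file
    pfctl -q -t "$1" -T replace -f "$2"
}

if [ "${1:-}" = "run" ]; then
    # COUNTRIES is intentionally unquoted: it is a space-separated list
    build_zone "$ZONE_FILE" $COUNTRIES && load_table "$TABLE" "$ZONE_FILE"
fi
```

Run it as `sh geoip-table.sh run` from the nightly cron job; `-T replace` swaps the table atomically, so existing states for addresses that remain allowed are not disturbed.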
#12  aragon (Giant Locked), January 14th, 2010, 17:46

You could do it in real time asynchronously with pflogd and a userland app. It would work something like this:

1. Set up a pf rule set with two rules that log: (a) a block rule that blocks source addresses that are added to a pf IP table, (b) an accept rule that matches the first packet of every connection that isn't blocked above.

2. Write a daemon that tails pflogd's log file and does a GeoIP lookup on each block and accept log entry. If the IP is French, remove it from the blocking IP table. If it is non-French, add it to the blocking IP table.
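The two-rule, pflog-driven design above as an added example that is not aragon's code: it reads pflog through tcpdump, looks up each logged source address with geoiplookup, and adds or removes the address from a block table. The table name, rules and the geoiplookup output format are assumptions.

```shell
#!/bin/sh
# Added example (not aragon's code) of the asynchronous design above: watch
# pflog in real time, look up the country of every logged source address, and
# keep a pf block table current. Assumed pf.conf (table name and rules are
# assumptions, not from the thread):
#   table <not_fr> persist
#   block in log quick on $ext_if from <not_fr>
#   pass  in log on $ext_if proto tcp to ($ext_if) port 80 keep state
# country_of wraps geoiplookup(1) (net/GeoIP port) so parsing and decisions are testable offline.
set -u

BLOCK_TABLE=not_fr
ALLOWED_CC="${ALLOWED_CC:-FR}"

# Source IPv4 address from one tcpdump pflog line such as
#   "rule 2/0(match): pass in on em0: 203.0.113.5.51234 > 192.0.2.10.80: Flags [S] ..."
# The field before ">" is "addr.port" for TCP/UDP and a bare address for ICMP.
src_ip_from_line() {
    printf '%s\n' "$1" | awk '
        { for (i = 2; i <= NF; i++) if ($i == ">") {
              n = split($(i - 1), p, ".")
              if (n == 5) print p[1] "." p[2] "." p[3] "." p[4]
              else if (n == 4) print $(i - 1)
              exit
          } }'
}

# Two-letter country code; geoiplookup prints "GeoIP Country Edition: FR, France".
country_of() {
    geoiplookup "$1" | sed -n 's/^GeoIP Country Edition: \([A-Z][A-Z]\),.*/\1/p'
}

# pfctl -T verb for an address from the given country: the allowed country is
# removed from the block table, everything else is added to it.
action_for() {  # usage: action_for country_code
    if [ "$1" = "$ALLOWED_CC" ]; then echo delete; else echo add; fi
}

watch_pflog() {
    # -l line-buffers stdout so each entry reaches the loop as it is logged
    tcpdump -n -e -l -i pflog0 | while read -r line; do
        ip=$(src_ip_from_line "$line")
        [ -n "$ip" ] || continue
        cc=$(country_of "$ip")
        [ -n "$cc" ] || continue     # lookup failed: leave the table unchanged
        pfctl -q -t "$BLOCK_TABLE" -T "$(action_for "$cc")" "$ip"
    done
}

if [ "${1:-}" = "run" ]; then watch_pflog; fi
```

Because the block happens only after the first connection has already been accepted and logged, this is a reactive filter: the first packet from a non-French host gets through, and every later packet is dropped by the block rule.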
#13  Ruler2112 (Member), January 14th, 2010, 23:40

Quote: Originally Posted by Excalibur
I'm sorry, as I'm really new to FreeBSD, does this work with IPFW as well?
The script basically handles the downloading and management of old versions of the file you download, then runs a command to refresh the firewall table. So the script will, but I don't know how to do the ipfw portion of it. You'd have to figure out how to create a table in the firewall, then set the correct variable in the script to whatever shell command updates the firewall table.
#14  sniper007 (Member), March 12th, 2010, 10:16

I figured out this site
http://www.ipaddresslocation.org/ip_...get_ranges.php

is much more accurate (for my country) than ipdeny.

The dark side of this page is its output, because it doesn't create a pure txt file with IP blocks, which would be very useful for writing an update script.