PF GeoIP whitelist or blacklist of states

Killua

New Member


Messages: 9

Hi guys, I can't find anything on the net about GeoIP for PF. I searched a lot but found nothing. I need to block states, or create a whitelist of states that can access the server, so I can make things easier for myself. Could anyone help me?

I'll paste my pf configuration (pf.conf) here at the bottom.

I willingly accept advice on my configuration; I hope you can help me with the GeoIP part.

Code:
# Source and tutorial -  https://www.cyberciti.biz/faq/how-to-set-up-a-firewall-with-pf-on-freebsd-to-protect-a-web-server/
# /usr/local/etc/pf.conf
#
## Set your public interface ##
ext_if="vtnet0"

## Set your server public IP address ##
ext_if_ip="myIP i just removed it"

## Set and drop these IP ranges on public interface ##
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
0.0.0.0/8, 240.0.0.0/4 }"

## Set http(80)/https (443) port here ##
webports = "{https}"

## enable these services ##
int_tcp_services = "{domain, https, ssh}"
int_udp_services = "{domain}"

## Skip loop back interface - Skip all PF processing on interface ##
set skip on lo

## Sets the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked ##
set loginterface $ext_if

### Set default policy ##
#block return in log all
#block out all

set block-policy drop
set debug urgent
set limit { frags 10000, states 30000 }
set optimization normal
set ruleset-optimization none
set state-policy if-bound

# Deal with attacks based on incorrect handling of packet fragments
scrub in all

# Drop all Non-Routable Addresses
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians

## Blocking spoofed packets
antispoof quick for $ext_if

# Open SSH port which is listening on port 22 from VPN 139.xx.yy.zz Ip only
# I do not allow or accept ssh traffic from ALL for security reasons
#pass in quick on $ext_if inet proto tcp from 139.xxx.yyy.zzz to $ext_if_ip port = ssh flags S/SA keep state label "USER_RULE: Allow SSH from 139.xxx.yyy.zzz"
## Use the following rule to enable ssh for ALL users from any IP address #
pass in inet proto tcp to $ext_if port ssh
### [ OR ] ###
## pass in inet proto tcp to $ext_if port 22

# Allow Ping-Pong stuff. Be a good sysadmin
pass inet proto icmp icmp-type echoreq

# All access to our Nginx/Apache/Lighttpd Webserver ports
#pass proto tcp from any to $ext_if port $webports

# Allow essential outgoing traffic
#pass out quick on $ext_if proto tcp to any port $int_tcp_services
pass out quick on $ext_if proto udp to any port $int_udp_services

# Add custom rules below
# Note: the interface macro must be expanded with "$"; a bare "ext_if" is
# taken by pf as a literal interface name, not the vtnet0 defined above.
pass in on $ext_if inet proto tcp from any to $ext_if_ip port 3000 flags S/SA synproxy state (max-src-conn 5)
pass in on $ext_if inet proto tcp from any to $ext_if_ip port 3066 flags S/SA synproxy state (max-src-conn 5)

#pass in proto tcp from any to any port 3000
#pass in proto tcp from any to any port 3066

# vim: set ft=pf

Thanks guys
 

trev

Aspiring Daemon

Reaction score: 257
Messages: 973

I don't use GeoIP, but as an alternative, I downloaded IP address lists for certain countries to block with ipfw.

Code:
# block all [country] IPs from table(2)
ipfw -q add deny ip from 'table(2)' to any

etc.

Script executed by rc scripts at boot:

Code:
#!/bin/sh
/usr/bin/logger "Loading firewall with table 2 <country> IPs"

for ip in <list of ips eg 0.0.0.0/16>
do 
        /sbin/ipfw -q table 2 add ${ip} 
done 

/usr/bin/logger "Loaded firewall with table 2 IPs"
 
Killua (OP)

New Member


Messages: 9

I just need to block states by name, like I do with Cloudflare, or create a whitelist of states that can access the server.

 
Killua (OP)

New Member


Messages: 9


I have this problem...

I found this https://www.ipdeny.com/ipblocks/ but I don't know how I can use it with pf.conf.

I need something like this https://eggplant.pro/blog/blocking-tcpip-traffic-by-country-with-pf/ but with .zone files,

like:

Code:
Block from
file "/etc/pf_tables/output/cidr_v4_ru.txt" \
file "/etc/pf_tables/output/cidr_v6_ru.txt" \
file "/etc/pf_tables/output/cidr_v4_cn.txt" \
file "/etc/pf_tables/output/cidr_v6_cn.txt" \

to block all the IPs contained in these files, both IPv4 and IPv6.

the text contained in the .zone files would be similar to this

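One way to do what the post above asks for, as an added example that is not from the thread or from pf's documentation: merge ipdeny-style .zone files (one CIDR per line) into a single table file, emit the pf.conf lines that load it as a persistent table, and reload the table without touching the rest of the ruleset. The path /etc/pf_tables, the table name <geoblock> and the constructed sample .zone contents are assumptions.

```sh
#!/bin/sh
# Added example: build a pf table from ipdeny-style .zone files.
# Assumed layout: /etc/pf_tables/<cc>.zone -> /etc/pf_tables/geoblock.txt

# Merge any number of .zone files into one table file: strip comments and
# whitespace, keep only lines that look like IPv4 or IPv6 CIDRs, dedupe.
# Prints the number of entries written.
merge_zone_files() {
    out="$1"; shift
    cat "$@" 2>/dev/null \
      | sed -e 's/#.*//' -e 's/[[:space:]]//g' \
      | grep -E '^([0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}|[0-9A-Fa-f:]+/[0-9]{1,3})$' \
      | sort -u > "$out"
    wc -l < "$out" | tr -d ' '
}

# pf.conf fragment that references the merged file. "quick" matters: pf is
# last-match-wins, so a block without it is overridden by the later
# "pass in ... port 3000" rules and the blocked country still reaches the port.
pf_rules() {
    cat <<EOF
table <geoblock> persist file "$1"
block drop in quick on \$ext_if from <geoblock> to any
# whitelist variant instead of the block above: allow only listed countries
# table <geoallow> persist file "$1"
# block drop in quick on \$ext_if proto tcp from ! <geoallow> to \$ext_if_ip port { 3000, 3066 }
EOF
}

# Replace the live table contents after the file was rebuilt (run as root on
# a pf host; not executed in the demo below).
reload_table() { pfctl -t geoblock -T replace -f "$1"; }

# Self-contained demo on constructed .zone files in a temp dir.
demo() {
    tmp=$(mktemp -d)
    printf '23.132.144.0/24\n# comment line\n69.50.64.0/20\nbogus\n' > "$tmp/ru.zone"
    printf '2a00::/12\n23.132.144.0/24\n' > "$tmp/ru6.zone"
    merge_zone_files "$tmp/geoblock.txt" "$tmp/ru.zone" "$tmp/ru6.zone"
}
```

Run `pf_rules /etc/pf_tables/geoblock.txt` to get the lines to paste near the top of pf.conf (before the pass rules), then `merge_zone_files` plus `reload_table` from cron whenever the .zone files are refreshed; `pfctl -t geoblock -T show` confirms the table actually loaded.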
 
Killua (OP)

New Member


Messages: 9

Nothing, I did it successfully, but from a Russian IP I can still see port 443 etc., so I think it's not blocked. Thanks anyway, very kind of you.
 

Trihexagonal

Daemon

Reaction score: 1,642
Messages: 2,209

Killua said:
    I found this https://www.ipdeny.com/ipblocks/ but I don't know how I can use it with pf.conf.
    I need something like this https://eggplant.pro/blog/blocking-tcpip-traffic-by-country-with-pf/ but with .zone files.

rigoletto@ explains how to pull in .zone files for Country Block to use with pf:

 
Killua (OP)

New Member


Messages: 9

Nothing, I haven't solved it yet; I've tried everything, but nothing works.
 