PF GeoIP whitelist or blacklist of states

Hi guys, I can't find anything on the net about GeoIP for PF. I searched a lot but found nothing. I need to block states or create a whitelist of states that can access the server, so I can make things easier for myself. Could anyone help me?

I'm placing my PF configuration, which is pf.conf, here at the bottom.

I'll gladly accept advice on my configuration; I hope you can help me with the GeoIP.

Code:
# Source and tutorial -  https://www.cyberciti.biz/faq/how-to-set-up-a-firewall-with-pf-on-freebsd-to-protect-a-web-server/
# /usr/local/etc/pf.conf
#
## Set your public interface ##
ext_if="vtnet0"

## Set your server public IP address ##
ext_if_ip="myIP i just removed it"

## Set and drop these IP ranges on public interface ##
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
0.0.0.0/8, 240.0.0.0/4 }"

## Set http(80)/https (443) port here ##
webports = "{https}"

## enable these services ##
int_tcp_services = "{domain, https, ssh}"
int_udp_services = "{domain}"

## Skip loop back interface - Skip all PF processing on interface ##
set skip on lo

## Sets the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked ##
set loginterface $ext_if

### Set default policy ##
#block return in log all
#block out all


set block-policy drop
set debug urgent
set limit { frags 10000, states 30000 }
set loginterface $ext_if
set optimization normal
set ruleset-optimization none
set skip on lo
set state-policy if-bound

# Deal with attacks based on incorrect handling of packet fragments
scrub in all

# Drop all Non-Routable Addresses
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians

## Blocking spoofed packets
antispoof quick for $ext_if

# Open SSH port which is listening on port 22 from VPN 139.xx.yy.zz Ip only
# I do not allow or accept ssh traffic from ALL for security reasons
#pass in quick on $ext_if inet proto tcp from 139.xxx.yyy.zzz to $ext_if_ip port = ssh flags S/SA keep state label "USER_RULE: Allow SSH from 139.xxx.yyy.zzz"
## Use the following rule to enable ssh for ALL users from any IP address #
pass in inet proto tcp to $ext_if port ssh
### [ OR ] ###
## pass in inet proto tcp to $ext_if port 22

# Allow Ping-Pong stuff. Be a good sysadmin
pass inet proto icmp icmp-type echoreq

# All access to our Nginx/Apache/Lighttpd Webserver ports
#pass proto tcp from any to $ext_if port $webports

# Allow essential outgoing traffic
#pass out quick on $ext_if proto tcp to any port $int_tcp_services
pass out quick on $ext_if proto udp to any port $int_udp_services

# Add custom rules below
# Note the "$": without it PF would look for an interface literally named "ext_if"
pass in on $ext_if inet proto tcp from any to $ext_if_ip port 3000 flags S/SA synproxy state (max-src-conn 5)
pass in on $ext_if inet proto tcp from any to $ext_if_ip port 3066 flags S/SA synproxy state (max-src-conn 5)

#pass in proto tcp from any to any port 3000
#pass in proto tcp from any to any port 3066

# vim: set ft=pf

Thanks guys
 
I don't use GeoIP, but as an alternative, I downloaded IP address lists for certain countries to block with ipfw.

# block all [country] IPs from table(2)
ipfw -q add deny ip from 'table(2)' to any
etc

Script executed by rc scripts at boot:

Code:
#!/bin/sh
# ZONE is the downloaded country list, one prefix per line
# (the path below is a placeholder; adjust it to where the list is kept)
ZONE="/usr/local/etc/ipfw/country.zone"

/usr/bin/logger "Loading firewall with table 2 <country> IPs"

# skip blank lines and comments, add every remaining prefix to table 2
grep -Ev '^[[:space:]]*(#|$)' "${ZONE}" | while read -r ip
do
        /sbin/ipfw -q table 2 add "${ip}"
done

/usr/bin/logger "Loaded firewall with table 2 IPs"
 
Do you really need the granularity of states, or would blocking/accepting IPs by country code be sufficient for your application? In the latter case you might want to have a look at sysutils/ipdbtools. The man file ipdbtools(1) explains how to use it. I use it for generation of tables for ipfw(8). I don't know much about PF. I was told that it can utilize tables as well; however, you would need to find this out yourself.
 
I just need to block states by name, like I do with Cloudflare, or create a whitelist of states that can access the server.

 
state != country

Examples:
  • Country = USA; States = Florida, California, Nevada, Alaska, ...; all country code = US
  • Country = Brazil; States = Amazonas, Mato Grosso, Paraná, São Paulo, ... ; all country code = BR
  • Country = Germany; States = Hessen, Bayern, Niedersachsen, Thüringen, ...; all country code = DE
  • ...
So what do you need? Distinguish by countries or by states? In case of countries, have a look at sysutils/ipdbtools.
 

I have this problem...

I found this https://www.ipdeny.com/ipblocks/ but I don't know how I can use it with pf.conf.

I need something like this https://eggplant.pro/blog/blocking-tcpip-traffic-by-country-with-pf/ but with .zone files,

like
Code:
table <country_block> persist \
        file "/etc/pf_tables/output/cidr_v4_ru.txt" \
        file "/etc/pf_tables/output/cidr_v6_ru.txt" \
        file "/etc/pf_tables/output/cidr_v4_cn.txt" \
        file "/etc/pf_tables/output/cidr_v6_cn.txt"
block in quick from <country_block>

to block all the IPs contained in these files, both IPv4 and IPv6.

The text contained in the .zone files would be similar to this:

23.132.144.0/24
69.50.64.0/20
69.57.224.0/19
76.76.160.0/19
162.210.156.0/22
162.222.84.0/22
162.252.188.0/22
192.64.120.0/22
199.16.56.0/22
199.48.204.0/22
199.189.112.0/22
204.16.112.0/22
205.217.224.0/19
206.83.13.0/24
206.214.0.0/19
208.83.80.0/21
209.59.64.0/18
216.48.96.0/22
 
sysutils/ipdbtools has no vulnerabilities. Your ports tree has been outdated for more than a year.

Do:
# portsnap fetch update
# cd /usr/ports/sysutils/ipdbtools; make distclean
# make install clean
# ipdb-update.sh
# ipup -4 -pt ru > cidr_v4_ru.txt
# ipup -6 -pt ru > cidr_v6_ru.txt
# ipup -4 -pt cn > cidr_v4_cn.txt
# ipup -6 -pt cn > cidr_v6_cn.txt
 
Nothing. I did it successfully, but from a Russian IP I can still see port 443 etc., so I think it's not blocked. Thanks anyway, very kind.
 
I found this https://www.ipdeny.com/ipblocks/ but I don't know how I can use it with pf.conf.

I need something like this https://eggplant.pro/blog/blocking-tcpip-traffic-by-country-with-pf/ but with .zone files.

rigoletto@ explains how to pull in .zone files for Country Block to use with pf:

 
Thanks, this was useful. I did a quick check of an IP in an IP block list I generated, and I was unable to ping it using the simple setup below:
Code:
table <country_block>
block out quick on wan to <country_block>

pfctl -t country_block -T replace -f /tmp/geoblock

I need to refine this some to my liking, but it works and that is good to know. I want to invert my match such that if the traffic is going to something other than what is permitted, then it will be blocked. My whitelist would be much smaller than a blacklist I think.
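The table-based setup in this last post and the earlier request to feed .zone files (or the cidr_v4_*/cidr_v6_* files from ipup) into pf.conf, put together as an added example that is not code from any post in this thread: a POSIX sh script that merges per-country prefix lists into one table file, loads it with pfctl -T replace, checks an address against the live table, and prints the pf.conf lines for either a country blocklist or a country allowlist (the inverted match asked for above). The table names country_block/country_allow, the /etc/pf_tables paths, the interface vtnet0 and the ports 3000/3066 come from the thread or are assumed for illustration. Generating the cidr files alone changes nothing: PF only drops traffic once a table is loaded from them and a block rule references that table, and pfctl -t ... -T test is the quick way to confirm an address is actually covered.

```shell
#!/bin/sh
# Added example for this thread (not code from any post above).
# Merge per-country prefix lists into one PF table file, load it with
# pfctl, and print the pf.conf lines that use the table.
# Assumed input layout: one prefix per line, IPv4 and IPv6 mixed, as in
# the ipdeny .zone files or the "ipup -pt <cc>" output shown above.

# Keep only lines that look like an IPv4 or IPv6 prefix. Comments, blank
# lines and junk are dropped so one bad line cannot make pfctl reject the
# whole table load.
filter_cidrs() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$|^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*(/[0-9]{1,3})?$'
}

# build_table_file OUT FILE...  -> writes the merged, de-duplicated list
# to OUT and prints the number of prefixes it contains.
build_table_file() {
    out="$1"; shift
    cat "$@" | filter_cidrs | sort -u > "$out"
    wc -l < "$out" | tr -d ' '
}

# load_table TABLE FILE -> swap the live table contents in one step; the
# ruleset itself does not need to be reloaded for this.
load_table() {
    pfctl -t "$1" -T replace -f "$2"
}

# in_table TABLE ADDR -> exit 0 if ADDR is covered by a prefix in TABLE
# (pfctl -T test reports "1/1 addresses match." on a hit).
in_table() {
    pfctl -t "$1" -T test "$2" 2>/dev/null | grep -q '^1/1 addresses match'
}

# pf_rules MODE TABLE IF -> print the pf.conf fragment for MODE "block"
# (drop everything from the listed countries) or "allow" (only the listed
# countries may reach the two service ports from the original pf.conf).
# "persist" keeps the table across ruleset reloads even when it is empty;
# with no "inet"/"inet6" keyword the rule covers both address families.
# The "allow" rule is "quick", so it must come before the pass rules.
pf_rules() {
    case "$1" in
    block)
        cat <<EOF
table <$2> persist file "/etc/pf_tables/$2.txt"
block in quick on $3 from <$2> to any
EOF
        ;;
    allow)
        cat <<EOF
table <$2> persist file "/etc/pf_tables/$2.txt"
block in quick on $3 proto tcp from ! <$2> to $3 port { 3000, 3066 }
EOF
        ;;
    *)
        echo "usage: pf_rules block|allow TABLE IF" >&2
        return 1
        ;;
    esac
}

# Usage on the firewall itself (as root), e.g.
#   sh geotable.sh country_block /etc/pf_tables/country_block.txt ru.zone cn.zone
# Put the output of "pf_rules block country_block vtnet0" into pf.conf,
# reload with "pfctl -f /usr/local/etc/pf.conf", and re-run the script
# from cron whenever the .zone files are refreshed.
main() {
    table="$1"; out="$2"; shift 2
    n=$(build_table_file "$out" "$@")
    load_table "$table" "$out"
    /usr/bin/logger "pf table $table replaced with $n prefixes"
}

if [ $# -ge 3 ]; then
    main "$@"
fi
```

For the whitelist variant, load the countries that may connect into country_allow and use `pf_rules allow country_allow vtnet0`; everything not in the table is then dropped before it reaches the pass rules for ports 3000 and 3066. Keep the address you administer from in the allow table, or add a separate pass rule for it, before switching modes.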
 