(Solved) pfBlocker-NG (pfsense) to block IP ranges/countries?

pfsense

#1

Has anyone here set up pfBlocker-NG to block IP ranges/countries? I just tried to do that following this video tutorial (blocking all inbound and outbound traffic), however, I’m still able to access websites like life.ru, pikabu.ru, drom.ru, and quite a few others on this list. pfBlocker-NG appears to be partially working though, because, for example, I can’t access yandex.ru through pfSense, but I can on my mobile phone (not connected to wifi).

What’s the reason that certain websites are not blocked? Is it because of CDN (Content Delivery Networks), hosted in different countries (outside of my specified country block list), which then forward data from, for example, life.ru, to me?

I’m really hoping to block quite a few countries which I rarely/never expect to need to send/receive traffic to/from, such as Russia, China, Hong Kong (has its own list in pfBlocker-NG), India, Vietnam, Ukraine, and a few more, as a way to minimize the attack surface of my network.

Thanks!


#2

Geoblocking is far from 100% reliable for the reasons you suggested but also because the internet doesn’t really work that way. Plus the free lists that you’re using aren’t as good as the paid ones.


#3

So I guess subnets aren’t a good way of determining which country an IP address belongs to (as do phone number country codes)?

How I was thinking it worked is that, for example, 74.23.*.*, would be associated with a certain country, and that all subnets under it would be sold off to only people of that country, similarly to how most/all phone numbers starting with the country code of +61 are for Australia, or maybe similarly to area codes (ex. 04 for Australian mobile phones).

I guess for IP addresses, it’s very random, and has no set pattern, as phone numbers do?


#4

The internet is a logical network, there’s no relationship between an IP address and its physical location, and countries have no say over how IP addresses are assigned. The best you can do is use blocks of IPs owned by ISPs in a country, but that won’t be that useful for blocking websites because a website can be hosted anywhere in the world. Geoblocking is really only useful for preventing people in certain countries from connecting to you, but even then you’re relying on a list of IP blocks owned by ISPs in that country, which someone has to compile and maintain, and even then it’s not 100% accurate.

For blocking outbound connections to websites you’re better off using DNS blocking to block the domain name rather than the IP. You can do that using DNSBL in pfblocker.
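
Added example, not part of the thread and not pfBlockerNG code: it contrasts the two checks discussed above, a country CIDR list applied to the destination address versus a block on the queried domain name. The host names, the CIDR lists (documentation address ranges), the canned DNS answers and the suffix list are all constructed assumptions so that it runs offline.

```python
import ipaddress

# Constructed sample data (documentation address ranges, not real allocations).
COUNTRY_CIDRS = {
    "RU": ["192.0.2.0/24"],
    "CN": ["198.51.100.0/25"],
}
# Constructed stand-in for DNS answers, so the example runs offline.
RESOLVED = {
    "portal.example.ru": "192.0.2.10",     # hosted inside a listed block
    "news.example.ru": "203.0.113.7",      # served from a CDN outside it
    "shop.example.com": "198.51.100.200",  # just outside the listed /25
}
BLOCKED_COUNTRIES = {"RU", "CN"}
BLOCKED_SUFFIXES = {"ru"}  # hypothetical domain-suffix block list


def build_networks(countries):
    """Flatten the per-country CIDR lists into (country, network) pairs."""
    return [(cc, ipaddress.ip_network(cidr))
            for cc in sorted(countries) for cidr in COUNTRY_CIDRS.get(cc, [])]


def ip_verdict(host, networks):
    """Firewall-style check: only the destination address is visible."""
    addr = ipaddress.ip_address(RESOLVED[host])
    for cc, net in networks:
        if addr in net:
            return f"block ({cc} {net})"
    return "allow"


def dns_verdict(host, suffixes):
    """Resolver-style check: match the queried name, wherever it is hosted."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:
            return "block (name)"
    return "allow"


def compare():
    """Return {host: (ip-list verdict, name verdict)} for the sample hosts."""
    nets = build_networks(BLOCKED_COUNTRIES)
    return {h: (ip_verdict(h, nets), dns_verdict(h, BLOCKED_SUFFIXES))
            for h in RESOLVED}


if __name__ == "__main__":
    for host, (by_ip, by_name) in compare().items():
        print(f"{host:20} ip-list: {by_ip:26} dns: {by_name}")
```

The second host is the case from the first post: its name falls under a blocked suffix, but its address sits outside every listed block, so only the name-based check catches it.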