Maxmind License Key Pfsense


Gene Cryder

Aug 5, 2024, 2:59:10 PM8/5/24
to kingmomalpe
Given recent events, I've gotten a flood of calls from clients who want to start blocking egress traffic to specific countries, or block ingress traffic from specific countries (or both). This seems like something the more "aware" organizations tried quite a while back, and in many cases they tried it and gave it up as not very effective. But just this last week we've been seeing a flood of folks who are thinking about it as something they need to do NOW. In many cases, depending on your hardware and licensing, it's as simple as a few tickboxes or lines in an ACL. Even freely available firewalls such as pfSense do a good job of this, using MaxMind (look at pfBlockerNG for pfSense).

However, if your hardware doesn't support using a feed or an API interface for a tool like MaxMind, what can you do? The tricky part of geo-blocking is that it's an ever-shifting landscape: your list of subnets that are "assigned" to any given country will change daily. Also, saying "block Russia" is not terribly effective. If you want to block any given country, you should consider that the target country will have a list of allies that might host attacks or "phone home" servers. More importantly, if an attacker is any good, they simply won't source any of their attacks from their own personal or corporate addresses, or from any IPs that are in their country. Really, you can host most attacks for pennies on most cloud platforms.


All that being said, we still need to deal with these requests from Sr Management to "block Russia". Understand going in that you likely won't be able to convince them it's a bad idea. So to save time, let's script this so you can get it off your list quickly! We'll do this in Windows / PowerShell since that's a bit more accessible than Linux and/or Python - sorry, I didn't mean to bring religion into this :-) , but you can run the PowerShell script on your Linux desktop too if you want.


With everything discussed, let's say you're going to proceed with blocking country X. MaxMind still has free lists of subnets-per-country that you can download as CSVs (their GeoLite2 list). The files are dated so you can easily tell how fresh your data is - in this example I'm working with GeoLite2-Country-CSV_20220215.csv.


Taking a quick look, those are pretty hefty ACLs. You can certainly apply this on most reasonable gear, but it's going to make your config files a bit unwieldy, and while it will run fine, it'll certainly affect your memory and CPU. Especially given the caveats we discussed earlier, this isn't going to be terribly effective!


Where to go from here? You can cut/paste the ACLs as-is into your ASA, then apply them to the appropriate inbound/outbound interface(s). To streamline it, you could easily script the download using MaxMind's API (dev.maxmind.com), and while you're at it you could update to the more accurate GeoIP2 list.


At the other end, you can apply the ACL using common automation tools such as SolarWinds' CatTools, Posh-SSH in PowerShell, or netmiko or paramiko in Python. Expect is another tried-and-true option. Frameworks like Ansible, Salt, Puppet, Chef or Terraform let you expand your automation to more complex functions, and they will also tend to protect your firewall credentials better than a plain-text script.


Starting December 30, 2019, downloads will no longer be served from our public GeoLite2 page, from geolite.maxmind.com/download/geoip/database/*, or from any other public URL. See the section below for steps on how to migrate to the new download mechanism.


I have an old version of the GeoIP database and a few more files copied to my new system, and now GeoIP Block seems to work.

I do not know if I copied all the right files, and I will keep this router for a while as a test system until there is a solution from the developers.


Ntopng is a great tool for diagnosing and monitoring your network. It is available on the pfSense firewall through the built-in package manager. Unfortunately, the pfSense port of the ntopng package that is installed through the GUI package manager has been broken for a long time. In the latest pfSense 2.5 release they updated ntopng to 4.2, which is great, but it contains a lot of bugs: sometimes ntopng keeps restarting on its own, other times it seems very slow, and I personally faced an issue where, whenever an ntopng service restart occurs, all of the package's config gets wiped out, so any modifications you make, like renaming an interface or adding alert endpoints and recipients, are lost on the next service restart. Also, in the previous version of pfSense, which had ntopng 3.8, geolocation data was not being reported correctly. All of this makes it unusable in production environments.


Probably the best way to set up ntopng is to separate it from the firewall and use a dedicated box to record and analyze network traffic via a port mirror. However, sometimes you are in a situation where a separate machine is not feasible, or the firewall box you are using is powerful enough to take on an active network monitoring function as well.


First of all, you need to decide whether you are comfortable using the official but unstable ntopng development build from the original author's package repository (packages.ntop.org), or the official stable FreeBSD port maintained by the FreeBSD developer madpilot (pkg.freebsd.org). The one in the FreeBSD repo sometimes falls too far behind development, but unfortunately ntop.org does not provide a stable build, only a development snapshot (at the time of this writing).


If you choose the stable build from pkg.freebsd.org, then, since pfSense uses pkg.freebsd.org by default, you do not need to add any additional sources (before relying on this, confirm which repositories your install actually points at by looking in /usr/local/etc/pkg/repos/). All you need to do is install ntopng and redis. To do that, connect to your pfSense using SSH, or use the console and open the shell prompt.


After installing ntopng and redis, you need to make them run automatically on boot. The way we do this is by using a package called Shellcmd, which is available in the pfSense package manager. Simply head over to the System menu, then Package Manager, and install Shellcmd. Once installed, go to the Services menu, then Shellcmd, and add entries to start redis and ntopng on system boot (redis first, since ntopng needs it running).


Unfortunately, there is no pre-built geoipupdate package for FreeBSD, so you will have to download and update the databases manually, or you could look up scripts online that automate downloading the databases from MaxMind for you. "/usr/local/share/ntopng/httpdocs/geoip" is where to put the downloaded database files.


Now comes the part where you modify the startup script for ntopng to add whatever options you need. Edit the file located at "/usr/local/etc/rc.d/ntopng" using any text editor, go to the line that starts with "command_args=" and add the arguments you need. You can refer to the official ntop docs here: ( _options.html).


Ntopng is not designed to be used as an aggregator of network traffic data over long periods of time; instead, it is best used for live traffic monitoring. That is why, if you want to keep network traffic data for retention, it is best to export flows to other databases that are more efficient at storing them over longer periods.




Another thing to note: if you want to enable HTTPS for the ntopng access portal, after adding the command option --https-port "[port_number]", ntopng tries to find an SSL certificate but does not find any. The easiest way to correct this is to find the provided dummy certificate and rename it so that it ends in .pem. The dummy cert is located at "/usr/local/share/ntopng/httpdocs/ssl/ntopng-cert.pem.dummy". Treat it as a placeholder only: its private key ships with the package, so once the portal comes up over HTTPS, replace it with a certificate issued for the host.


In this blog post I will show you how to set up pfBlockerNG python mode with pfSense. Nearly a year ago I made a blog post here explaining why I was moving away from pfBlockerNG to Pi-hole. The main reason was that pfBlockerNG could not show all the blocked DNS requests. This made it difficult to troubleshoot why some app or IoT device was not working properly. Read my blog post here for all the details.


Before you start configuring pfBlockerNG, make sure your pfSense firewall runs fine and the internet is working as expected for all the devices on your network. If this is the case, continue by making a backup of this running setup. It is always a good idea to have a backup before making changes. To do this, go to Diagnostics -> Backup & Restore and click on Download configuration as XML. Save this file in a secure place.


Then go to System -> Package Manager -> Available Packages and search for pfBlockerNG. This part is very important: you need to install the pfBlockerNG-devel package. Click on the green Install button next to pfBlockerNG-devel to install the package. After installing the package it should be in the list of Installed Packages.


Before you start, you should know that using the new python mode requires you to disable some settings in the Unbound DNS Resolver (if you are using it in pfSense). Disable the following options in the Unbound Resolver:


Next is Inbound Firewall Rules. These apply to any interface used to bring internet traffic into your network. Here you select your WAN interface, and if you have VPN client connections going to your VPN provider, select those here too. I use several VPN connections to VPN providers, and those interface names end with _WAN. The screenshot below shows what I have selected here:


Next is Outbound Firewall Rules. These apply to any interface on your local network. I have several local networks, like a guest and a test-lab network. I am running an OpenVPN server on pfSense and I treat that network as a local network as well. Here are my settings:


To configure the DNSBL settings click on the DNSBL tab. There are a lot of options here and this can be overwhelming. These are the settings I have enabled or configured and I think this should give you a good starting point:

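The MaxMind notice above says the old public download URLs are gone, and the ntopng section says the databases have to be fetched by hand into /usr/local/share/ntopng/httpdocs/geoip. The following is an added example, not code from the post, from ntop or from MaxMind, of a small updater that does that fetch with a license key. It uses the MaxMind download permalink with the edition_id, license_key and suffix query parameters as documented on dev.maxmind.com; that the matching checksum file (suffix tar.gz.sha256) is in sha256sum layout is an assumption to confirm against the current docs. The edition IDs, the MAXMIND_LICENSE_KEY environment variable name and the .tmp-then-rename install step are my choices. The sample tarball built by make_sample_archive is constructed so the extraction path can be checked offline; it is not a real database.

```python
import hashlib
import io
import os
import tarfile
import tempfile
import urllib.parse
import urllib.request

# Assumptions (not from the post): edition IDs and the permalink format documented at
# dev.maxmind.com. The destination directory is the one the post names for ntopng.
NTOPNG_GEOIP_DIR = "/usr/local/share/ntopng/httpdocs/geoip"
EDITIONS = ("GeoLite2-Country", "GeoLite2-City", "GeoLite2-ASN")
PERMALINK = "https://download.maxmind.com/app/geoip_download"


def build_download_url(edition_id: str, license_key: str, suffix: str = "tar.gz") -> str:
    """Permalink for one edition; suffix 'tar.gz.sha256' fetches the matching checksum file."""
    query = urllib.parse.urlencode(
        {"edition_id": edition_id, "license_key": license_key, "suffix": suffix}
    )
    return f"{PERMALINK}?{query}"


def verify_sha256(archive: bytes, sha256_text: str) -> bool:
    """Checksum file assumed to be in sha256sum layout: '<hex>  <filename>'."""
    expected = sha256_text.split()[0].lower()
    return hashlib.sha256(archive).hexdigest() == expected


def extract_mmdb(archive: bytes, dest_dir: str) -> list:
    """Write every .mmdb in the tarball into dest_dir. Only the base name of each member
    is used, so a member path containing '../' cannot escape dest_dir. Each file is
    written under a temporary name and renamed into place, so ntopng never opens a
    half-written database."""
    written = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            name = os.path.basename(member.name)
            if not member.isfile() or not name.endswith(".mmdb"):
                continue
            data = tar.extractfile(member).read()
            final = os.path.join(dest_dir, name)
            tmp = final + ".tmp"
            with open(tmp, "wb") as fh:
                fh.write(data)
            os.replace(tmp, final)
            written.append(name)
    return written


def fetch(url: str) -> bytes:
    with urllib.request.urlopen(url, timeout=60) as resp:
        return resp.read()


def update_databases(license_key: str, dest_dir: str = NTOPNG_GEOIP_DIR, editions=EDITIONS) -> dict:
    """Download, verify and install each edition; returns {edition: [files written]}."""
    installed = {}
    for edition in editions:
        archive = fetch(build_download_url(edition, license_key))
        digest = fetch(build_download_url(edition, license_key, "tar.gz.sha256")).decode()
        if not verify_sha256(archive, digest):
            raise RuntimeError(f"{edition}: checksum mismatch, refusing to install")
        installed[edition] = extract_mmdb(archive, dest_dir)
    return installed


def make_sample_archive() -> bytes:
    """Constructed stand-in for a MaxMind tarball (a few bytes, not a real database)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, payload in (
            ("GeoLite2-Country_20220215/COPYRIGHT.txt", b"not a database"),
            ("GeoLite2-Country_20220215/GeoLite2-Country.mmdb", b"MMDB-SAMPLE"),
        ):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def demo_extract() -> tuple:
    """Offline check of the install path using the constructed archive."""
    dest = tempfile.mkdtemp()
    names = extract_mmdb(make_sample_archive(), dest)
    with open(os.path.join(dest, "GeoLite2-Country.mmdb"), "rb") as fh:
        payload = fh.read()
    return names, payload


if __name__ == "__main__":
    key = os.environ.get("MAXMIND_LICENSE_KEY")  # keep the key out of the script itself
    if key:
        print(update_databases(key))
    else:
        print(demo_extract())
```

The key travels in the query string of the permalink, so it will appear in any outbound proxy log and in shell history if passed on the command line; read it from the environment or a root-only file rather than pasting it into the script, and give it only the read permissions the download needs. To keep the databases current on pfSense, run the script from cron with the key in the environment and restart ntopng afterwards, since ntopng only reads the .mmdb files at startup.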