This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Foreign Country Block includes USA IP by mistake

Any way that I can manually edit the country block IP list?
How do I see this list?

"Craigslist.org" is on the foreign country block list (Non USA)

It is incorrectly added  208.82.238.72 in one of the countries.

13:54:01   Reply from 208.82.238.72 about A-record for ns2p.craigslist.org:
13:54:01   -> Answer: A-record for ns2p.craigslist.org = 208.82.236.175
13:54:01   -> Authority: NS-record for craigslist.org = ns1p.craigslist.org
13:54:01   -> Authority: NS-record for craigslist.org = ns1f.craigslist.org
13:54:01   -> Authority: NS-record for craigslist.org = ns2p.craigslist.org
13:54:01   -> Authority: NS-record for craigslist.org = ns2f.craigslist.org
13:54:01   -> Additional: A-record for ns1f.craigslist.org = 208.82.238.71
13:54:01   -> Additional: A-record for ns1p.craigslist.org = 208.82.236.174
13:54:01   -> Additional: A-record for ns2f.craigslist.org = 208.82.238.72

This thread was automatically locked due to age.

0 BarryG over 14 years ago

Hi, can you post the packetfilter log showing the block?

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 MikeinNYC over 14 years ago in reply to BarryG

When Country block is on (all Blocked except USA)
I get the following below: 199.X.X.X
when off I get 208.82.x.x the correct IP range?

Flushed DNS to fix this. Now resolves correctly. Note I use "two internal DNS" servers one Astaro which when country block is on happens to blocks another dns resolver. That took some time but i just figured it out.

Basically, I needed a solution that would filter out all financial ADS. (Hate em all). Rather than manually create them one by one and impliment them into the packet filter (Hint cut and paste next feature [:)]) I use another DNS and load up my ad blocks. see below "Blocked Ads URLS" and my "Regular Expression Block"

0:37:25   Started plug-in "HTTP Redirector1"
20:37:25   Started plug-in "Blocked Ads URLS"
20:37:25   Sending request to 192.228.79.201 (b.root-servers.net) for A-record for edns0.test (EDNS0 probe)
20:37:25   Started plug-in "Regular Expression Block"
20:37:25   Reply from 192.228.79.201 about A-record for edns0.test:
20:37:25   -> Header: Non-Existent Domain

19:39:34   Sending request to 199.19.57.1 (d0.org.afilias-nst.org) for A-record for ns2p.craigslist.org
19:39:34   Sending request to 199.249.112.1 (a2.org.afilias-nst.info) for A-record for ns2p.craigslist.org
19:39:35   Sending request to 199.19.54.1 (b0.org.afilias-nst.org) for A-record for ns2p.craigslist.org
19:39:35   Sending request to 199.19.53.1 (c0.org.afilias-nst.info) for A-record for ns2p.craigslist.org
19:39:36   Sending request to 199.249.120.1 (b2.org.afilias-nst.org) for A-record for ns2p.craigslist.org
19:39:36   Sending request to 199.19.56.1 (a0.org.afilias-nst.info) for A-record for ns2p.craigslist.org
19:39:37   Sending request to 199.19.53.1 (c0.org.afilias-nst.info) for A-record for ns2p.craigslist.org
19:39:37   Sending request to 199.249.112.1 (a2.org.afilias-nst.info) for A-record for ns2p.craigslist.org
19:39:38   Sending request to 199.19.57.1 (d0.org.afilias-nst.org) for A-record for ns2p.craigslist.org
19:39:38   Sending request to 199.19.54.1 (b0.org.afilias-nst.org) for A-record for ns2p.craigslist.org
19:39:39   Sending request to 199.19.56.1 (a0.org.afilias-nst.info) for A-record for ns2p.craigslist.org
19:39:39   Sending request to 199.249.120.1 (b2.org.afilias-nst.org) for A-record for ns2p.craigslist.org
19:39:40   Sending request to 199.249.112.1 (a2.org.afilias-nst.info) for A-record for ns2p.craigslist.org
19:39:40   Sending request to 199.249.120.1 (b2.org.afilias-nst.org) for A-record for ns2p.craigslist.org
19:39:41   Sending request to 199.19.57.1 (d0.org.afilias-nst.org) for A-record for ns2p.craigslist.org
19:39:41   Sending request to 199.19.56.1 (a0.org.afilias-nst.info) for A-record for ns2p.craigslist.org

Address lookup
canonical name d0.org.afilias-nst.org.
aliases
addresses 2001:500:f::1
199.19.57.1

Domain Whois record
Queried whois.publicinterestregistry.net with "afilias-nst.org"...

Domain ID[[[[[[[:D]]]]]]]125269055-LROR
Domain Name:AFILIAS-NST.ORG
Created On:30-Jun-2006 15:36:58 UTC
Last Updated On:01-Apr-2009 00:29:59 UTC
Expiration Date:30-Jun-2012 15:36:58 UTC
Sponsoring Registrar:MarkMonitor Inc. (R37-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Registrant ID:mmr-47387
Registrant Name[[[[[[[:D]]]]]]]omain Administrator
Registrant Organization:Afilias Limited
Registrant Street1:3013 Lake Drive
Registrant Street2[:$]ffice 107  CityWest
Registrant Street3:
Registrant City[[[[[[[:D]]]]]]]ublin - ????????
Registrant State/Province:
Registrant Postal Code:24
Registrant Country:IE
Registrant Phone:+1.2157065700
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email[[[[[:D]]]]]omainadmin@afilias.info
Admin ID:mmr-47387
Admin Name[[[[[[[:D]]]]]]]omain Administrator
Admin Organization:Afilias Limited
Admin Street1:3013 Lake Drive
Admin Street2[:$]ffice 107  CityWest
Admin Street3:
Admin City[[[[[[[:D]]]]]]]ublin
Admin State/Province:
Admin Postal Code:24
Admin Country:IE
Admin Phone:+1.2157065700
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email[[[[[:D]]]]]omainadmin@afilias.info
Tech ID:mmr-47387
Tech Name[[[[[[[:D]]]]]]]omain Administrator
Tech Organization:Afilias Limited
Tech Street1:3013 Lake Drive
Tech Street2[:$]ffice 107  CityWest
Tech Street3:
Tech City[[[[[[[:D]]]]]]]ublin
Tech State/Province:
Tech Postal Code:24
Tech Country:IE
Tech Phone:+1.2157065700
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email[[[[[:D]]]]]omainadmin@afilias.info
Name Server:NS1.AMS1.AFILIAS-NST.INFO
Name Server:NS1.MIA1.AFILIAS-NST.INFO
Name Server:NS1.SEA1.AFILIAS-NST.INFO
Name Server:NS1.YYZ1.AFILIAS-NST.INFO
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
DNSSEC:Unsigned

Network Whois record
Queried whois.arin.net with "n 199.19.57.1"...

NetRange:       199.19.48.0 - 199.19.57.255
CIDR:           199.19.56.0/23, 199.19.48.0/21
OriginAS:
NetName:        AFILIAS-NET1
NetHandle:      NET-199-19-48-0-1
Parent:         NET-199-0-0-0-0
NetType:        Direct Assignment
RegDate:        2006-10-19
Updated:        2010-07-27
Ref:            http://whois.arin.net/rest/net/NET-199-19-48-0-1

OrgName:        Afilias Canada, Corp.
OrgId:          ACC-308
Address:        4141 Yonge Street
Address:        Suite 204
City:           Toronto
StateProv:      ON
PostalCode:     M2P-2A8
Country:        CA
RegDate:        2006-04-21
Updated:        2010-07-26
Ref:            http://whois.arin.net/rest/org/ACC-308

OrgTechHandle: RSE78-ARIN
OrgTechName:   Seastrom, Robert
OrgTechPhone:  +1-703-622-0001
OrgTechEmail:  rseastrom@afilias.info
OrgTechRef:    http://whois.arin.net/rest/poc/RSE78-ARIN

OrgTechHandle: CLEME4-ARIN
OrgTechName:   Clements, Carl
OrgTechPhone:  +1-416-646-1541
OrgTechEmail:  cclements@ca.afilias.info
OrgTechRef:    http://whois.arin.net/rest/poc/CLEME4-ARIN

OrgTechHandle: MSA258-ARIN
OrgTechName:   Abbas, Majdi S.
OrgTechPhone:  +1-602-412-4940
OrgTechEmail:  mabbas@afilias.info
OrgTechRef:    http://whois.arin.net/rest/poc/MSA258-ARIN

OrgNOCHandle: NOC11438-ARIN
OrgNOCName:   Network Operations Centre
OrgNOCPhone:  +1-416-646-1541
OrgNOCEmail:  noc@afilias-nst.info
OrgNOCRef:    http://whois.arin.net/rest/poc/NOC11438-ARIN

OrgTechHandle: MSP93-ARIN
OrgTechName:   Pounsett, Matthew Stewart
OrgTechPhone:  +1-416-673-8057
OrgTechEmail:  mpounsett@ca.afilias.info
OrgTechRef:    http://whois.arin.net/rest/poc/MSP93-ARIN

When country block is off: Correct response below.

20:03:43 DNS request UDP 192.168.1.10 : 65273
→ 208.82.236.174 : 53
len=76 ttl=128 tos=0x00

20:03:43 DNS request UDP 192.168.1.10 : 57770
→ 208.82.236.175 : 53
len=76 ttl=128 tos=0x00

20:03:43 DNS request UDP 192.168.1.10 : 14918
→ 208.82.238.72 : 53
len=71 ttl=128 tos=0x00

20:03:43 DNS request UDP 192.168.1.10 : 52669
→ 208.82.236.174 : 53
len=75 ttl=128 tos=0x00

20:03:44 DNS request UDP 192.168.1.10 : 51505
→ 208.82.238.71 : 53
len=75 ttl=128 tos=0x00

20:03:44 DNS request UDP 192.168.1.10 : 26330
→ 208.82.238.72 : 53
len=84 ttl=128 tos=0x00

etRange:       208.82.236.0 - 208.82.239.255
CIDR:           208.82.236.0/22
OriginAS:       AS22414
NetName:        CRAIGS-NET-1
NetHandle:      NET-208-82-236-0-1
Parent:         NET-208-0-0-0-0
NetType:        Direct Assignment
RegDate:        2007-09-26
Updated:        2009-05-19
Ref:            http://whois.arin.net/rest/net/NET-208-82-236-0-1

OrgName:        Craigslist, Inc.
OrgId:          CRAIGS-5
Address:        1381 9th Ave
City:           San Francisco
StateProv:      CA
PostalCode:     94122
Country:        US
RegDate:        2001-11-20
Updated:        2009-05-18
Ref:            http://whois.arin.net/rest/org/CRAIGS-5

I just flushed the DNS and it now resolves correctly but only if I allow the above  Ip.

In conclusion its not Astaro problem but I need to allow certain ips (whitelist from country block anyway) Like just allow 3 ips from one country but deny the rest.

Mike
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 14 years ago in reply to MikeinNYC

In conclusion its not Astaro problem but I need to allow certain ips (whitelist from country block anyway) Like just allow 3 ips from one country but deny the rest.

Glad you figured it out.

Please see
Country Blocking with Service restriction

and paste your comment there, and vote for it.

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 MikeinNYC over 14 years ago

I Open up Canada on Country Block. Oh Canada no problem. ... but what if it were CHINA? Yikes .. I'd never open that up.
I'll vote to have ips whitelisted AND a cut and paste packet filter so I can block my ads to hell.
see example:
M *.101com.com
M *.101order.com
M *.103bees.com
M *.1100i.com
M *.123banners.com
M *.123found.com
M *.123pagerank.com
M *.180hits.de
M *.180searchassistant.com
M *.180solutions.com
M *.1x1rank.com
M *.207.net
M *.247media.com
M *.24log.com
M *.24log.de
M *.24pm-affiliation.com
M *.2log.com
M *.2mdn.net
M *.2o7.net
M *.360yield.com
M *.4affiliate.net
M *.4d5.net
M *.50websads.com
M *.518ad.com
M *.51yes.com
M *.600z.com
R /SIG=15$
R /SIG=$
R /atoms/$
R rad(*]]);$
R andadvertisement($ content.yieldmanager.edgesuite.net/atoms/$
R global.ard.yahoo.com/SIG=$
R ad.yieldmanager.net$
R /js/adframe.js$
R &ad.id=$

I have about 800 of financial websites ads and growing daily.
Cancel
Vote Up 0 Vote Down

Cancel
0 mdp_01 over 14 years ago

Sorry if this is the wrong thread to comment this on, but I searched and could not find much about the Country Block packet filter. I was wondering if there is a way to block countries from accessing my WAN but Allow Access from my LAN to the Countries? Also have the ability to block a country but allow a certain CIDR to access my WAN from that country. I have been waiting to see if this would come availible in Astaro for a while now and see no way to do this yet. I know it can be done because pfsense has a mod that allows this ability.

If you ask, well then why don't you just use pfsense, "my answer is I doo"!, but for more internal routing task. I need UTM (Unified Threat Management), which is what Astaro is and what pfsense is not. That is not a knock at either of the systems, they are both good at what they do. I also use Untangle in a tranparents bridge mode behind my Astaro box to add an extra layer of security to my paranoia. Anyways, sorry if this is the wrong place to ask this and on another note I like the Astaro platform very much. It is a well made product as some of the others. I like to be grainular with security options and if someone could pass some info my way on this question above, I would be very appreciative of that.

Thanks,

MDP
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent over 14 years ago in reply to mdp_01

mdp, currently the country block feature is universal, no exceptions can be configured, nor can one differentiate between outbound and inbound traffic, currently. Please go to feature.astaro.com -- I believe this feature request already exists, and I'd vote for it.
Cancel
Vote Up 0 Vote Down

Cancel