GeoIP selection of countries #1860

Closed
gertfriend opened this issue Oct 3, 2017 · 34 comments
Labels: feature Adding new functionality

Comments
@gertfriend

Maybe it will be possible to change the GeoIP country selection from Dropdown to multiple-selection list box sorted by continent and then by country which would be more comfortable.

@fichtner fichtner added the help wanted Contributor missing / timeout label Oct 3, 2017
@mimugmail
Member

This really needs some attention.

The sort order in Aliases is by Country Code. Normally this should make sense, but the CC of Germany is DE. Now this is how it looks:

[image]

The CC of Algeria is DZ, that's why it's there.

First of all there should be a new sort order by country_name.

Also the CSV from the script /usr/local/opnsense/scripts/filter/download_geoip.py includes continent_code and continent_name.

I haven't dug too much into this script yet, but there could be an optimized sort order by continent_name and inside this by country_name.

What do you think @AdSchellevis and @fichtner ?

@AdSchellevis
Member

@mimugmail I agree about the sorting, but not the continent data. We use /usr/local/opnsense/contrib/tzdata/iso3166.tab for country codes, which is always available on the machine and doesn't require a download first. Unfortunately there is no continent in there.

I will prepare a fix for the sorting, and add some JS magic to replace the select for a searchable one, but that's as far as I will take this.

@fichtner
Member

I agree that it's difficult to conjure a nice UX here for selecting whole Continents, managing exceptions within, etc...

The zone.tab file has all the info. I'll try to look at implementing it after Ad's changes.

https://github.com/Distrotech/tzdata/blob/master/zone.tab

@mimugmail
Member

Yep, really tricky with a dropdown list. Sophos does this besides the rules, just to give you an idea:

[image]

@AdSchellevis
Member

With the continent info available, optgroups (https://silviomoreto.github.io/bootstrap-select/examples/#select-boxes-with-optgroups) could be used. But selecting more items in the same row also requires changes to the filter.

@fichtner
Member

fichtner commented Oct 15, 2017 via email

@fichtner fichtner self-assigned this Oct 15, 2017
@fichtner fichtner added feature Adding new functionality and removed help wanted Contributor missing / timeout labels Oct 15, 2017
@fichtner fichtner added this to the 18.1 milestone Oct 15, 2017
@fichtner
Member

I think the Sophos example is good, the boxes should be multi-select and we have fixed data, so adding more fields doesn't help...

I would:

  1. Add a JavaScript section header checkbox to toggle the whole region.
  2. Add checkboxes in each region for each country.

That way "search" can be done via browser.

Ok?

@mimugmail
Member

And probably a checkbox of the country rules should be before or after the user ruleset

@fichtner
Member

I don't understand that last part?

@fichtner
Member

Like this, only pretty...

[screenshot 2017-10-15 at 5:14:44 pm]

@AdSchellevis
Member

I would advise to keep it simple, within the features selectpicker can handle by default. The amount of work needed could grow rapidly.
This

[image]

can easily be combined with

[image]

Only challenge is to map the codes back to something comma separated and push it back to the input.

@mimugmail
Member

With Sophos this is its own tab besides the fw rules. Country rules are processed before normal rules. So if you plan to do it the same way it would be cool to decide.

@fichtner
Member

@AdSchellevis but still the dataset is fixed and a bit too big to handle from a single select picker. If we unfold to checkboxes and create CSV from there, that's easy. We also don't need the multi-row approach... it's like apples and oranges. If we can render by region, we don't have to change it again. Can't get more UX than what Sophos already has in terms of edit speed and field of view.

@mimugmail aliases can be used as destination or source in filter rules. They are not blocked by default and should not be, so we don't need any "ordering".

@mimugmail
Member

This would be a winner against Sophos, always good to beat the commercials 👍

@AdSchellevis
Member

@fichtner you're certainly right about the usability aspect, fitting it in just takes more time than improving what we have now.

@fichtner
Member

Works for me, saves OK, added new validation... please test

[screenshot 2017-10-15 at 8:31:03 pm]

@mimugmail
Member

987afe8 is enough or also the first one?

@fichtner
Member

# opnsense-code core
# cd /usr/core
# make upgrade

if upgrade refuses:

# opnsense-update -t opnsense-devel

@mimugmail
Member

I love it :)
Is this so memory-hungry? I created a "europe" alias with toggle all and get:

Oct 16 10:46:10 OPNsense opnsense: /usr/local/etc/rc.filter_configure: New alert found: There were error(s) loading the rules: /tmp/rules.debug:21: cannot define table europe: Cannot allocate memory - The line in question reads [21]: table <europe> persist file "/var/db/aliastables/europe.txt"

@fichtner
Member

How big is the file? I would say yes... /var/db/aliastables/europe.txt

@AdSchellevis
Member

@mimugmail how is "Firewall Maximum Table Entries" set in Firewall -> Settings -> Advanced?

@mimugmail
Member

Since I cloned a fresh installation it was default. Bumped to 2000000 and now it's good.
I like this new approach, thank you guys 👍

@fichtner
Member

Maybe it's time we increase the default of that value somewhere?

@AdSchellevis
Member

Could be a good idea, but chances are people still need to extend it when having larger rulesets (which isn't an issue when there's enough memory available).

@L1ghtn1ng

L1ghtn1ng commented Oct 16, 2017 via email

@AdSchellevis
Member

no

@gertfriend
Author

Great work and also a very fast implementation. With this view GeoIP would be very much more usable. Thank you very much.

@mimugmail
Member

Perhaps some kind of div alert when changing alias type to Geo?

@fichtner
Member

I was thinking help text as well, or added to the docs... FAE ... frequently asked errors :D

@mimugmail
Member

Yep, but the latest experiences showed that most people do trial and error before posting to GH, before looking at the docs :( Perhaps a blue-colored div..

@fichtner
Member

in 17.7.7 :)

@algato

algato commented Oct 3, 2018

Hello,
I would like to ask for your help:

  1. "Firewall Maximum Table Entries": how can I check how many entries my table already has (has my table already reached the limit)?

  2. Which settings should the WAN firewall rule have to use the alias with the selected (blocked) countries?
    Interface WAN
    Protocol any
    Source (prepared alias) blocked_countries
    Destination any

Is that correct, and are those all the parameters for that rule?

Should I check the checkboxes for:

  • Disable hardware checksum offload
  • Disable hardware TCP segmentation offload
  • Disable hardware large receive offload

as described in the obsolete tutorial for Geo-IP blocking using intrusion detection?

Kind regards
Alex

@warnerbryce

@algato I have the same question as you, do you have any news about this?

@mimugmail
Member

Just reread the official docs; it should all be clear.
