Add GeoIP location to nameservers
mbox

Message ID 5686B34E.7010602@web.de
State New
Headers show

Message

IT Superhack Jan. 2, 2016, 4:11 a.m. UTC
Add the GeoIP location flag to the nameservers entry on
netexternal.cgi. The appropriate flag is shown between
ip address and dnssec status.

Signed-off-by: Timmothy Wilson <itsuperhack@web.de>
---

Comments

Matthias Fischer Jan. 2, 2016, 6:16 a.m. UTC | #1
Hi,

Tested.

Works.

Thanks! ;-)

One suggestion:

If you change line ~156 in 'netexternal.cgi' from:

...
<td>$nameserver</td>
...

to

...
<td align="center">$nameserver</td>
...

it looks even better... (see Attachment)

Jm2C!

Best,
Matthias


On 01.01.2016 18:11, IT Superhack wrote:
> Add the GeoIP location flag to the nameservers entry on
> netexternal.cgi. The appropriate flag is shown between
> ip address and dnssec status.
>
> Signed-off-by: Timmothy Wilson <itsuperhack@web.de>
> ---
> diff --git a/html/cgi-bin/netexternal.cgi b/html/cgi-bin/netexternal.cgi
> index 299612d..757785e 100644
> --- a/html/cgi-bin/netexternal.cgi
> +++ b/html/cgi-bin/netexternal.cgi
> @@ -19,6 +19,7 @@
>   #                                                                             #
>   ###############################################################################
>
> +use Geo::IP::PurePerl;
>   use strict;
>
>   # enable only the following on debugging purpose
> @@ -28,6 +29,7 @@ use strict;
>   require '/var/ipfire/general-functions.pl';
>   require "${General::swroot}/lang.pl";
>   require "${General::swroot}/header.pl";
> +require "${General::swroot}/geoip-functions.pl";
>   require "${General::swroot}/graphs.pl";
>
>   my %color = ();
> @@ -99,6 +101,9 @@ if ( $querry[0] ne~ ""){
>   						<strong>$Lang::tr{'nameserver'}</strong>
>   					</th>
>   					<th align="center">
> +						<strong>$Lang::tr{'location'}</strong>
> +					</th>
> +					<th align="center">
>   						<strong>$Lang::tr{'status'}</strong>
>   					</th>
>   				</tr>
> @@ -138,10 +143,20 @@ END
>   		}
>
>   		my $table_colour = ($id++ % 2) ? $color{'color22'} : $color{'color20'};
> +		
> +		# geoip lookup
> +		my $geoaddr = Geo::IP::PurePerl->new();
> +		my $ccode = $geoaddr->country_code_by_name($nameserver);
> +		my $fcode = lc($ccode);
> +		# Get flag icon for of the country.
> +		my $flag_icon = &GeoIP::get_flag_icon($ccode);
>
>   		print <<END;
>   			<tr bgcolor="$table_colour">
>   				<td>$nameserver</td>
> +				<td align="center">
> +					<a href='/cgi-bin/country.cgi#$fcode'><img src='$flag_icon' border='0' align='absmiddle' alt='$ccode' title='$ccode'></a>
> +				</td>
>   				<td bgcolor="$bgcolour" align="center">
>   					<font color="$colour"><strong>$message</strong></font>
>   				</td>
> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
> index 2bca854..836d12f 100644
> --- a/langs/de/cgi-bin/de.pl
> +++ b/langs/de/cgi-bin/de.pl
> @@ -1429,6 +1429,7 @@
>   'local vpn hostname/ip' => 'Lokaler VPN Hostname/IP',
>   'localkey' => 'Localkey',
>   'localkeyfile' => 'Localkeyfile',
> +'location' => 'Standort',
>   'log' => 'Protokoll',
>   'log enabled' => 'Log aktiviert',
>   'log level' => 'Log Level',
> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
> index 4c52392..51a6241 100644
> --- a/langs/en/cgi-bin/en.pl
> +++ b/langs/en/cgi-bin/en.pl
> @@ -1459,6 +1459,7 @@
>   'local vpn hostname/ip' => 'Local VPN Hostname/IP',
>   'localkey' => 'Localkey',
>   'localkeyfile' => 'Localkeyfile',
> +'location' => 'Location',
>   'log' => 'Log',
>   'log enabled' => 'Log Enabled',
>   'log level' => 'Log Level',
>
Michael Tremer Jan. 5, 2016, 3:59 a.m. UTC | #2
Just out of curiosity, why do you find this information so helpful?

-Michael

On Fri, 2016-01-01 at 20:16 +0100, Matthias Fischer wrote:
> Hi,
> 
> Tested.
> 
> Works.
> 
> Thanks! ;-)
> 
> One suggestion:
> 
> If you change line ~156 in 'netexternal.cgi' from:
> 
> ...
> <td>$nameserver</td>
> ...
> 
> to
> 
> ...
> <td align="center">$nameserver</td>
> ...
> 
> it looks even better... (see Attachment)
> 
> Jm2C!
> 
> Best,
> Matthias
> 
> 
> On 01.01.2016 18:11, IT Superhack wrote:
> > Add the GeoIP location flag to the nameservers entry on
> > netexternal.cgi. The appropriate flag is shown between
> > ip address and dnssec status.
> > 
> > Signed-off-by: Timmothy Wilson <itsuperhack@web.de>
> > ---
> > diff --git a/html/cgi-bin/netexternal.cgi b/html/cgi
> > -bin/netexternal.cgi
> > index 299612d..757785e 100644
> > --- a/html/cgi-bin/netexternal.cgi
> > +++ b/html/cgi-bin/netexternal.cgi
> > @@ -19,6 +19,7 @@
> >   #                                                                
> >              #
> >  
> > ###################################################################
> > ############
> > 
> > +use Geo::IP::PurePerl;
> >   use strict;
> > 
> >   # enable only the following on debugging purpose
> > @@ -28,6 +29,7 @@ use strict;
> >   require '/var/ipfire/general-functions.pl';
> >   require "${General::swroot}/lang.pl";
> >   require "${General::swroot}/header.pl";
> > +require "${General::swroot}/geoip-functions.pl";
> >   require "${General::swroot}/graphs.pl";
> > 
> >   my %color = ();
> > @@ -99,6 +101,9 @@ if ( $querry[0] ne~ ""){
> >   						<strong>$Lang::tr
> > {'nameserver'}</strong>
> >   					</th>
> >   					<th align="center">
> > +						<strong>$Lang::tr{
> > 'location'}</strong>
> > +					</th>
> > +					<th align="center">
> >   						<strong>$Lang::tr
> > {'status'}</strong>
> >   					</th>
> >   				</tr>
> > @@ -138,10 +143,20 @@ END
> >   		}
> > 
> >   		my $table_colour = ($id++ % 2) ?
> > $color{'color22'} : $color{'color20'};
> > +		
> > +		# geoip lookup
> > +		my $geoaddr = Geo::IP::PurePerl->new();
> > +		my $ccode = $geoaddr
> > ->country_code_by_name($nameserver);
> > +		my $fcode = lc($ccode);
> > +		# Get flag icon for of the country.
> > +		my $flag_icon = &GeoIP::get_flag_icon($ccode);
> > 
> >   		print <<END;
> >   			<tr bgcolor="$table_colour">
> >   				<td>$nameserver</td>
> > +				<td align="center">
> > +					<a href='/cgi
> > -bin/country.cgi#$fcode'><img src='$flag_icon' border='0'
> > align='absmiddle' alt='$ccode' title='$ccode'></a>
> > +				</td>
> >   				<td bgcolor="$bgcolour"
> > align="center">
> >   					<font
> > color="$colour"><strong>$message</strong></font>
> >   				</td>
> > diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
> > index 2bca854..836d12f 100644
> > --- a/langs/de/cgi-bin/de.pl
> > +++ b/langs/de/cgi-bin/de.pl
> > @@ -1429,6 +1429,7 @@
> >   'local vpn hostname/ip' => 'Lokaler VPN Hostname/IP',
> >   'localkey' => 'Localkey',
> >   'localkeyfile' => 'Localkeyfile',
> > +'location' => 'Standort',
> >   'log' => 'Protokoll',
> >   'log enabled' => 'Log aktiviert',
> >   'log level' => 'Log Level',
> > diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
> > index 4c52392..51a6241 100644
> > --- a/langs/en/cgi-bin/en.pl
> > +++ b/langs/en/cgi-bin/en.pl
> > @@ -1459,6 +1459,7 @@
> >   'local vpn hostname/ip' => 'Local VPN Hostname/IP',
> >   'localkey' => 'Localkey',
> >   'localkeyfile' => 'Localkeyfile',
> > +'location' => 'Location',
> >   'log' => 'Log',
> >   'log enabled' => 'Log Enabled',
> >   'log level' => 'Log Level',
> > 
>
Matthias Fischer Jan. 5, 2016, 4:16 a.m. UTC | #3
Hi,

For me: its not really important - just "nice to have"...

Best,
Matthias

On 04.01.2016 17:59, Michael Tremer wrote:
> Just out of curiosity, why do you find this information so helpful?
IT Superhack Jan. 11, 2016, 3:25 a.m. UTC | #4
Hello Michael, hello Matthias,

Michael Tremer:
> Just out of curiosity, why do you find this information so helpful?

As Matthias said already, is is more a "nice to have" than something
which is seriously needed.

I wrote this patch because a friend of mine in France discovered that
his ISP assigns DNS servers from Australia and Great Britain, which
was slowing down DNS resolving a lot.

Therefore I thougt it might be useful to see in which countries your
DNS servers are located, just in case you didn't set some by your own.

In general, adding geographic information to IP addresses is very
helpful in my point of view because anomalies can be detected much
better and more precise firewall rules are possible.

However, some thing might still be improved: For example, the ipinfo.cgi
file shows the IP address, the rDNS name, whois information, but not
the appropriate flag. So, if someone scrolls through the connection tracking
page, he/she/it sees the source and destination IPs of any active (and
recently closed) connection. At the moment, there is no way of telling
which country an IP belongs to - without using additional web services, of
course - since the flag is shown neither at the connection tracking page
nor at the ipinfo.cgi page. This isn't very helpful, is it?

That is basically the motivation behind the two patches I submitted
recently.

Best regards,
Timmothy Wilson
Michael Tremer Jan. 11, 2016, 9:15 a.m. UTC | #5
Hi,

On Sun, 2016-01-10 at 17:25 +0100, IT Superhack wrote:
> Hello Michael, hello Matthias,
> 
> Michael Tremer:
> > Just out of curiosity, why do you find this information so helpful?
> 
> As Matthias said already, is is more a "nice to have" than something
> which is seriously needed.

This is not too much of an argument. My argument against this is that
it brings down page load times because of a not too useful information.

> I wrote this patch because a friend of mine in France discovered that
> his ISP assigns DNS servers from Australia and Great Britain, which
> was slowing down DNS resolving a lot.

I get that and this is actually a pretty good one.

That only leaves resolvers like 8.8.8.8 which will show "US" but
actually are located at many places around the world. Let's hope that
people don't get the wrong thing from the flag - or actually start
changing their DNS servers to something else :)

> Therefore I thougt it might be useful to see in which countries your
> DNS servers are located, just in case you didn't set some by your
> own.

It is sometimes. Although geographic location doesn't mean that it is
close on the network.

A system in GB is probably not an issue. Australia actually is a bit
far away.

> In general, adding geographic information to IP addresses is very
> helpful in my point of view because anomalies can be detected much
> better and more precise firewall rules are possible.

I don't get why.

> However, some thing might still be improved: For example, the
> ipinfo.cgi
> file shows the IP address, the rDNS name, whois information, but not
> the appropriate flag. So, if someone scrolls through the connection
> tracking
> page, he/she/it sees the source and destination IPs of any active
> (and
> recently closed) connection. At the moment, there is no way of
> telling
> which country an IP belongs to - without using additional web
> services, of
> course - since the flag is shown neither at the connection tracking
> page
> nor at the ipinfo.cgi page. This isn't very helpful, is it?

The ipinfo.cgi page shows the whois information for an IP address. That
may contain the name and HQ location of a company this IP address
belongs to, but that does *not* mean that the host is actually located
in that country - and almost certainly not at that address.

The GeoIP database is a completely different thing.

Judging by the location of the host does make any sense if you care
about security.

> 
> That is basically the motivation behind the two patches I submitted
> recently.
> 
> Best regards,
> Timmothy Wilson
>
IT Superhack Jan. 11, 2016, 7:10 p.m. UTC | #6
Hello Michael,

Michael Tremer:
> Hi,
> 
> On Sun, 2016-01-10 at 17:25 +0100, IT Superhack wrote:
>> Hello Michael, hello Matthias,
>>
>> Michael Tremer:
>>> Just out of curiosity, why do you find this information so helpful?
>>
>> As Matthias said already, is is more a "nice to have" than something
>> which is seriously needed.
> 
> This is not too much of an argument. My argument against this is that
> it brings down page load times because of a not too useful information.
> 
>> I wrote this patch because a friend of mine in France discovered that
>> his ISP assigns DNS servers from Australia and Great Britain, which
>> was slowing down DNS resolving a lot.
> 
> I get that and this is actually a pretty good one.
> 
> That only leaves resolvers like 8.8.8.8 which will show "US" but
> actually are located at many places around the world. Let's hope that
> people don't get the wrong thing from the flag - or actually start
> changing their DNS servers to something else :)
> 
>> Therefore I thougt it might be useful to see in which countries your
>> DNS servers are located, just in case you didn't set some by your
>> own.
> 
> It is sometimes. Although geographic location doesn't mean that it is
> close on the network.
> 
> A system in GB is probably not an issue. Australia actually is a bit
> far away.
The problem here was something else: A couple of months ago, his ISP
assigned DNS servers in France, which worked quite well and belonged
to the ISP, according to whois information.

The list of assigned DNS servers must have changed somewhere in the
meantime, and he still does not know why since the ISP does not answer
related questions.

So, if your ISP suddenly assigns you DNS servers in a very different location
than it has done long before, you know that something might be wrong here.
(The Quantumhand-program of the NSA lists "DNS injection" as a possible
method to impersonate a server - why not even change the DNS server to
one they own? Would be much easier...) 
[http://securityaffairs.co/wordpress/23129/hacking/quantumhand-nsa-impersonates-facebook-inject-malware.html]
> 
>> In general, adding geographic information to IP addresses is very
>> helpful in my point of view because anomalies can be detected much
>> better and more precise firewall rules are possible.
> 
> I don't get why.
For example, many active connections from an internal host to china,
korea or an african country might indicate that a host is infected.
If someone need to call ipinfo.cgi for every IP he/she/it does not know,
it will end in a nightmare...
> 
>> However, some thing might still be improved: For example, the
>> ipinfo.cgi
>> file shows the IP address, the rDNS name, whois information, but not
>> the appropriate flag. So, if someone scrolls through the connection
>> tracking
>> page, he/she/it sees the source and destination IPs of any active
>> (and
>> recently closed) connection. At the moment, there is no way of
>> telling
>> which country an IP belongs to - without using additional web
>> services, of
>> course - since the flag is shown neither at the connection tracking
>> page
>> nor at the ipinfo.cgi page. This isn't very helpful, is it?
> 
> The ipinfo.cgi page shows the whois information for an IP address. That
> may contain the name and HQ location of a company this IP address
> belongs to, but that does *not* mean that the host is actually located
> in that country - and almost certainly not at that address.
That's right, GeoIP shows the location of the server and not those of
its owner.

But looking at this whois output:

CariNet, Inc. NET-26 (NET-71-6-158-128-1) 71.6.158.128 - 71.6.158.191
CariNet, Inc. CARINET-5 (NET-71-6-128-0-1) 71.6.128.0 - 71.6.255.255

Not very helpful in first place, is it? ;-)
> 
> The GeoIP database is a completely different thing.
> 
> Judging by the location of the host does make any sense if you care
> about security.
Basically, yes. As I mentioned above, GeoIP makes more sense to detect
anomalies and to allow, e.g., only VPN access from countries which are
necessary.
> 
>>
>> That is basically the motivation behind the two patches I submitted
>> recently.
>>
>> Best regards,
>> Timmothy Wilson
Best regards,
Timmothy Wilson
Michael Tremer Jan. 19, 2016, 12:30 p.m. UTC | #7
Hi,

On Mon, 2016-01-11 at 09:10 +0100, IT Superhack wrote:
> Hello Michael,
> 
> Michael Tremer:
> > Hi,
> > 
> > On Sun, 2016-01-10 at 17:25 +0100, IT Superhack wrote:
> > > Hello Michael, hello Matthias,
> > > 
> > > Michael Tremer:
> > > > Just out of curiosity, why do you find this information so
> > > > helpful?
> > > 
> > > As Matthias said already, is is more a "nice to have" than
> > > something
> > > which is seriously needed.
> > 
> > This is not too much of an argument. My argument against this is
> > that
> > it brings down page load times because of a not too useful
> > information.
> > 
> > > I wrote this patch because a friend of mine in France discovered
> > > that
> > > his ISP assigns DNS servers from Australia and Great Britain,
> > > which
> > > was slowing down DNS resolving a lot.
> > 
> > I get that and this is actually a pretty good one.
> > 
> > That only leaves resolvers like 8.8.8.8 which will show "US" but
> > actually are located at many places around the world. Let's hope
> > that
> > people don't get the wrong thing from the flag - or actually start
> > changing their DNS servers to something else :)
> > 
> > > Therefore I thougt it might be useful to see in which countries
> > > your
> > > DNS servers are located, just in case you didn't set some by your
> > > own.
> > 
> > It is sometimes. Although geographic location doesn't mean that it
> > is
> > close on the network.
> > 
> > A system in GB is probably not an issue. Australia actually is a
> > bit
> > far away.
> The problem here was something else: A couple of months ago, his ISP
> assigned DNS servers in France, which worked quite well and belonged
> to the ISP, according to whois information.
> 
> The list of assigned DNS servers must have changed somewhere in the
> meantime, and he still does not know why since the ISP does not
> answer
> related questions.
> 
> So, if your ISP suddenly assigns you DNS servers in a very different
> location
> than it has done long before, you know that something might be wrong
> here.
> (The Quantumhand-program of the NSA lists "DNS injection" as a
> possible
> method to impersonate a server - why not even change the DNS server
> to
> one they own? Would be much easier...) 
> [http://securityaffairs.co/wordpress/23129/hacking/quantumhand-nsa-im
> personates-facebook-inject-malware.html]

Yeah, I get where you are coming from. The flag however won't change
much here. A check if the IP address of the DNS servers are part of the
AS of the ISP would be a better one to find fakes.

A latency check would find name servers that are "too far" away on the
network.

The GeoIP information just very loosely corresponds to a few of these
things. Nothing more in my opinion.

> > 
> > > In general, adding geographic information to IP addresses is very
> > > helpful in my point of view because anomalies can be detected
> > > much
> > > better and more precise firewall rules are possible.
> > 
> > I don't get why.
> For example, many active connections from an internal host to china,
> korea or an african country might indicate that a host is infected.
> If someone need to call ipinfo.cgi for every IP he/she/it does not
> know,
> it will end in a nightmare...

Nobody will check this at the right time. Something like snort would
help you more here.

> > 
> > > However, some thing might still be improved: For example, the
> > > ipinfo.cgi
> > > file shows the IP address, the rDNS name, whois information, but
> > > not
> > > the appropriate flag. So, if someone scrolls through the
> > > connection
> > > tracking
> > > page, he/she/it sees the source and destination IPs of any active
> > > (and
> > > recently closed) connection. At the moment, there is no way of
> > > telling
> > > which country an IP belongs to - without using additional web
> > > services, of
> > > course - since the flag is shown neither at the connection
> > > tracking
> > > page
> > > nor at the ipinfo.cgi page. This isn't very helpful, is it?
> > 
> > The ipinfo.cgi page shows the whois information for an IP address.
> > That
> > may contain the name and HQ location of a company this IP address
> > belongs to, but that does *not* mean that the host is actually
> > located
> > in that country - and almost certainly not at that address.
> That's right, GeoIP shows the location of the server and not those of
> its owner.

No, still wrong. Just check 8.8.8.8. GeoIP will show you US. It is
actually an anycast with many hosts in the world. That is quite typical
for name servers.

This *must* be added to the documentation in the wiki and state very
clearly that this information is never very accurate and especially
with name servers less accurate than usually to expect.

> But looking at this whois output:
> 
> CariNet, Inc. NET-26 (NET-71-6-158-128-1) 71.6.158.128 - 71.6.158.191
> CariNet, Inc. CARINET-5 (NET-71-6-128-0-1) 71.6.128.0 - 71.6.255.255
> 
> Not very helpful in first place, is it? ;-)

Why not?

> > 
> > The GeoIP database is a completely different thing.
> > 
> > Judging by the location of the host does make any sense if you care
> > about security.
> Basically, yes. As I mentioned above, GeoIP makes more sense to
> detect
> anomalies and to allow, e.g., only VPN access from countries which
> are
> necessary.

You should know that IPFire downloads this GeoIP database from an
untrusted source over an untrusted connection.

> > 
> > > 
> > > That is basically the motivation behind the two patches I
> > > submitted
> > > recently.
> > > 
> > > Best regards,
> > > Timmothy Wilson
> Best regards,
> Timmothy Wilson
> 

-Michael
IT Superhack Jan. 19, 2016, 5:57 p.m. UTC | #8
Hello,
Michael Tremer:
> Hi,
> 
> On Mon, 2016-01-11 at 09:10 +0100, IT Superhack wrote:
>> Hello Michael,
>>
>> Michael Tremer:
>>> Hi,
>>>
>>> On Sun, 2016-01-10 at 17:25 +0100, IT Superhack wrote:
>>>> Hello Michael, hello Matthias,
>>>>
>>>> Michael Tremer:
>>>>> Just out of curiosity, why do you find this information so
>>>>> helpful?
>>>>
>>>> As Matthias said already, is is more a "nice to have" than
>>>> something
>>>> which is seriously needed.
>>>
>>> This is not too much of an argument. My argument against this is
>>> that
>>> it brings down page load times because of a not too useful
>>> information.
>>>
>>>> I wrote this patch because a friend of mine in France discovered
>>>> that
>>>> his ISP assigns DNS servers from Australia and Great Britain,
>>>> which
>>>> was slowing down DNS resolving a lot.
>>>
>>> I get that and this is actually a pretty good one.
>>>
>>> That only leaves resolvers like 8.8.8.8 which will show "US" but
>>> actually are located at many places around the world. Let's hope
>>> that
>>> people don't get the wrong thing from the flag - or actually start
>>> changing their DNS servers to something else :)
>>>
>>>> Therefore I thougt it might be useful to see in which countries
>>>> your
>>>> DNS servers are located, just in case you didn't set some by your
>>>> own.
>>>
>>> It is sometimes. Although geographic location doesn't mean that it
>>> is
>>> close on the network.
>>>
>>> A system in GB is probably not an issue. Australia actually is a
>>> bit
>>> far away.
>> The problem here was something else: A couple of months ago, his ISP
>> assigned DNS servers in France, which worked quite well and belonged
>> to the ISP, according to whois information.
>>
>> The list of assigned DNS servers must have changed somewhere in the
>> meantime, and he still does not know why since the ISP does not
>> answer
>> related questions.
>>
>> So, if your ISP suddenly assigns you DNS servers in a very different
>> location
>> than it has done long before, you know that something might be wrong
>> here.
>> (The Quantumhand-program of the NSA lists "DNS injection" as a
>> possible
>> method to impersonate a server - why not even change the DNS server
>> to
>> one they own? Would be much easier...) 
>> [http://securityaffairs.co/wordpress/23129/hacking/quantumhand-nsa-im
>> personates-facebook-inject-malware.html]
> 
> Yeah, I get where you are coming from. The flag however won't change
> much here. A check if the IP address of the DNS servers are part of the
> AS of the ISP would be a better one to find fakes.
Great idea! I will try to develop this over the weekend. (Guess the AS
number is easy to find out, maybe there is a central database for this,
too.)
> 
> A latency check would find name servers that are "too far" away on the
> network.
I like this idea, too. Still, it requires that the nameservers answer to
ICMP packets, which is not always true... :-(
> 
> The GeoIP information just very loosely corresponds to a few of these
> things. Nothing more in my opinion.
> 
>>>
>>>> In general, adding geographic information to IP addresses is very
>>>> helpful in my point of view because anomalies can be detected
>>>> much
>>>> better and more precise firewall rules are possible.
>>>
>>> I don't get why.
>> For example, many active connections from an internal host to china,
>> korea or an african country might indicate that a host is infected.
>> If someone need to call ipinfo.cgi for every IP he/she/it does not
>> know,
>> it will end in a nightmare...
> 
> Nobody will check this at the right time. Something like snort would
> help you more here.
Proposed snot is active (not possible on ARM devices), running at that
network interface and has the correct signatures loaded, yes.
> 
>>>
>>>> However, some thing might still be improved: For example, the
>>>> ipinfo.cgi
>>>> file shows the IP address, the rDNS name, whois information, but
>>>> not
>>>> the appropriate flag. So, if someone scrolls through the
>>>> connection
>>>> tracking
>>>> page, he/she/it sees the source and destination IPs of any active
>>>> (and
>>>> recently closed) connection. At the moment, there is no way of
>>>> telling
>>>> which country an IP belongs to - without using additional web
>>>> services, of
>>>> course - since the flag is shown neither at the connection
>>>> tracking
>>>> page
>>>> nor at the ipinfo.cgi page. This isn't very helpful, is it?
>>>
>>> The ipinfo.cgi page shows the whois information for an IP address.
>>> That
>>> may contain the name and HQ location of a company this IP address
>>> belongs to, but that does *not* mean that the host is actually
>>> located
>>> in that country - and almost certainly not at that address.
>> That's right, GeoIP shows the location of the server and not those of
>> its owner.
> 
> No, still wrong. Just check 8.8.8.8. GeoIP will show you US. It is
> actually an anycast with many hosts in the world. That is quite typical
> for name servers.
> 
> This *must* be added to the documentation in the wiki and state very
> clearly that this information is never very accurate and especially
> with name servers less accurate than usually to expect.
Okay, I will add this to the DNS server list.
> 
>> But looking at this whois output:
>>
>> CariNet, Inc. NET-26 (NET-71-6-158-128-1) 71.6.158.128 - 71.6.158.191
>> CariNet, Inc. CARINET-5 (NET-71-6-128-0-1) 71.6.128.0 - 71.6.255.255
>>
>> Not very helpful in first place, is it? ;-)
> 
> Why not?
There is no address, no abuse contact, just these two lines. Now you
may start searching, and with no luck, there will be more than one company
called "CariNet" out there...

I do not expect whois outputs to be user friendly, but I expect them
to be admin friendly, which means they show me who to blame and where to
blame. ;-) Sorry, speaking for the network operators, here...
> 
>>>
>>> The GeoIP database is a completely different thing.
>>>
>>> Judging by the location of the host does make any sense if you care
>>> about security.
>> Basically, yes. As I mentioned above, GeoIP makes more sense to
>> detect
>> anomalies and to allow, e.g., only VPN access from countries which
>> are
>> necessary.
> 
> You should know that IPFire downloads this GeoIP database from an
> untrusted source over an untrusted connection.
*Sigh* Thanks for mentioning it...
> 
>>>
>>>>
>>>> That is basically the motivation behind the two patches I
>>>> submitted
>>>> recently.
>>>>
>>>> Best regards,
>>>> Timmothy Wilson
>> Best regards,
>> Timmothy Wilson
>>
> 
> -Michael
> 
Best regards,
Timmothy Wilson