your thoughts on a particular ipfw action.
Ian Smith
smithi at nimnet.asn.au
Thu Aug 11 11:06:12 UTC 2016
On Wed, 10 Aug 2016 -0300, Dr. Rolf Jansen wrote:
(just curious: whereabouts is -0300? Brazil?)
>> On 08.08.2016 at 18:46, Dr. Rolf Jansen <rj at obsigna.com> wrote:
>> I am almost finished with preparing the tools for geo-blocking and
>> geo-routing at the firewall for submission to the FreeBSD ports.
>> I created a man file for the tools, see:
>> https://cyclaero.github.io/ipdb/, and I added the recent suggestions
>> on rule number/action code per country code, namely, I changed the
>> formula for the x-flag to the suggestion of Ian (value = offset +
>> ((C1 - 'A')*26 + (C2 - 'A'))*10), and I added the idea of directly
>> assigning a number to a country code in the argument for the t-flag
>> ("CC=nnnnn:..."). Furthermore, I removed the divert filter daemon
>> from the Makefile. The source is still on GitHub, though, and can be
>> re-vamped if necessary. Now I am going to prepare the Makefile for
>> the port.
Terrific work, Rolf! Something for everyone, although I'm guessing the
pf people are going to want a piece of the action, if they need any more
than the -p option and a bit of scripting.
> I just submitted a PR asking to add the new port 'sysutils/ipdbtools'.
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211744
Wonderful.
> I needed to change the name of the geoip tool, because GeoIP® is a
> registered trademark of MaxMind, Inc., see www.maxmind.com. The name
I did wonder about that ..
> of the tool is now 'ipup' = abbreviated form of IP geo location table
> generation and look-UP, that is without the boring middle part :-D
>
> Those, who used geoip already in some scripts, please excuse the
> inconvenience of needing to change the name.
> With the great help of Julian, I was able to improve the man file and
> the latest version can be read online:
>
> https://cyclaero.github.io/ipdb/
Nice manual and all. A few typos noted below (niggly Virgo proofreader)

I must apologise for added exasperation earlier. I was tending towards
conflating several other ipfw issues under discussion (named states, new
state actions, and this). Sorry if I bumped you off course momentarily,
though I don't seem to have slowed you down too much ..

As a hopefully not unwelcome aside, it's a pity that IBM, of all people,
couldn't manage geo-blocking successfully for the Australian Census the
other night. Next time around we can offer them a working geo-blocking
firewall/router for a good deal less than the AU$9.6M we've paid IBM :)

Census: How the Government says the website meltdown unfolded:
http://www.abc.net.au/news/2016-08-10/census-night-how-the-shambles-unfolded/7712964

A more tech-savvy article than ABC or other news media managed so far:
https://www.theguardian.com/australia-news/2016/aug/10/computer-says-no-australian-census-shambles-explanation-depends-on-who-you-ask

cheers, Ian
=======
It is suitable for inclusion into cron. "for invocation by cron" maybe?

ipdb_update.sh has IPRanges="/usr/local/etc/ipdb/IPRanges" but some (not
all) mentions in the manpage use "IP-Ranges" with a hyphen, including
the FILES section. Also the last one there repeats "*bst.v4" for IPv6.

It's not quite clear how to specify an 'empty CC list'? ''? ""? either?

"from certain [countries?] we don't like .."

"piped into sort of [or?] a pre-processing command .."

=======