your thoughts on a particular ipfw action.

Ian Smith smithi at nimnet.asn.au
Thu Aug 11 11:06:12 UTC 2016


On Wed, 10 Aug 2016 -0300, Dr. Rolf Jansen wrote:

(just curious: whereabouts is -0300?  Brazil?)

 > > On 08.08.2016 at 18:46, Dr. Rolf Jansen <rj at obsigna.com> wrote:
 > > I am almost finished with preparing the tools for geo-blocking and 
 > > geo-routing at the firewall for submission to the FreeBSD ports.
 > >
 > > I created a man file for the tools, see: 
 > > https://cyclaero.github.io/ipdb/, and I added the recent suggestions 
 > > on rule number/action code per country code, namely, I changed the 
 > > formula for the x-flag to the suggestion of Ian (value = offset + 
 > > ((C1 - 'A')*26 + (C2 - 'A'))*10), and I added the idea of directly 
 > > assigning a number to a country code in the argument for the t-flag 
 > > ("CC=nnnnn:...").  Furthermore, I removed the divert filter daemon 
 > > from the Makefile. The source is still on GitHub, though, and can be 
 > > re-vamped if necessary. Now I am going to prepare the Makefile for
 > > the port.

Terrific work, Rolf!  Something for everyone, although I'm guessing the 
pf people are going to want a piece of the action, if they need any more 
than the -p option and a bit of scripting.

 > I just submitted a PR asking to add the new port 'sysutils/ipdbtools'.
 > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211744

Wonderful.

 > I needed to change the name of the geoip tool, because GeoIP® is a
 > registered trademark of MaxMind, Inc., see www.maxmind.com. The name 

I did wonder about that ..

 > of the tool is now 'ipup' = abbreviated form of IP geo location table 
 > generation and look-UP, that is without the boring middle part :-D
 >
 > Those, who used geoip already in some scripts, please excuse the
 > inconvenience of needing to change the name.

 > With the great help of Julian, I was able to improve the man file and
 > the latest version can be read online:
 >
 >   https://cyclaero.github.io/ipdb/

Nice manual and all.  A few typos noted below (niggly Virgo proofreader)

I must apologise for added exasperation earlier.  I was tending towards 
conflating several other ipfw issues under discussion (named states, new 
state actions, and this).  Sorry if I bumped you off course momentarily, 
though I don't seem to have slowed you down too much ..

As a hopefully not unwelcome aside, it's a pity that IBM, of all people, 
couldn't manage geo-blocking successfully for the Australian Census the 
other night.  Next time around we can offer them a working geo-blocking 
firewall/router for a good deal less than the AU$9.6M we've paid IBM :)

Census: How the Government says the website meltdown unfolded:
http://www.abc.net.au/news/2016-08-10/census-night-how-the-shambles-unfolded/7712964

A more tech-savvy article than ABC or other news media managed so far:
https://www.theguardian.com/australia-news/2016/aug/10/computer-says-no-australian-census-shambles-explanation-depends-on-who-you-ask

cheers, Ian

=======

It is suitable for inclusion into cron.  "for invocation by cron" maybe?

ipdb_update.sh has IPRanges="/usr/local/etc/ipdb/IPRanges" but some (not 
all) mentions in the manpage use "IP-Ranges" with a hyphen, including 
the FILES section.  Also the last one there repeats "*bst.v4" for IPv6.

It's not quite clear how to specify an 'empty CC list'? ''? ""? either?

"from certain [countries?] we don't like .."

"piped into sort of [or?] a pre-processing command .."

=======

