your thoughts on a particular ipfw action.

Dr. Rolf Jansen rj at obsigna.com
Thu Aug 11 13:09:33 UTC 2016


> Am 11.08.2016 um 08:06 schrieb Ian Smith <smithi at nimnet.asn.au>:
> On Wed, 10 Aug 2016 -0300, Dr. Rolf Jansen wrote:
> 
> (just curious: whereabouts is -0300?  Brazil?)

Yes, I am a German living in Brazil for more than 10 years now. BTW, your mail provider is blocking my mails, perhaps because the origin is Brazil, but I am using a German provider for my mail transport.

>>> Am 08.08.2016 um 18:46 schrieb Dr. Rolf Jansen <rj at obsigna.com>:
>>> I am almost finished with preparing the tools for geo-blocking and 
>>> geo-routing at the firewall for submission to the FreeBSD ports.
> 
>>> I created a man file for the tools, see: 
>>> https://cyclaero.github.io/ipdb/, and I added the recent suggestions 
>>> on rule number/action code per country code, namely, I changed the 
>>> formula for the x-flag to the suggestion of Ian (value = offset + 
>>> ((C1 - 'A')*26 + (C2 - 'A'))*10), and I added the idea of directly 
>>> assigning a number to a country code in the argument for the t-flag 
>>> ("CC=nnnnn:...").  Furthermore, I removed the divert filter daemon 
>>> from the Makefile. The source is still on GitHub, though, and can be 
>>> re-vamped if necessary. Now I am going to prepare the Makefile for
>>> the port.
> 
> Terrific work, Rolf!  Something for everyone, although I'm guessing the 
> pf people are going to want a piece of the action, if they need any more 
> than the -p option and a bit of scripting.

It is not that much work to add other output options. The main obstacle for me is that I won't be able to test it carefully together with pf. So it would be good to do this in cooperation with someone who has a well-running pf firewall -- the same holds for other possible applications as well.

>> I just submitted a PR asking to add the new port 'sysutils/ipdbtools'.
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211744
> 
> Wonderful.

The port maintainers were really quick. The port has been accepted and has already been committed.

>> I needed to change the name of the geoip tool, because GeoIP® is a
>> registered trademark of MaxMind, Inc., see www.maxmind.com. The name 
> 
> I did wonder about that ..
> 
>> of the tool is now 'ipup' = abbreviated form of IP geo location table 
>> generation and look- UP , that is without the boring middle part :-D
>> 
>> Those, who used geoip already in some scripts, please excuse the
>> inconvenience of needing to change the name.
> 
>> With the great help of Julian, I was able to improve the man file and
>> the latest version can be read online:
>> 
>>  https://cyclaero.github.io/ipdb/
> 
> Nice manual and all.  A few typos noted below (niggly Virgo proofreader)

I was tempted to get these last changes into my PR, but I am sorry, it was too late for the initial release. I committed the corrected man file to the GitHub repository, though; it will automatically go into the next release of the ipdbtools, perhaps together with some additions for using it together with pf(8) and route(8).

> I must apologise for added exasperation earlier.  I was tending towards 
> conflating several other ipfw issues under discussion (named states, new 
> state actions, and this).  Sorry if I bumped you off course momentarily, 
> though I don't seem to have slowed you down too much ..

Nothing to be sorry about. I like discussions.

> As a hopefully not unwelcome aside, it's a pity that IBM, of all people, 
> couldn't manage geo-blocking successfully for the Australian Census the 
> other night.  Next time around we can offer them a working geo-blocking 
> firewall/router for a good deal less than the AU$9.6M we've paid IBM :)
> 
> Census: How the Government says the website meltdown unfolded:
> http://www.abc.net.au/news/2016-08-10/census-night-how-the-shambles-unfolded/7712964
> 
> A more tech-savvy article than ABC or other news media managed so far:
> https://www.theguardian.com/australia-news/2016/aug/10/computer-says-no-australian-census-shambles-explanation-depends-on-who-you-ask

Well, I tend to believe that this has nothing to do with DoS attacks. I mean, of course it is DoS, but not caused by an attack. Exactly the same happens every year on the 30th of April between 17:00 and 24:00 on the servers of the Federal Bureau of Finance here in Brazil. That is the deadline for the online submission of the annual tax declaration of Brazilian citizens. It seems that bureaucrats all over the world share the same deficiency in creative problem solving.

Who in the bureaucrats' hell told them to go with one deadline for everybody? For the census in Australia, I would have told the citizens that everybody gets an individual deadline, which is his or her birthday in 2016 -- problem solved.

> =======
> 
> It is suitable for inclusion into cron.  "for invocation by cron" maybe?

OK, "invocation by" sounds better (for me)

> ipdb_update.sh has IPRanges="/usr/local/etc/ipdb/IPRanges" but some (not 
> all) mentions in the manpage use "IP-Ranges" with a hyphen, including 
> the FILES section.  Also the last one there repeats "*bst.v4" for IPv6.

OK, corrected

> It's not quite clear how to specify an 'empty CC list'? ''? ""? either?

Well, in the Synopsis and in the description of the second usage form there was already ... | "". Now I have clarified this in the description as well, as follows:

"An empty CC list (denoted by "") means any country code."


> "from certain [countries?] we don't like .."

OK

> "piped into sort of [or?] a pre-processing command .."

OK, I removed "sort of", leaving "... piped into a pre-processing command ..."

> 
> =======

As already said, the corrections are not part of the initial release into the FreeBSD ports; for this one it was too late. The man file on GitHub is already corrected.

Best regards

Rolf
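The x-flag rule-number formula quoted earlier in the thread (value = offset + ((C1 - 'A')*26 + (C2 - 'A'))*10), worked through as an added example that is not part of ipdbtools: it maps a country code to its ipfw rule number and back, and checks that a chosen offset keeps every code from AA to ZZ below ipfw's rule-number limit. The offset value 10000 is an assumption; the 10-rule stride per code comes from the formula itself.

```python
# Added example, not code from ipdbtools. Implements the x-flag mapping
# value = offset + ((C1 - 'A')*26 + (C2 - 'A'))*10 and its inverse, plus a
# sanity check on the offset so that generated rule numbers stay valid.

IPFW_MAX_RULE = 65534   # ipfw rule numbers are 16-bit; 65535 is the fixed default rule
CODES = 26 * 26         # every two-letter combination AA..ZZ
STRIDE = 10             # each country code owns a block of 10 rule numbers


def cc_to_rule(cc: str, offset: int) -> int:
    """Base rule number for country code `cc` (case-insensitive) at `offset`."""
    cc = cc.upper()
    if len(cc) != 2 or not cc.isascii() or not cc.isalpha():
        raise ValueError(f"not a two-letter country code: {cc!r}")
    index = (ord(cc[0]) - ord('A')) * 26 + (ord(cc[1]) - ord('A'))
    rule = offset + index * STRIDE
    if not 1 <= rule <= IPFW_MAX_RULE:
        raise ValueError(f"rule {rule} for {cc} is outside 1..{IPFW_MAX_RULE}")
    return rule


def rule_to_cc(rule: int, offset: int) -> str:
    """Inverse mapping: recover the country code whose block starts at `rule`."""
    index, remainder = divmod(rule - offset, STRIDE)
    if remainder != 0 or not 0 <= index < CODES:
        raise ValueError(f"rule {rule} is not a country block base at offset {offset}")
    return chr(ord('A') + index // 26) + chr(ord('A') + index % 26)


def max_offset() -> int:
    """Largest offset for which even ZZ still maps to a usable rule number."""
    return IPFW_MAX_RULE - (CODES - 1) * STRIDE


def offset_is_safe(offset: int) -> bool:
    """True if AA..ZZ all land in 1..IPFW_MAX_RULE (blocks never overlap by construction)."""
    return 1 <= offset <= max_offset()


if __name__ == "__main__":
    OFFSET = 10000  # assumed offset for the demonstration
    for code in ("AU", "BR", "DE", "ZZ"):
        rule = cc_to_rule(code, OFFSET)
        print(f"{code} -> rule {rule} -> {rule_to_cc(rule, OFFSET)}")
    print("max safe offset:", max_offset(), "offset ok:", offset_is_safe(OFFSET))
```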
