your thoughts on a particular ipfw action.
Ian Smith
smithi at nimnet.asn.au
Thu Aug 11 17:20:50 UTC 2016
On Thu, 11 Aug 2016 10:09:24 -0300, Dr. Rolf Jansen wrote:
> > Am 11.08.2016 um 08:06 schrieb Ian Smith <smithi at nimnet.asn.au>:
> > On Wed, 10 Aug 2016 -0300, Dr. Rolf Jansen wrote:
> >
> > (just curious: whereabouts is -0300? Brazil?)
>
> Yes, I am a German living in Brazil for more than 10 years now. BTW,
> your mail provider is blocking my mails, perhaps, because the origin
> is Brazil, but I am using a German provider for my mail transport.
Oops. You should have mail from smithi at someisp about sorting that out?
Cutting to recent:
> > Terrific work, Rolf! Something for everyone, although I'm guessing the
> > pf people are going to want a piece of the action, if they need any more
> > than the -p option and a bit of scripting.
>
> It is not that much work, to add other output options. The main
> obstacle for me is, that I won't be able to test it carefully
> together with pf. So, it would be good to do this in cooperation with
> someone who got a well running pf firewall -- the same holds for
> other possible applications as well.
Indeed. Once again I've suggested something I can't help with and know
next to nothing about :)
> >> I just submitted a PR asking to add the new port 'sysutils/ipdbtools'.
> >> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211744
> >
> > Wonderful.
>
> The port maintainers were really quick. The port has been accepted
> and has been already committed.
So it has, on refreshing the page. Smooth and fast.
Re __uint128_t I _guess_ there may be macro/s to do that maths for i386?
> >> With the great help of Julian, I was able to improve the man file and
> >> the latest version can be read online:
> >>
> >> https://cyclaero.github.io/ipdb/
> >
> > Nice manual and all. A few typos noted below (niggly Virgo proofreader)
>
> I was tempted to get these last changes into my PR, but I am sorry,
Not at all; nothing that might confuse or deter anybody .. niggles.
> it was too late for the initial release. I committed the corrected
> man file to the GitHub repository, though, it will automatically go
> into the next release of the ipdbtools, perhaps together with some
> additions for using it together with pf(8) and route(8).
Great. Looking forward to having a play, albeit on a box not running
any external services currently, to scope it out.
> Nothing, to be sorry about. I like discussions.
Ok, no sorrow either way ..
> > As a hopefully not unwelcome aside, it's a pity that IBM, of all people,
> > couldn't manage geo-blocking successfully for the Australian Census the
> > other night. Next time around we can offer them a working geo-blocking
> > firewall/router for a good deal less than the AU$9.6M we've paid IBM :)
> >
> > Census: How the Government says the website meltdown unfolded:
> > http://www.abc.net.au/news/2016-08-10/census-night-how-the-shambles-unfolded/7712964
> >
> > A more tech-savvy article than ABC or other news media managed so far:
> > https://www.theguardian.com/australia-news/2016/aug/10/computer-says-no-australian-census-shambles-explanation-depends-on-who-you-ask
>
> Well, I tend to believe that this has nothing to do with DoS attacks,
Some should have been expected, planned for, mitigation anticipated, as
well as expecting at least 5 times the legit connections/hr they tested
for, and as the Guardian article pointed to, their DNS was screwed in
several ways: way too long TTL (can't move fast), hard-coded subdomain
in SSL cert (couldn't readily add load-sharing capacity?) and such.
But they admit the geo-blocking fell over - whether inline as firewall
or on another server fielding lookup requests not disclosed - but they
say that failure caused a/the/some router to fail (crash? explode? :)
IBM, FFS! but they'll point to govt specs and disclaim hardware failure
but still it's not great product endorsement for their SoftLayer Cloud.
> I mean, of course it is DoS, but not caused by an attack. Exactly the
> same happens every year on 30th of April between 17:00 and 24:00 on
> the servers of the Federal Bureau of Finance here in Brazil. That is
> the deadline for the online-submission of the annual tax declaration
> of the Brazilian citizens. Seems that the bureaucrats all over the
> world share the same deficiency of creative problem solving.
Seems it's a requirement for the job, world wide. Creativity is scary,
but you think they could guess that ~8 million households in the eastern
timezone were going to have dinner then do their census within ~2 hours.
> Who in the bureaucrats' hell told them to go with one deadline for
> everybody? For the census in Australia, I would have told the
> citizens that everybody got an individual deadline which is his or
> her birthday in 2016 -- problem solved.
That'd be great load-balancing .. shall I let them know? :)
> > It's not quite clear how to specify an 'empty CC list'? ''? ""? either?
>
> Well, in the Synopsis and in the description of the second usage form
> there was already ... | "". Now, I clarified this in the description
> as well as follows:
>
> "An empty CC list (denoted by "") means any country code."
Clearer; my old browser was rendering "" to look like '"' ie misspaced.
> As already said, the corrections are not part of the initial release
> into the FreeBSD ports, for this one it was too late. The man file on
> GitHub is corrected already.
>
> Best regards
>
> Rolf
All good. Even better when I find what's blocking your host|IP.
cheers, Ian