ipfw divert filter for IPv4 geo-blocking

Michael Sierchio kudzu at tenebras.com
Mon Jul 25 15:47:30 UTC 2016


Writing a divert daemon is a praiseworthy project, but I think you could do
this without sending packets to user land.

You could use tables - in fact, a single table of consolidated nets by
country, in which the table entry is a CIDR block and the table arg is a
country code - and you match on table arg. You could simply put nets you
want to block in a table, and dispense with table args. That is how I do
it.

In order to do changes atomically, you need a pair of tables and a pair of
rulesets, and you can swap rulesets when you have built the new table.

On Jul 25, 2016 07:29, "Dr. Rolf Jansen" <rj at cyclaero.com> wrote:

> I have written an ipfw divert filter daemon for IPv4 geo-blocking. It has
> been working flawlessly on two server installations for a week.
>
> Anyway, I am still in doubt whether I do the blocking in the correct way.
> Once the filter receives a packet from the respective divert socket it
> looks up the country code of the source IP in the IP-Ranges database, and
> if the country code shall be allowed then it returns the unaltered packet
> via said socket, otherwise, the filter does no further processing, so the
> packet is effectively gone, lost, dropped, discarded, or whatever would be
> the correct terminology. Is this really the correct way of denying a
> packet, or is it necessary to inform ipfw somehow about the circumstances,
> so it can run a proper dropping procedure?
>
> I uploaded the filter + accompanying tools to GitHub
>
>    https://github.com/cyclaero/ipdb
>
> Many thanks for any advice in advance.
>
> Best regards
>
> Rolf
>
>
> _______________________________________________
> freebsd-ipfw at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
>
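An added illustration of the table-based scheme Michael describes (a single table whose entries are CIDR blocks and whose table arg identifies the country, rules that match on the table arg, and a spare table plus a spare rule set that are rebuilt offline and then swapped in). This is example code written for this page, not code from the thread or from the ipdb project. Everything named here is an assumption of the example: table names geo_a/geo_b, rule sets 1 and 2, rule number 1000, a blocklist file with one "network/prefix CC" pair per line, and the convention of encoding a two-letter country code as first letter * 256 + second letter, which is needed because ipfw stores a table value as a 32-bit unsigned integer. It assumes the named-table syntax of FreeBSD 11 and later (`table NAME create`, `table(NAME,value)` in a rule, `set swap`). With IPFW=echo it prints the commands instead of running them, so the dry run at the bottom works on any host.

```shell
#!/bin/sh
# Added example, not code from this thread or the ipdb project: a two-table,
# two-set ipfw geo-block loader. The live rules sit in set 1 and reference one
# table; the staged table and the rules in set 2 are rebuilt while set 2 is
# disabled, and a single "set swap" moves them into the enabled set.
# Assumed names: tables geo_a/geo_b, sets 1/2, rule number 1000.
# IPFW=echo turns every ipfw invocation into a printed line (dry run).

IPFW="${IPFW:-ipfw}"
RULE=1000

# Encode an ISO 3166 alpha-2 code as the integer ipfw stores as a table value:
# first letter * 256 + second letter (ASCII), e.g. "BR" -> 16978 (own convention).
cc_to_arg() {
    cc=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    first=$(printf '%d' "'${cc%?}")
    second=$(printf '%d' "'${cc#?}")
    echo $((first * 256 + second))
}

# Turn a blocklist file ("network/prefix CC" per line) into "network arg" lines.
# Blank lines and '#' comments are skipped.
blocklist_entries() {
    while read -r net cc rest; do
        case "$net" in ''|'#'*) continue ;; esac
        echo "$net $(cc_to_arg "$cc")"
    done < "$1"
}

# Rebuild table $1 from blocklist $2. Flush-and-reload is not atomic, which is
# exactly why it is only ever done on the table no enabled rule references.
load_table() {
    t=$1
    $IPFW table "$t" create type addr 2>/dev/null || true
    $IPFW table "$t" flush
    blocklist_entries "$2" | while read -r net arg; do
        $IPFW table "$t" add "$net" "$arg"
    done
}

# Replace the rules of set $2 with one inbound deny per blocked country code
# ($3...), each matching on the table arg so one table carries every country.
install_rules() {
    t=$1; set_no=$2; shift 2
    $IPFW delete set "$set_no" 2>/dev/null || true
    for cc in "$@"; do
        $IPFW add "$RULE" set "$set_no" deny ip from "table($t,$(cc_to_arg "$cc"))" to any in
    done
}

# First-time setup: live data in geo_a / set 1, set 2 kept disabled for staging.
bootstrap() {
    load_table geo_a "$1"; shift
    install_rules geo_a 1 "$@"
    $IPFW set disable 2
}

# Cutover: rebuild the staged table ($1) and the rules in set 2, then swap the
# set numbers. Enabled/disabled is a property of the set number, so the staged
# rules become the enabled set 1 and the old ones land in the disabled set 2.
# The caller alternates geo_a/geo_b on successive refreshes.
refresh() {
    staged=$1; blocklist=$2; shift 2
    load_table "$staged" "$blocklist"
    install_rules "$staged" 2 "$@"
    $IPFW set swap 1 2
}

# Stand-alone dry run against a constructed blocklist (TEST-NET ranges, not
# real geo data) when invoked without arguments.
if [ $# -eq 0 ]; then
    IPFW=echo
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample entries
192.0.2.0/24    BR
198.51.100.0/25 CN
203.0.113.0/24  US
EOF
    refresh geo_b "$tmp" BR CN
    rm -f "$tmp"
fi
```

The dry run prints the flush, the three table adds with their numeric country args, the two deny rules for set 2 and finally `set swap 1 2`; on a real host the same sequence is run with IPFW unset, and only the last command changes what traffic is blocked.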

