ipfw divert filter for IPv4 geo-blocking
Julian Elischer
julian at freebsd.org
Tue Jul 26 16:26:51 UTC 2016
On 26/07/2016 1:01 AM, Jan Bramkamp wrote:
>
>
> On 25/07/16 16:28, Dr. Rolf Jansen wrote:
>> I have written an ipfw divert filter daemon for IPv4 geo-blocking.
>> It has been working flawlessly on two server installations for a week.
>>
>> Anyway, I am still in doubt whether I do the blocking in the
>> correct way. Once the filter receives a packet from the respective
>> divert socket it looks up the country code of the source IP in the
>> IP-Ranges database, and if the country code shall be allowed then
>> it returns the unaltered packet via said socket; otherwise, the
>> filter does no further processing, so the packet is effectively
>> gone, lost, dropped, discarded, or whatever would be the correct
>> terminology. Is this really the correct way of denying a
>> packet, or is it necessary to inform ipfw somehow about the
>> circumstances, so it can run a proper dropping procedure?
>>
>> I uploaded the filter + accompanying tools to GitHub
>>
>> https://github.com/cyclaero/ipdb
>>
>> Many thanks for any advice in advance.
>
> I would use a set of IPFW tables with skipto/call tablearg rules
> instead.
> Use the daemon to maintain the IPFW tables. I assume your database
> is a list of (CIDR, country code) pairs. In that case the daemon
> config should probably map from sets of country codes to table
> values e.g.
>
> table 1 { DE, NL } -> 10000,
> { US, UK } -> 10100
> table 2 { CN, KO, TR } -> 20000
Why multiple tables?
If you load the table at once you can assign a country code as the
tablearg for every run of addresses, all in one table.
>
> Next the daemon would calculate the minimal set of table entries to
> match these policies exactly and patch the kernel table contents if
> the database changes.
>
> This design avoids the userspace<->kernel copies without losing
> flexibility.
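The single-table variant Julian describes, as an added example that is not part of the thread and not code from the ipdb project: a POSIX sh script that turns a (CIDR, country code) list into one ipfw table whose tablearg is a numeric encoding of the country code, and emits deny rules that match on that value with ipfw's table(number,value) syntax. The sample database, the table number 1, the rule base 1000 and the letter-pair encoding are all assumptions made for the example; the script only prints the ipfw commands so they can be reviewed before being piped to sh on the firewall host.

```shell
#!/bin/sh
# Added example (not from the thread or the ipdb project): build one ipfw
# table keyed by CIDR with the country code encoded as the tablearg value,
# then emit deny rules per blocked country.  Commands are printed, not run.

# Constructed sample database (documentation prefixes); the real input
# would be the (CIDR, country code) pairs from the IP-Ranges database.
SAMPLE_DB='192.0.2.0/24 DE
198.51.100.0/24 US
203.0.113.0/24 CN
203.0.113.128/25 KR'

TABLE=1           # ipfw table number used by the example (assumption)
RULE_BASE=1000    # first rule number for the generated deny rules (assumption)

# Encode an ISO 3166 alpha-2 code as 26*first + second + 1 with A=0..Z=25.
# The result is never 0 and is unique per code, so it fits the unsigned
# 32-bit tablearg and can be decoded again when reading the table back.
cc_value() {
    cc=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    a=$(printf '%d' "'${cc%?}")   # ASCII code of the first letter
    b=$(printf '%d' "'${cc#?}")   # ASCII code of the second letter
    echo $(( (a - 65) * 26 + (b - 65) + 1 ))
}

# One "ipfw table N add CIDR VALUE" line per database entry, preceded by the
# table creation needed on FreeBSD 11 (harmless to repeat with 2>/dev/null).
gen_table_cmds() {
    printf 'ipfw table %s create type addr 2>/dev/null\n' "$TABLE"
    printf '%s\n' "$SAMPLE_DB" | while read -r cidr cc; do
        [ -n "$cidr" ] || continue
        printf 'ipfw table %s add %s %s\n' "$TABLE" "$cidr" "$(cc_value "$cc")"
    done
}

# One deny rule per blocked country code given as arguments.  The match
# 'table(N,VALUE)' only fires for entries carrying that value, so a single
# table serves every country; addresses of other countries fall through
# to whatever rules follow RULE_BASE.
gen_rules() {
    n=$RULE_BASE
    for cc in "$@"; do
        printf "ipfw add %s deny ip from 'table(%s,%s)' to any in\n" \
            "$n" "$TABLE" "$(cc_value "$cc")"
        n=$((n + 1))
    done
}

# Whole batch: table contents first, then the rules that reference them.
# Usage on the firewall: sh thisfile.sh | sh   (after reviewing the output)
gen_all() {
    gen_table_cmds
    gen_rules "$@"
}
```

Because the rules match on the table value rather than on a per-country table, changing the blocked set means adding or removing a few rules, while refreshing the database is a table reload. On FreeBSD 11 the reload can be made atomic by filling a second table and using `ipfw table A swap B`, so no packet is evaluated against a half-loaded table.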