ipfw divert filter for IPv4 geo-blocking

Michael Sierchio kudzu at tenebras.com
Tue Jul 26 17:40:31 UTC 2016


On Tue, Jul 26, 2016 at 9:26 AM, Julian Elischer <julian at freebsd.org> wrote:

>>     table 1 { DE, NL } -> 10000,
>>                 { US, UK } -> 10100
>>     table 2 { CN, KO, TR } -> 20000
>>
> why multiple tables?
> if you load the table at once you can assign a country code as the
> tablearg for every run of addresses. all in one table.


I mentioned that in my earlier response - but if the point is to block
entire countries (or any collection of CIDR blocks, for that matter), it's
sufficient to have a whitelist table and a blacklist table. The table arg
could also be a skipto rule number, right? And you can do policy-based
routing, with the table arg as a FIB number.

Passing the packet to userland via divert sockets was a brilliant idea in
2003. natd was pretty much the first NAT mechanism to properly handle ICMP
error responses, too.

-- 
"Well," Brahma said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent man requires only two thousand five hundred."

- The Mahābhārata

