ipfw divert filter for IPv4 geo-blocking

Julian Elischer julian at freebsd.org
Tue Jul 26 19:05:46 UTC 2016


On 27/07/2016 1:40 AM, Michael Sierchio wrote:
> On Tue, Jul 26, 2016 at 9:26 AM, Julian Elischer <julian at freebsd.org> wrote:
>
>>>      table 1 { DE, NL } -> 10000,
>>>                  { US, UK } -> 10100
>>>      table 2 { CN, KO, TR } -> 20000
>>>
>> why multiple tables?
>> if you load the table at once you can assign a country code as the
>> tablearg for every run of addresses. all in one table.
>
> I mentioned that in my earlier response - but if the point is to block
> entire countries (or any collection of CIDR blocks, for that matter), it's
> sufficient to have a whitelist table and a blacklist table. The table arg
> could also be a skipto rule number, right? And you can do policy-based
> routing, with the table arg as a FIB number.
>
> Passing the packet to userland via divert sockets was a brilliant idea in
> 2003. natd was pretty much the first NAT mechanism to properly handle ICMP
> error responses, too.
2003?  nahh we wrote it and divert in 96 :-)
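Taking up the single-table approach from the reply above (one address table whose tablearg is the per-country skipto target, instead of one table per policy): the sh script below is an added example, not code from the thread or from FreeBSD. It generates the ipfw commands rather than applying them, so it runs anywhere; piping its output into sh on a FreeBSD host would load the table and rules. The CIDR prefixes are constructed sample data (not real country allocations), the country-to-rule mapping follows the sketch quoted above, and the "ipfw table 1 create type addr" line is the FreeBSD 11+ form (older releases create the table implicitly on the first add).

```shell
#!/bin/sh
# Added example: geo-blocking with ONE ipfw table, using the tablearg as the
# skipto target for each country.  Nothing here is from the mailing-list thread.

# Constructed sample prefixes: "<country> <cidr>".  Hypothetical, not real allocations.
SAMPLE_PREFIXES='DE 10.1.0.0/16
NL 10.2.0.0/16
US 10.3.0.0/16
CN 10.4.0.0/16'

# Policy map from the thread's sketch: country -> rule number the packet is
# sent to with "skipto tablearg".  0 means "no policy, leave out of the table".
policy_rule_for() {
  case "$1" in
    DE|NL)    echo 10000 ;;
    US|UK)    echo 10100 ;;
    CN|KO|TR) echo 20000 ;;
    *)        echo 0 ;;
  esac
}

# Emit the ipfw commands on stdout.  One table, one classification rule,
# then a rule block per policy; the tablearg picks the block.
gen_ipfw_rules() {
  echo "ipfw table 1 create type addr"          # FreeBSD 11+ explicit create
  echo "$SAMPLE_PREFIXES" | while read -r cc cidr; do
    [ -n "$cc" ] || continue
    target=$(policy_rule_for "$cc")
    if [ "$target" -ne 0 ]; then
      # value stored with the prefix becomes tablearg at match time
      echo "ipfw table 1 add $cidr $target"
    fi
  done
  # Single lookup: jump to whatever rule number the matching entry carries.
  echo "ipfw add 100 skipto tablearg ip from 'table(1)' to any in"
  # Not in the table: default policy for this example is to continue/allow.
  echo "ipfw add 110 allow ip from any to any"
  # Per-policy blocks (targets of the skipto); extend each block as needed.
  echo "ipfw add 10000 allow ip from any to any"
  echo "ipfw add 10100 allow ip from any to any"
  echo "ipfw add 20000 deny ip from any to any"
}

gen_ipfw_rules
```

The same table value can instead be consumed as a FIB number with "setfib tablearg" in place of "skipto tablearg", which gives the policy-based routing variant mentioned above; the table load is unchanged, only the rule at 100 differs. When the tablearg is a skipto target, make sure every value stored in the table corresponds to a rule number that actually exists, since a skipto to a nonexistent rule falls through to the next higher rule.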
