ipfw divert filter for IPv4 geo-blocking
Dr. Rolf Jansen
rj at obsigna.com
Wed Jul 27 21:15:42 UTC 2016
> On 27.07.2016 at 17:08, olli hauer <ohauer at gmx.de> wrote:
> On 2016-07-27 15:36, Dr. Rolf Jansen wrote:
>>
>> I finished adding a second usage form for the geoip tool, namely generation of ipfw table construction directives filtered by country codes.
>>
>> ______________
>> $ geoip -h
>> geoip v1.0.1 (16), Copyright © 2016 Dr. Rolf Jansen
>>
>> Usage:
>>
>> 1) look up the country code belonging to an IPv4 address given by the last command line argument:
>>
>> geoip [-r bstfile] [-h] <dotted IPv4 address>
>> <IPv4 address> a dotted IPv4 address to be looked up.
>>
>> 2) generate a sorted list of IPv4 address/masklen pairs per country code, formatted as ipfw table construction directives:
>>
>> geoip -t [CC:DD:EE:..] [-n table number] [-v table value] [-r bstfile] [-h]
>>
>> -t [CC:DD:EE:..] output all IPv4 address/masklen pairs belonging to the listed countries, given by 2 letter
>> capital country codes, separated by colon. An empty CC list means any country code.
>> -n table number the ipfw table number between 0 and 65534 [default: 0].
>> -v table value the 32-bit unsigned value of the ipfw table entry [default: 0].
>>
>> valid arguments in both usage forms:
>>
>> -r bstfile the path to the binary file with the consolidated IP ranges that has been
>> generated by the 'ipdb' tool [default: /usr/local/etc/ipdb/IPRanges/ipcc.bst].
>> -h show these usage instructions.
>> ______________
>>
>> With that, the ipfw configuration script may contain something like this:
>>
>> …
>> # allow only web access from DE, BR, US:
>> /usr/local/bin/geoip -t DE:BR:US -n 7 | /sbin/ipfw -q /dev/stdin
>> /sbin/ipfw -q add 70 deny tcp from not table\(7\) to any 80,443 in recv WAN_if setup
>> …
>>
>> OR, the other way around:
>> …
>> # deny web access from certain disgraceful regions:
>> /usr/local/bin/geoip -t KO:TR:SA:RU:GB -n 66 | /sbin/ipfw -q /dev/stdin
>> /sbin/ipfw -q add 70 allow tcp from not table\(66\) to any 80,443 in recv WAN_if setup
>> …
>> ____________
>
> Nice work :)
>
> Now it is also possible to use geoip to create files usable for pf.
> (just pipe the output through sed -e 's/table 0 add //')
>
> Perhaps the following diff for Makefile is useful.
> - use PREFIX instead of a hard-coded path
> - use "install -s" instead of "strip -x -o"
> - use "install -m" instead of "cp ; chmod"
I changed the Makefile according to your suggestions, and I added another command line option to the geoip tool:
…
-p plain IP table generation, i.e. without ipfw construction directives; the -n and -v flags are ignored.
…
The changes are already uploaded to GitHub.
Best regards
Rolf
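The pipeline discussed in the thread, as an added example that is not code from the geoip/ipdb project or from either poster. It assumes (inferred from olli's sed expression) that `geoip -t CC:.. -n N` prints one line per prefix of the form `table N add A.B.C.D/len value`, and it reuses table 7, rule 70 and ports 80,443 from Rolf's snippet; the interface name `em0` is a placeholder. Neither geoip nor ipfw is executed: the functions read such directive lines from stdin and emit text, so the script runs anywhere and its output can be piped into `ipfw -q /dev/stdin` on the firewall host. The converter also accepts the bare `A.B.C.D/len` lines that the new `-p` flag produces, which goes a little beyond the single sed command in the thread.

```shell
#!/bin/sh
# Added example, not part of the geoip/ipdb project or the mail thread.
# Assumption: geoip -t emits lines like "table N add A.B.C.D/len value";
# with -p it emits plain "A.B.C.D/len" lines. Both forms are handled.

# Convert ipfw table construction directives (any table number) into a
# plain prefix list, one address/masklen per line, as used by a pf
# 'table <name> file "..."' definition. Lines that are already bare
# prefixes pass through; anything else is dropped.
ipfw_to_pf_table() {
    sed -n -E 's/^(table [0-9]+ add )?([0-9.]+\/[0-9]+)( [0-9]+)?$/\2/p'
}

# Emit the ipfw commands for an allow-list built from geoip directives:
# reset table $1, load the directives from stdin unchanged, then deny
# inbound TCP connection setups to the web ports from every source that
# is not in the table. Order matters: with an empty table the
# "not table(N)" clause matches every source, so the table is filled
# before the deny rule is installed.
#   $1 = ipfw table number, $2 = ipfw rule number, $3 = WAN interface
emit_ipfw_allowlist() {
    tbl=$1; rule=$2; wan=$3
    printf 'table %s flush\n' "$tbl"            # make re-runs idempotent
    grep -E "^table $tbl add "                   # only directives for this table
    printf 'add %s deny tcp from not table(%s) to any 80,443 in recv %s setup\n' \
        "$rule" "$tbl" "$wan"
}

# Constructed sample standing in for "geoip -t DE:BR:US -n 7" output.
sample='table 7 add 10.0.0.0/8 0
table 7 add 192.0.2.0/24 0
198.51.100.0/24'

printf '%s\n' "$sample" | ipfw_to_pf_table
printf '%s\n' "$sample" | emit_ipfw_allowlist 7 70 em0
```

On the firewall the real pipeline would be `geoip -t DE:BR:US -n 7 | emit_ipfw_allowlist 7 70 em0 | ipfw -q /dev/stdin`; for pf, `geoip -t DE:BR:US | ipfw_to_pf_table > /etc/pf.geo` and then `table <geo> persist file "/etc/pf.geo"`.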
More information about the freebsd-ipfw mailing list