ipfw divert filter for IPv4 geo-blocking
Ian Smith
smithi at nimnet.asn.au
Fri Jul 29 06:00:37 UTC 2016
On Thu, 28 Jul 2016 23:21:01 -0300, Dr. Rolf Jansen wrote:
> On 27.07.2016 at 12:31, Julian Elischer <julian at freebsd.org> wrote:
[..]
>> wow, wonderful!
>> with that tool, and ipfw tables we have a fully functional geo
>> blocking/munging solution in about 4 lines of shell script.
> Unfortunately, I finally discovered that ipfw tables as they are, are
> unsuitable for the given purpose, because for some reason ipfw
> mangles about 20 % of the passed IP address/masklen pairs.
> For example:
> # ipfw table 1 add 201.222.20.0/20
> # ipfw table 1 list
> --> 201.222.16.0/20 0
> $ geoip 201.222.20.1
> --> 201.222.20.1 in 201.222.20.0-201.222.31.255 in BR
> $ geoip 201.222.16.1
> --> 201.222.16.1 in 201.222.16.0-201.222.19.255 in AR
Just to add to what Julian and Lee observed, testing IPs at
<http://www.viewdns.info/whois/?domain=201.222.20.1>
(sourced from LACNIC thence whois.registro.br)
inetnum: 201.222.20/22
aut-num: AS61902
abuse-c: CSJ45
owner: Bahialink - Technology
ownerid: 004.724.687/0001-69
country: BR
So the geoip result for 201.222.20.1 is just wrong - it should return
201.222.20.0 - 201.222.23.255 (ie, /22)
and not
201.222.16.0 - 201.222.31.255 (ie, /20)
While the range for 201.222.16.1 is in fact a /22:
<http://www.viewdns.info/whois/?domain=201.222.16.1>
[..]
inetnum: 201.222.16/22
status: allocated
aut-num: N/A
owner: G2KHosting S.A.
ownerid: AR-GKSA-LACNIC
responsible: Mauro Ferraro
address: Maipu, 33,
address: 2900 - San Nicolas de los Arroyos - BA
country: AR
> Effectively, I asked ipfw to add an IP-range of Brazil to table 1,
> but it actually added another one which belongs to Argentina. This
> doesn't make too much sense, does it?
Not if geoip is returning the wrong address range for 201.222.20.1, no.
> For the time being I switched my servers back to geo-blocking with
> the divert filter daemon.
I don't know what's wrong or where, just that it is ..
How are you getting from geoip's IP range to /maskbits?
cheers, Ian
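An added example (not code from the thread or from the geoip tool) showing the two halves of the question above: how an inclusive IP range maps onto aligned CIDR prefixes, and what ipfw does with a prefix whose host bits are not zero. The function names are hypothetical; the addresses are the ones quoted in the thread.

```python
import ipaddress

# Added example, not code from the thread or from the geoip tool.
# Function names are hypothetical.

def range_to_prefixes(first, last):
    """Split an inclusive IPv4 range into the minimal list of aligned prefixes.

    Each prefix is the largest block that starts at the current address
    (its low bits must be zero) and does not run past the end of the range.
    """
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    prefixes = []
    while start <= end:
        masklen = 32
        while masklen > 0:
            bigger = 1 << (32 - masklen + 1)        # size of the next larger block
            if start & (bigger - 1) or start + bigger - 1 > end:
                break                               # misaligned, or past the end
            masklen -= 1
        prefixes.append(f"{ipaddress.IPv4Address(start)}/{masklen}")
        start += 1 << (32 - masklen)
    return prefixes


def normalize_like_ipfw(prefix):
    """Return (was_aligned, stored): the table keeps the masklen and zeroes host bits.

    A misaligned entry silently becomes a different network, which is the
    'mangling' seen with 201.222.20.0/20 turning into 201.222.16.0/20.
    """
    stored = str(ipaddress.ip_network(prefix, strict=False))
    return stored == prefix, stored


if __name__ == "__main__":
    # Range whois.registro.br gives for 201.222.20.1: exactly one /22.
    print(range_to_prefixes("201.222.20.0", "201.222.23.255"))
    # Range geoip printed for the same address: two prefixes, never a single /20.
    print(range_to_prefixes("201.222.20.0", "201.222.31.255"))
    print(normalize_like_ipfw("201.222.20.0/20"))
```

range_to_prefixes gives the same result as ipaddress.summarize_address_range; it is spelled out here so the alignment rule that ipfw enforces is visible.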