Date:      Mon, 25 Jul 2016 11:28:58 -0300
From:      "Dr. Rolf Jansen" <rj@cyclaero.com>
To:        freebsd-ipfw@freebsd.org
Subject:   ipfw divert filter for IPv4 geo-blocking
Message-ID:  <61DFB3E2-6E34-4EEA-8AC6-70094CEACA72@cyclaero.com>


I have written an ipfw divert filter daemon for IPv4 geo-blocking. It has been working flawlessly on two server installations for a week.

Anyway, I am still in doubt whether I do the blocking in the correct way. Once the filter receives a packet from the respective divert socket, it looks up the country code of the source IP in the IP-Ranges database, and if the country code shall be allowed then it returns the unaltered packet via said socket; otherwise, the filter does no further processing, so the packet is effectively gone, lost, dropped, discarded, or whatever would be the correct terminology. Is this really the correct way of denying a packet, or is it necessary to inform ipfw somehow about the circumstances, so it can run a proper dropping procedure?

I uploaded the filter + accompanying tools to GitHub

   https://github.com/cyclaero/ipdb

Many thanks for any advice in advance.

Best regards

Rolf
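
The per-packet decision described in the message above, written out as an added example in C; it is not taken from the post or from the ipdb repository. The range table, allow-list, sample packets and function names are constructed for illustration, and dropping unlisted or malformed sources is an assumption of this example. The divert socket receive/send loop is assumed to surround `geo_verdict()`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data: sorted, non-overlapping ranges (host byte order) over
 * RFC 5737 documentation nets, and 20-byte IPv4 headers differing only in source. */
static const struct { uint32_t lo, hi; const char *cc; } sample_db[] = {
    {0xC0000200u, 0xC00002FFu, "BR"},   /* 192.0.2.0/24    */
    {0xC6336400u, 0xC63364FFu, "DE"},   /* 198.51.100.0/24 */
    {0xCB007100u, 0xCB0071FFu, "ZZ"},   /* 203.0.113.0/24  */
};
static const uint8_t pkt_allowed[20]  = {0x45,0,0,20, 0,0,0,0, 64,6,0,0, 192,0,2,10,  10,0,0,1};
static const uint8_t pkt_blocked[20]  = {0x45,0,0,20, 0,0,0,0, 64,6,0,0, 203,0,113,5, 10,0,0,1};
static const uint8_t pkt_unlisted[20] = {0x45,0,0,20, 0,0,0,0, 64,6,0,0, 10,1,2,3,    10,0,0,1};
static const char *const allowed_cc[] = {"BR", "DE"};   /* assumed allow-list */
enum verdict { DROP = 0, PASS = 1 };

static const char *lookup_cc(uint32_t ip)   /* binary search; NULL if unlisted */
{
    size_t lo = 0, hi = sizeof sample_db / sizeof sample_db[0];
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (ip < sample_db[mid].lo)      hi = mid;
        else if (ip > sample_db[mid].hi) lo = mid + 1;
        else return sample_db[mid].cc;
    }
    return NULL;
}

/* PASS: the caller writes the unaltered packet back to the divert socket.
 * DROP: the caller writes nothing back. Fail-closed default is assumed here. */
enum verdict geo_verdict(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return DROP;      /* not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < 20 || ihl > len) return DROP;                /* bad header length */
    uint32_t src = ((uint32_t)pkt[12] << 24) | ((uint32_t)pkt[13] << 16)
                 | ((uint32_t)pkt[14] << 8)  |  (uint32_t)pkt[15];
    const char *cc = lookup_cc(src);
    for (size_t i = 0; cc && i < sizeof allowed_cc / sizeof allowed_cc[0]; i++)
        if (strcmp(cc, allowed_cc[i]) == 0) return PASS;
    return DROP;
}

int main(void)
{
    const uint8_t *p[] = {pkt_allowed, pkt_blocked, pkt_unlisted};
    for (int i = 0; i < 3; i++) printf("%d\n", geo_verdict(p[i], 20));
    return 0;
}
```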

 

