From: bugzilla-noreply@freebsd.org
To: freebsd-ipfw@FreeBSD.org
Subject: [Bug 211256] ipfw nat tablearg regression in FreeBSD 11
Date: Mon, 08 Aug 2016 16:08:36 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 11.0-BETA1
X-Bugzilla-Keywords: regression
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: ae@FreeBSD.org
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211256

Andrey V. Elsukov changed:

           What    |Removed                  |Added
----------------------------------------------------------------------------
        Assignee|freebsd-ipfw@FreeBSD.org |ae@FreeBSD.org
              CC|                         |ae@FreeBSD.org

-- 
You are receiving this mail because:
You are the assignee for the bug.

From: "Dr. Rolf Jansen"
To: freebsd-ipfw@freebsd.org
Date: Mon, 8 Aug 2016 18:46:58 -0300
Subject: Re: your thoughts on a particualar ipfw action.
Message-Id: <242DF6D8-4287-43BF-BE9F-CE1665D31ED2@obsigna.com>

I am almost finished with preparing the tools for geo-blocking and geo-routing at the firewall for submission to the FreeBSD ports.

I created a man file for the tools, see: https://cyclaero.github.io/ipdb/, and I added the recent suggestions on rule number/action code per country code, namely, I changed the formula for the x-flag to the suggestion of Ian (value = offset + ((C1 - 'A')*26 + (C2 - 'A'))*10), and I added the idea of directly assigning a number to a country code in the argument for the t-flag ("CC=nnnnn:...").

Furthermore, I removed the divert filter daemon from the Makefile. The source is still on GitHub, though, and can be re-vamped if necessary.

Now I am going to prepare the Makefile for the port.

In the meantime, please can a native English speaker look at said man file (see link above)?
I know that my English is lacking, and any corrections would be highly welcome.

Best regards

Rolf
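The x-flag formula Rolf quotes above, value = offset + ((C1 - 'A')*26 + (C2 - 'A'))*10, worked through as an added C example that is not code from ipdbtools or from anyone in this thread: it encodes a two-letter country code to a rule number, decodes a rule number back to its code, and checks that the whole AA..ZZ block stays below 65535, the rule number ipfw reserves for its default rule. The function names, the sample offset of 10000 and the reading of the factor 10 as "ten consecutive numbers per country code" are this example's own assumptions, not the tool's.

```c
/* Added example, not code from ipdbtools: the country-code to rule-number
 * mapping value = offset + ((C1 - 'A')*26 + (C2 - 'A'))*10, its inverse,
 * and a bound check against ipfw's reserved last rule number. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CC_SLOTS       (26 * 26)   /* "AA" .. "ZZ" */
#define CC_STRIDE      10          /* the *10 in the formula: ten numbers per code */
#define IPFW_LAST_RULE 65535       /* ipfw's default rule; user rules stay below it */

/* A country code is exactly two upper-case ASCII letters. */
int cc_is_valid(const char *cc)
{
    return cc != NULL && strlen(cc) == 2 &&
           isupper((unsigned char)cc[0]) && isupper((unsigned char)cc[1]);
}

/* Forward mapping; returns 0 for an invalid code (0 is never a valid ipfw rule). */
unsigned cc_to_rule(unsigned offset, const char *cc)
{
    unsigned slot;
    if (!cc_is_valid(cc))
        return 0;
    slot = (unsigned)(cc[0] - 'A') * 26 + (unsigned)(cc[1] - 'A');
    return offset + slot * CC_STRIDE;
}

/* Inverse mapping: returns 1 and fills cc if rule is the first number of a
 * country slot for this offset, 0 otherwise (numbers between slots carry no code). */
int rule_to_cc(unsigned offset, unsigned rule, char cc[3])
{
    unsigned slot;
    if (rule < offset)
        return 0;
    slot = rule - offset;
    if (slot % CC_STRIDE != 0 || slot / CC_STRIDE >= CC_SLOTS)
        return 0;
    slot /= CC_STRIDE;
    cc[0] = (char)('A' + slot / 26);
    cc[1] = (char)('A' + slot % 26);
    cc[2] = '\0';
    return 1;
}

/* Largest offset for which every slot, "ZZ" with its ten numbers included,
 * ends below IPFW_LAST_RULE: 65535 - 26*26*10 = 58775. */
unsigned cc_max_offset(void)
{
    return IPFW_LAST_RULE - CC_SLOTS * CC_STRIDE;
}

/* 1 if the offset keeps the whole block of country rules inside 1..65534. */
int cc_offset_fits(unsigned offset)
{
    return offset >= 1 && offset <= cc_max_offset();
}

int main(void)
{
    static const char *codes[] = { "AA", "AU", "BR", "DE", "ZZ" };
    unsigned offset = 10000;                  /* constructed sample offset */
    char back[3];
    size_t i;

    for (i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        unsigned rule = cc_to_rule(offset, codes[i]);
        rule_to_cc(offset, rule, back);
        printf("%s -> %5u -> %s\n", codes[i], rule, back);
    }
    printf("offset %u fits: %d, offset %u fits: %d\n",
           cc_max_offset(), cc_offset_fits(cc_max_offset()),
           cc_max_offset() + 1, cc_offset_fits(cc_max_offset() + 1));
    return 0;
}
```

The inverse mapping is what a rule set reviewer needs when reading back a generated `ipfw` configuration: only numbers that sit exactly on a slot boundary decode to a code, so a rule number that falls between slots is flagged rather than silently attributed to a neighbouring country.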

From: "Dr. Rolf Jansen"
To: freebsd-ipfw@freebsd.org
Date: Wed, 10 Aug 2016 22:02:26 -0300
Subject: Re: your thoughts on a particualar ipfw action.
Message-Id: <9D024314-57A2-4079-B630-FB0D844DD5B5@obsigna.com>

> On 08.08.2016 at 18:46, Dr. Rolf Jansen wrote:
> 
> I am almost finished with preparing the tools for geo-blocking and geo-routing at the firewall for submission to the FreeBSD ports.
> 
> I created a man file for the tools, see: https://cyclaero.github.io/ipdb/, and I added the recent suggestions on rule number/action code per country code, namely, I changed the formula for the x-flag to the suggestion of Ian (value = offset + ((C1 - 'A')*26 + (C2 - 'A'))*10), and I added the idea of directly assigning a number to a country code in the argument for the t-flag ("CC=nnnnn:...").
> 
> Furthermore, I removed the divert filter daemon from the Makefile. The source is still on GitHub, though, and can be re-vamped if necessary.
> 
> Now I am going to prepare the Makefile for the port.

I just submitted a PR asking to add the new port 'sysutils/ipdbtools'.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211744

I needed to change the name of the geoip tool, because GeoIP® is a registered trademark of MaxMind, Inc., see www.maxmind.com. The name of the tool is now 'ipup' = abbreviated form of IP geo location table generation and look-UP, that is without the boring middle part :-D

Those who used geoip already in some scripts, please excuse the inconvenience of needing to change the name.

With the great help of Julian, I was able to improve the man file and the latest version can be read online:

https://cyclaero.github.io/ipdb/

Best regards

Rolf


From: Ian Smith
To: "Dr. Rolf Jansen"
Cc: freebsd-ipfw@freebsd.org
Date: Thu, 11 Aug 2016 21:06:03 +1000 (EST)
Subject: Re: your thoughts on a particualar ipfw action.
Message-ID: <20160811200425.F79687@sola.nimnet.asn.au>

On Wed, 10 Aug 2016 -0300, Dr. Rolf Jansen wrote:

(just curious: whereabouts is -0300? Brazil?)

>> On 08.08.2016 at 18:46, Dr. Rolf Jansen wrote:
>> I am almost finished with preparing the tools for geo-blocking and
>> geo-routing at the firewall for submission to the FreeBSD ports.
>> I created a man file for the tools, see:
>> https://cyclaero.github.io/ipdb/, and I added the recent suggestions
>> on rule number/action code per country code, namely, I changed the
>> formula for the x-flag to the suggestion of Ian (value = offset +
>> ((C1 - 'A')*26 + (C2 - 'A'))*10), and I added the idea of directly
>> assigning a number to a country code in the argument for the t-flag
>> ("CC=nnnnn:..."). Furthermore, I removed the divert filter daemon
>> from the Makefile. The source is still on GitHub, though, and can be
>> re-vamped if necessary. Now I am going to prepare the Makefile for
>> the port.

Terrific work, Rolf! Something for everyone, although I'm guessing the pf people are going to want a piece of the action, if they need any more than the -p option and a bit of scripting.

> I just submitted a PR asking to add the new port 'sysutils/ipdbtools'.
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211744

Wonderful.
> I needed to change the name of the geoip tool, because GeoIP® is a
> registered trademark of MaxMind, Inc., see www.maxmind.com. The name

I did wonder about that ..

> of the tool is now 'ipup' = abbreviated form of IP geo location table
> generation and look- UP , that is without the boring middle part :-D
> 
> Those, who used geoip already in some scripts, please excuse the
> inconvenience of needing to change the name.
> With the great help of Julian, I was able to improve the man file and
> the latest version can be read online:
> 
> https://cyclaero.github.io/ipdb/

Nice manual and all. A few typos noted below (niggly Virgo proofreader)

I must apologise for added exasperation earlier. I was tending towards conflating several other ipfw issues under discussion (named states, new state actions, and this). Sorry if I bumped you off course momentarily, though I don't seem to have slowed you down too much ..

As a hopefully not unwelcome aside, it's a pity that IBM, of all people, couldn't manage geo-blocking successfully for the Australian Census the other night. Next time around we can offer them a working geo-blocking firewall/router for a good deal less than the AU$9.6M we've paid IBM :)

Census: How the Government says the website meltdown unfolded:
http://www.abc.net.au/news/2016-08-10/census-night-how-the-shambles-unfolded/7712964

A more tech-savvy article than ABC or other news media managed so far:
https://www.theguardian.com/australia-news/2016/aug/10/computer-says-no-australian-census-shambles-explanation-depends-on-who-you-ask

cheers, Ian

=======

It is suitable for inclusion into cron. "for invocation by cron" maybe?

ipdb_update.sh has IPRanges="/usr/local/etc/ipdb/IPRanges" but some (not all) mentions in the manpage use "IP-Ranges" with a hyphen, including the FILES section. Also the last one there repeats "*bst.v4" for IPv6.

It's not quite clear how to specify an 'empty CC list'? ''? ""? either?

"from certain [countries?] we don't like .."

"piped into sort of [or?] a pre-processing command .."

=======

From: "Dr. Rolf Jansen"
To: freebsd-ipfw@freebsd.org
Date: Thu, 11 Aug 2016 10:09:24 -0300
Subject: Re: your thoughts on a particualar ipfw action.
In-Reply-To: <20160811200425.F79687@sola.nimnet.asn.au>

> On 11.08.2016 at 08:06, Ian Smith wrote:
> On Wed, 10 Aug 2016 -0300, Dr. Rolf Jansen wrote:
> 
> (just curious: whereabouts is -0300? Brazil?)

Yes, I am a German living in Brazil for more than 10 years now. BTW, your mail provider is blocking my mails, perhaps because the origin is Brazil, but I am using a German provider for my mail transport.

>>> On 08.08.2016 at 18:46, Dr. Rolf Jansen wrote:
>>> I am almost finished with preparing the tools for geo-blocking and
>>> geo-routing at the firewall for submission to the FreeBSD ports.
> 
>>> I created a man file for the tools, see:
>>> https://cyclaero.github.io/ipdb/, and I added the recent suggestions
>>> on rule number/action code per country code, namely, I changed the
>>> formula for the x-flag to the suggestion of Ian (value = offset +
>>> ((C1 - 'A')*26 + (C2 - 'A'))*10), and I added the idea of directly
>>> assigning a number to a country code in the argument for the t-flag
>>> ("CC=nnnnn:..."). Furthermore, I removed the divert filter daemon
>>> from the Makefile. The source is still on GitHub, though, and can be
>>> re-vamped if necessary. Now I am going to prepare the Makefile for
>>> the port.
> 
> Terrific work, Rolf! Something for everyone, although I'm guessing the
> pf people are going to want a piece of the action, if they need any more
> than the -p option and a bit of scripting.

It is not that much work to add other output options. The main obstacle for me is that I won't be able to test it carefully together with pf. So, it would be good to do this in cooperation with someone who has a well-running pf firewall -- the same holds for other possible applications as well.

>> I just submitted a PR asking to add the new port 'sysutils/ipdbtools'.
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211744
> 
> Wonderful.

The port maintainers were really quick. The port has been accepted and has already been committed.

>> I needed to change the name of the geoip tool, because GeoIP® is a
>> registered trademark of MaxMind, Inc., see www.maxmind.com. The name
> 
> I did wonder about that ..
> 
>> of the tool is now 'ipup' = abbreviated form of IP geo location table
>> generation and look- UP , that is without the boring middle part :-D
>> 
>> Those, who used geoip already in some scripts, please excuse the
>> inconvenience of needing to change the name.
> 
>> With the great help of Julian, I was able to improve the man file and
>> the latest version can be read online:
>> 
>> https://cyclaero.github.io/ipdb/
> 
> Nice manual and all. A few typos noted below (niggly Virgo proofreader)

I was tempted to get these last changes into my PR, but I am sorry, it was too late for the initial release. I committed the corrected man file to the GitHub repository, though; it will automatically go into the next release of the ipdbtools, perhaps together with some additions for using it together with pf(8) and route(8).

> I must apologise for added exasperation earlier. I was tending towards
> conflating several other ipfw issues under discussion (named states, new
> state actions, and this). Sorry if I bumped you off course momentarily,
> though I don't seem to have slowed you down too much ..

Nothing to be sorry about. I like discussions.

> As a hopefully not unwelcome aside, it's a pity that IBM, of all people,
> couldn't manage geo-blocking successfully for the Australian Census the
> other night. Next time around we can offer them a working geo-blocking
> firewall/router for a good deal less than the AU$9.6M we've paid IBM :)
> 
> Census: How the Government says the website meltdown unfolded:
> http://www.abc.net.au/news/2016-08-10/census-night-how-the-shambles-unfolded/7712964
> 
> A more tech-savvy article than ABC or other news media managed so far:
> https://www.theguardian.com/australia-news/2016/aug/10/computer-says-no-australian-census-shambles-explanation-depends-on-who-you-ask

Well, I tend to believe that this has nothing to do with DoS attacks; I mean, of course it is DoS, but not caused by an attack. Exactly the same happens every year on the 30th of April between 17:00 and 24:00 on the servers of the Federal Bureau of Finance here in Brazil. That is the deadline for the online submission of the annual tax declaration of the Brazilian citizens.
Seems that the bureaucrats all over the world share the same deficiency of creative problem solving.

Who in the bureaucrats' hell told them to go with one deadline for everybody? For the census in Australia, I would have told the citizens that everybody gets an individual deadline which is his or her birthday in 2016 -- problem solved.

> =======
> 
> It is suitable for inclusion into cron. "for invocation by cron" maybe?

OK, "invocation by" sounds better (for me)

> ipdb_update.sh has IPRanges="/usr/local/etc/ipdb/IPRanges" but some (not
> all) mentions in the manpage use "IP-Ranges" with a hyphen, including
> the FILES section. Also the last one there repeats "*bst.v4" for IPv6.

OK, corrected

> It's not quite clear how to specify an 'empty CC list'? ''? ""? either?

Well, in the Synopsis and in the description of the second usage form there was already ... | "". Now, I clarified this in the description as well as follows:

"An empty CC list (denoted by "") means any country code."

> "from certain [countries?] we don't like .."

OK

> "piped into sort of [or?] a pre-processing command .."

OK, I removed "sort of", leaving "... piped into a pre-processing command ..."

> 
> =======

As already said, the corrections are not part of the initial release into the FreeBSD ports; for this one it was too late. The man file on GitHub is corrected already.
Best regards

Rolf


From: Ian Smith
To: "Dr. Rolf Jansen"
Cc: freebsd-ipfw@freebsd.org
Date: Fri, 12 Aug 2016 03:20:39 +1000 (EST)
Subject: Re: your thoughts on a particualar ipfw action.
Message-ID: <20160812014005.V79687@sola.nimnet.asn.au>

On Thu, 11 Aug 2016 10:09:24 -0300, Dr. Rolf Jansen wrote:

> > On 11.08.2016 at 08:06, Ian Smith wrote:
> > On Wed, 10 Aug 2016 -0300, Dr. Rolf Jansen wrote:
> > 
> > (just curious: whereabouts is -0300? Brazil?)
> 
> Yes, I am a German living in Brazil for more than 10 years now.
> BTW,
> your mail provider is blocking my mails, perhaps, because the origin
> is Brazil, but I am using a German provider for my mail transport.

Oops. You should have mail from smithi@someisp about sorting that out?

Cutting to recent:

> > Terrific work, Rolf! Something for everyone, although I'm guessing the
> > pf people are going to want a piece of the action, if they need any more
> > than the -p option and a bit of scripting.
> 
> It is not that much work, to add other output options. The main
> obstacle for me is, that I won't be able to test it carefully
> together with pf. So, it would be good to do this in cooperation with
> someone who got a well running pf firewall -- the same holds for
> other possible applications as well.

Indeed. Once again I've suggested something I can't help with and know next to nothing about :)

> >> I just submitted a PR asking to add the new port 'sysutils/ipdbtools'.
> >> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211744
> > 
> > Wonderful.
> 
> The port maintainers were really quick. The port has been accepted
> and has been already committed.

So it has, on refreshing the page. Smooth and fast.

Re __uint128_t I _guess_ there may be macro/s to do that maths for i386?

> >> With the great help of Julian, I was able to improve the man file and
> >> the latest version can be read online:
> >> 
> >> https://cyclaero.github.io/ipdb/
> > 
> > Nice manual and all. A few typos noted below (niggly Virgo proofreader)
> 
> I was tempted to get these last changes into my PR, but I am sorry,

Not at all; nothing that might confuse or deter anybody .. niggles.

> it was too late for the initial release. I committed the corrected
> man file to the GitHub repository, though, it will automatically go
> into the next release of the ipdbtools, perhaps together with some
> additions for using it together with pf(8) and route(8).

Great. Looking forward to having a play, albeit on a box not running any external services currently, to scope it out.
> Nothing, to be sorry about. I like discussions.

Ok, no sorrow either way ..

> > As a hopefully not unwelcome aside, it's a pity that IBM, of all people,
> > couldn't manage geo-blocking successfully for the Australian Census the
> > other night. Next time around we can offer them a working geo-blocking
> > firewall/router for a good deal less than the AU$9.6M we've paid IBM :)
> > 
> > Census: How the Government says the website meltdown unfolded:
> > http://www.abc.net.au/news/2016-08-10/census-night-how-the-shambles-unfolded/7712964
> > 
> > A more tech-savvy article than ABC or other news media managed so far:
> > https://www.theguardian.com/australia-news/2016/aug/10/computer-says-no-australian-census-shambles-explanation-depends-on-who-you-ask
> 
> Well, I tend to believe that this has nothing to do with DoS attacks,

Some should have been expected, planned for, mitigation anticipated, as well as expecting at least 5 times the legit connections/hr they tested for, and as the guardian article pointed to, their DNS was screwed in several ways: way too long TTL (can't move fast), hard-coded subdomain in SSL cert (couldn't readily add load-sharing capacity?) and such.

But they admit the geo-blocking fell over - whether inline as firewall or on another server fielding lookup requests not disclosed - but they say that failure caused a/the/some router to fail (crash? explode? :)

IBM, FFS! but they'll point to govt specs and disclaim hardware failure but still it's not great product endorsement for their SoftLayer Cloud.

> I mean, of course it is DoS, but not caused by an attack. Exactly the
> same happens every year on 30th of April between 17:00 and 24:00 on
> the servers of the Federal Bureau of Finance here in Brazil. That is
> the deadline for the online-submission of the annual tax declaration
> of the Brazilian citizens. Seems that the bureaucrats all over the
> world share the same deficiency of creative problem solving.
Seems it's a requirement for the job, world wide. Creativity is scary, but you think they could guess that ~8 million households in the eastern timezone were going to have dinner then do their census within ~2 hours.

> Who in the bureaucrats hell told them to go with one deadline for
> everybody? For the census in Australia, I would have told the
> citizens that everybody got an individual deadline which is his or
> her birthday in 2016 -- problem solved.

That'd be great load-balancing .. shall I let them know? :)

> > It's not quite clear how to specify an 'empty CC list'? ''? ""? either?
> 
> Well, in the Synopsis and in the description of the second usage form
> there was already ... | "". Now, I clarified this in the description
> as well as follows:
> 
> "An empty CC list (denoted by "") means any country code."

Clearer; my old browser was rendering "" to look like '"' ie misspaced.

> As already said, the corrections are not part of the initial release
> into the FreeBSD ports, for this one it was too late. The man file on
> GitHub is corrected already.
> 
> Best regards
> 
> Rolf

All good. Even better when I find what's blocking your host|IP.
cheers, Ian
15360 bits RSA)) (Client did not present a certificate) for ; Fri, 12 Aug 2016 02:20:14 +0200 (CEST) Received: from rolf.projectworld.net (rolf.projectworld.net [192.168.222.25]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.obsigna.com (Postfix) with ESMTPSA id 3E0BD229861E for ; Thu, 11 Aug 2016 21:20:11 -0300 (BRT) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\)) Subject: Re: your thoughts on a particualar ipfw action. From: "Dr. Rolf Jansen" In-Reply-To: <20160812014005.V79687@sola.nimnet.asn.au> Date: Thu, 11 Aug 2016 21:20:10 -0300 Content-Transfer-Encoding: quoted-printable Message-Id: <18FB78EB-B93F-4E03-8DCC-83294133C323@obsigna.com> References: <20160805024301.H56585@sola.nimnet.asn.au> <7486c7ce-49db-b6b9-a6bb-13f04b4ce6d6@freebsd.org> <242DF6D8-4287-43BF-BE9F-CE1665D31ED2@obsigna.com> <9D024314-57A2-4079-B630-FB0D844DD5B5@obsigna.com> <20160811200425.F79687@sola.nimnet.asn.au> <20160812014005.V79687@sola.nimnet.asn.au> To: freebsd-ipfw@freebsd.org X-Mailer: Apple Mail (2.3124) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Aug 2016 00:20:17 -0000 > Am 11.08.2016 um 14:20 schrieb Ian Smith : > On Thu, 11 Aug 2016 10:09:24 -0300, Dr. Rolf Jansen wrote: >>> Am 11.08.2016 um 08:06 schrieb Ian Smith : >>> On Wed, 10 Aug 2016 -0300, Dr. Rolf Jansen wrote: >>> ... >>> ... >>>> I just submitted a PR asking to add the new port = 'sysutils/ipdbtools'. >>>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D211744 >>>=20 >>> Wonderful. >>=20 >> The port maintainers were really quick. The port has been accepted=20 >> and has been already committed. >=20 > So it has, on refreshing the page. Smooth and fast. >=20 > Re __uint128_t I _guess_ there may be macro/s to do that maths for = i386? 
Yeah, I am exploring the options. Comparisons, addition and subtraction
are working already, multiplication, division and remainder operations
are a tad more difficult, I must leave this for some weekend.

>>> ...
>>> A more tech-savvy article than ABC or other news media managed so far:
>>> https://www.theguardian.com/australia-news/2016/aug/10/computer-says-no-australian-census-shambles-explanation-depends-on-who-you-ask
>>
>> Well, I tend to believe that this has nothing to do with DoS attacks,
>
> Some should have been expected, planned for, mitigation anticipated, as
> well as expecting at least 5 times the legit connections/hr they tested
> for, and as the guardian article pointed to, their DNS was screwed in
> several ways: way too long TTL (can't move fast), hard-coded subdomain
> in SSL cert (couldn't readily add load-sharing capacity?) and such.
>
> But they admit the geo-blocking fell over - whether inline as firewall
> or on another server fielding lookup requests not disclosed - but they
> say that failure caused a/the/some router to fail (crash? explode? :)

Perhaps they did Geo-blocking in the way that I mentioned in the summary
of the ipdbtools manual to be a no-go:

...
Unfortunately, online database look-up is by far too slow for even thinking
about being utilized on the firewall level, where IP packets need to
be processed in a microsecond time scale. Therefore, a locally maintained
IP Geo-location database is indispensable in the given respect.
...

> IBM, FFS! but they'll point to govt specs and disclaim hardware failure
> but still it's not great product endorsement for their SoftLayer Cloud.

Natural but non-professional reaction. My mother always told us, if you
point with your index finger to others, three fingers are pointing back to
you. So IBM not only failed technically but also the PR division did a bad
job.

>> I mean, of course it is DoS, but not caused by an attack. Exactly the
>> same happens every year on 30th of April between 17:00 and 24:00 on
>> the servers of the Federal Bureau of Finance here in Brazil. That is
>> the deadline for the online submission of the annual tax declaration
>> of the Brazilian citizens. Seems that the bureaucrats all over the
>> world share the same deficiency of creative problem solving.
>
> Seems it's a requirement for the job, worldwide. Creativity is scary,
> but you think they could guess that ~8 million households in the eastern
> timezone were going to have dinner then do their census within ~2 hours.

Of course they could not guess this, because public servants are trained
to assume that the normal citizen does not meet her/his obligations, and
for sure they were (are) prepared to send out 8 million penalty notices
in 24 hours.

>> Who in the bureaucrats' hell told them to go with one deadline for
>> everybody? For the census in Australia, I would have told the
>> citizens that everybody got an individual deadline which is his or
>> her birthday in 2016 -- problem solved.
>
> That'd be great load-balancing .. shall I let them know? :)

Doesn't cost anything to give it a try, however, you could as well slap
an ox on his horn - same effect.
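The 128-bit arithmetic Rolf describes above (comparison, addition and subtraction on a target without __uint128_t), as an added example that is not ipdbtools code and not Rolf's implementation: a two-limb unsigned type built from uint64_t halves, used the way a geo-location table needs it, to treat an IPv6 address as an integer, derive the [first, last] bounds of a prefix, test membership and count addresses in a range. The sample prefix 2001:db8::/32 and probe address are constructed from the documentation range; the helper names are my own.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>

/* Added example, not ipdbtools code: 128-bit unsigned arithmetic built
 * from two 64-bit halves, for targets such as i386 where the compiler
 * offers no __uint128_t. Enough to treat IPv6 addresses as integers:
 * compare them, turn a prefix into a [first, last] range, test
 * membership and count the addresses in a range. */

typedef struct { uint64_t hi, lo; } u128;

static u128 u128_make(uint64_t hi, uint64_t lo)
{
    u128 r = { hi, lo };
    return r;
}

/* Big-endian 16-byte address (as from inet_pton / struct in6_addr) -> u128. */
static u128 u128_from_bytes(const uint8_t b[16])
{
    u128 r = { 0, 0 };
    for (int i = 0; i < 8; i++)
        r.hi = (r.hi << 8) | b[i];
    for (int i = 8; i < 16; i++)
        r.lo = (r.lo << 8) | b[i];
    return r;
}

/* Three-way comparison: -1, 0 or 1. */
static int u128_cmp(u128 a, u128 b)
{
    if (a.hi != b.hi)
        return a.hi < b.hi ? -1 : 1;
    if (a.lo != b.lo)
        return a.lo < b.lo ? -1 : 1;
    return 0;
}

/* a + b with carry out of the low half; *overflow set if the sum wraps. */
static u128 u128_add(u128 a, u128 b, bool *overflow)
{
    u128 r;
    r.lo = a.lo + b.lo;
    uint64_t carry = (r.lo < a.lo) ? 1 : 0;
    uint64_t t = a.hi + b.hi;
    bool wrapped = t < a.hi;
    r.hi = t + carry;
    wrapped = wrapped || (r.hi < t);
    if (overflow)
        *overflow = wrapped;
    return r;
}

/* a - b with borrow into the high half; *underflow set if a < b. */
static u128 u128_sub(u128 a, u128 b, bool *underflow)
{
    u128 r;
    r.lo = a.lo - b.lo;
    uint64_t borrow = (a.lo < b.lo) ? 1 : 0;
    r.hi = a.hi - b.hi - borrow;
    if (underflow)
        *underflow = u128_cmp(a, b) < 0;
    return r;
}

/* First and last address of addr/plen (0 <= plen <= 128). */
static void u128_prefix_bounds(u128 addr, int plen, u128 *first, u128 *last)
{
    int hostbits = 128 - plen;
    u128 host = { 0, 0 };             /* mask of the host part */
    if (hostbits >= 64) {
        host.lo = ~0ULL;
        host.hi = (hostbits == 128) ? ~0ULL : ((1ULL << (hostbits - 64)) - 1);
    } else if (hostbits > 0) {
        host.lo = (1ULL << hostbits) - 1;
    }
    *first = u128_make(addr.hi & ~host.hi, addr.lo & ~host.lo);
    *last  = u128_make(addr.hi |  host.hi, addr.lo |  host.lo);
}

static bool u128_in_range(u128 x, u128 first, u128 last)
{
    return u128_cmp(x, first) >= 0 && u128_cmp(x, last) <= 0;
}

/* Number of addresses in [first, last]; 2^128 (a /0) is not representable
 * and comes back as 0 with *overflow set. */
static u128 u128_range_size(u128 first, u128 last, bool *overflow)
{
    u128 diff = u128_sub(last, first, NULL);
    return u128_add(diff, u128_make(0, 1), overflow);
}

/* Demo helpers on the constructed documentation prefix 2001:db8::/32. */
static u128 demo_db8_size(void)
{
    u128 first, last;
    u128_prefix_bounds(u128_make(0x20010db800000000ULL, 0), 32, &first, &last);
    return u128_range_size(first, last, NULL);
}

static bool demo_in_db8(uint64_t hi, uint64_t lo)
{
    u128 first, last;
    u128_prefix_bounds(u128_make(0x20010db800000000ULL, 0), 32, &first, &last);
    return u128_in_range(u128_make(hi, lo), first, last);
}

int main(void)
{
    /* 2001:db8:1::1 as the 16 bytes inet_pton would produce (constructed). */
    static const uint8_t probe[16] = { 0x20,0x01,0x0d,0xb8,0,1,0,0, 0,0,0,0,0,0,0,1 };
    u128 x = u128_from_bytes(probe);
    u128 n = demo_db8_size();
    printf("2001:db8:1::1 in 2001:db8::/32: %s\n", demo_in_db8(x.hi, x.lo) ? "yes" : "no");
    printf("addresses in /32: 0x%016llx%016llx\n",
           (unsigned long long)n.hi, (unsigned long long)n.lo);
    return 0;
}
```

Comparison only ever looks at the high half first, so a sorted table of ranges can be binary-searched with u128_cmp exactly as with a native integer; the carry and borrow are the only places the split representation shows.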
From owner-freebsd-ipfw@freebsd.org Fri Aug 12 04:57:07 2016
From: Julian Elischer
To: "Dr. Rolf Jansen", freebsd-ipfw@freebsd.org
Date: Fri, 12 Aug 2016 12:56:49 +0800
Subject: Re: your thoughts on a particular ipfw action.
In-Reply-To: <9D024314-57A2-4079-B630-FB0D844DD5B5@obsigna.com>
Message-ID: <1123ab7a-3365-d059-7d53-862d4edafe7e@freebsd.org>

On 11/08/2016 9:02 AM, Dr. Rolf Jansen wrote:
>> On 08.08.2016 at 18:46, Dr. Rolf Jansen wrote:
>>
>> I am almost finished with preparing the tools for geo-blocking and
>> geo-routing at the firewall for submission to the FreeBSD ports.
>>
>> I created a man file for the tools, see: https://cyclaero.github.io/ipdb/,
>> and I added the recent suggestions on rule number/action code per country
>> code, namely, I changed the formula for the x-flag to the suggestion of
>> Ian (value = offset + ((C1 - 'A')*26 + (C2 - 'A'))*10), and I added the
>> idea of directly assigning a number to a country code in the argument for
>> the t-flag ("CC=nnnnn:...").
>>
>> Furthermore, I removed the divert filter daemon from the Makefile. The
>> source is still on GitHub, though, and can be re-vamped if necessary.
>>
>> Now I am going to prepare the Makefile for the port.
>
> I just submitted a PR asking to add the new port 'sysutils/ipdbtools'.
>
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211744
>
> I needed to change the name of the geoip tool, because GeoIP® is a
> registered trademark of MaxMind, Inc., see www.maxmind.com. The name of
> the tool is now 'ipup' = abbreviated form of IP geo location table
> generation and look-UP, that is without the boring middle part :-D

Hmm I'd have gone for geotable. ipup sounds like a young dog produced by Apple.
(wonder if one can change the name of a port)

> Those who used geoip already in some scripts, please excuse the
> inconvenience of needing to change the name.
>
> With the great help of Julian, I was able to improve the man file and
> the latest version can be read online:
>
> https://cyclaero.github.io/ipdb/
>
> Best regards
>
> Rolf
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@freebsd.org Fri Aug 12 05:31:47 2016
From: Julian Elischer
Subject: Re: your thoughts on a particular ipfw action.
To: freebsd-ipfw@freebsd.org
Date: Fri, 12 Aug 2016 13:31:37 +0800
In-Reply-To: <18FB78EB-B93F-4E03-8DCC-83294133C323@obsigna.com>
Message-ID: <8b40f50e-cff6-3be9-f6f7-7f1d7449a93e@freebsd.org>

On 12/08/2016 8:20 AM, Dr. Rolf Jansen wrote:
>> On 11.08.2016 at 14:20, Ian Smith wrote:
>> On Thu, 11 Aug 2016 10:09:24 -0300, Dr. Rolf Jansen wrote:
>>>> On 11.08.2016 at 08:06, Ian Smith wrote:
>>>> On Wed, 10 Aug 2016 -0300, Dr. Rolf Jansen wrote:
>>>> ...
>>>> ...
>>>>> I just submitted a PR asking to add the new port 'sysutils/ipdbtools'.
>>>>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211744
>>>> Wonderful.
>>> The port maintainers were really quick. The port has been accepted
>>> and has been already committed.
>> So it has, on refreshing the page. Smooth and fast.
>>
>> Re __uint128_t I _guess_ there may be macro/s to do that maths for i386?
> Yeah, I am exploring the options. Comparisons, addition and subtraction
> are working already, multiplication, division and remainder operations
> are a tad more difficult, I must leave this for some weekend.
>
>>>> ...
>>>> A more tech-savvy article than ABC or other news media managed so far:
>>>> https://www.theguardian.com/australia-news/2016/aug/10/computer-says-no-australian-census-shambles-explanation-depends-on-who-you-ask
>>> Well, I tend to believe that this has nothing to do with DoS attacks,
>> Some should have been expected, planned for, mitigation anticipated, as
>> well as expecting at least 5 times the legit connections/hr they tested
>> for, and as the guardian article pointed to, their DNS was screwed in
>> several ways: way too long TTL (can't move fast), hard-coded subdomain
>> in SSL cert (couldn't readily add load-sharing capacity?) and such.
>>
>> But they admit the geo-blocking fell over - whether inline as firewall
>> or on another server fielding lookup requests not disclosed - but they
>> say that failure caused a/the/some router to fail (crash? explode? :)
> Perhaps they did Geo-blocking in the way that I mentioned in the summary
> of the ipdbtools manual to be a no-go:
>
> ...
> Unfortunately, online database look-up is by far too slow for even thinking
> about being utilized on the firewall level, where IP packets need to
> be processed in a microsecond time scale. Therefore, a locally maintained
> IP Geo-location database is indispensable in the given respect.
> ...
>
>> IBM, FFS! but they'll point to govt specs and disclaim hardware failure
>> but still it's not great product endorsement for their SoftLayer Cloud.
> Natural but non-professional reaction. My mother always told us, if you
> point with your index finger to others, three fingers are pointing back
> to you. So IBM not only failed technically but also the PR division did
> a bad job.
>
>>> I mean, of course it is DoS, but not caused by an attack. Exactly the
>>> same happens every year on 30th of April between 17:00 and 24:00 on
>>> the servers of the Federal Bureau of Finance here in Brazil. That is
>>> the deadline for the online submission of the annual tax declaration
>>> of the Brazilian citizens. Seems that the bureaucrats all over the
>>> world share the same deficiency of creative problem solving.
>> Seems it's a requirement for the job, worldwide. Creativity is scary,
>> but you think they could guess that ~8 million households in the eastern
>> timezone were going to have dinner then do their census within ~2 hours.
> Of course they could not guess this, because public servants are trained
> to assume that the normal citizen does not meet her/his obligations, and
> for sure they were (are) prepared to send out 8 million penalty notices
> in 24 hours.

Actually we have until mid September to lodge the information, but if you
forget who was at your place that evening (guests?) then it makes sense to
do it earlier rather than later.

>>> Who in the bureaucrats' hell told them to go with one deadline for
>>> everybody? For the census in Australia, I would have told the
>>> citizens that everybody got an individual deadline which is his or
>>> her birthday in 2016 -- problem solved.

see above.. it's a 6 week window from memory.

>> That'd be great load-balancing .. shall I let them know? :)
> Doesn't cost anything to give it a try, however, you could as well slap
> an ox on his horn - same effect.

From owner-freebsd-ipfw@freebsd.org Fri Aug 12 06:49:41 2016
Subject: Re: your thoughts on a particular ipfw action.
To: freebsd-ipfw@freebsd.org
From: grenville armitage
Date: Fri, 12 Aug 2016 16:49:36 +1000
In-Reply-To: <1123ab7a-3365-d059-7d53-862d4edafe7e@freebsd.org>
Message-ID: <57AD7180.2060609@swin.edu.au>

On 08/12/2016 14:56, Julian Elischer wrote:
> On 11/08/2016 9:02 AM, Dr. Rolf Jansen wrote:
>> [...]
>>
>> I needed to change the name of the geoip tool, because GeoIP® is a
>> registered trademark of MaxMind, Inc., see www.maxmind.com. The name of
>> the tool is now 'ipup' = abbreviated form of IP geo location table
>> generation and look-UP, that is without the boring middle part :-D
> Hmm I'd have gone for geotable. ipup sounds like a young dog produced by Apple.
> (wonder if one can change the name of a port)

+1 FWIW.

cheers,
gja

From owner-freebsd-ipfw@freebsd.org Fri Aug 12 09:48:27 2016
From: Ian Smith
To: grenville armitage
cc: freebsd-ipfw@freebsd.org
Date: Fri, 12 Aug 2016 19:48:22 +1000 (EST)
Subject: Re: your thoughts on a particular ipfw action.
In-Reply-To: <57AD7180.2060609@swin.edu.au>
Message-ID: <20160812184408.G79687@sola.nimnet.asn.au>

On Fri, 12 Aug 2016 16:49:36 +1000, grenville armitage wrote:
> On 08/12/2016 14:56, Julian Elischer wrote:
> > On 11/08/2016 9:02 AM, Dr. Rolf Jansen wrote:
> >> [...]
> >>
> >> I needed to change the name of the geoip tool, because GeoIP® is a
> >> registered trademark of MaxMind, Inc., see www.maxmind.com. The name of
> >> the tool is now 'ipup' = abbreviated form of IP geo location table
> >> generation and look-UP, that is without the boring middle part :-D
> > Hmm I'd have gone for geotable. ipup sounds like a young dog produced by
> > Apple.
> > (wonder if one can change the name of a port)

:) The Sony Aibo had the robotic dog genre pretty well covered.

> +1 FWIW.

Portname is sysutils/ipdbtools which sounds ok, so it's only one program
that could be renamed (again). The port is young enough that it wouldn't be
likely to inconvenience anybody much - except Rolf! - at this stage.

cheers,
Ian
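The per-country rule-number formula Rolf quotes earlier in this thread (value = offset + ((C1 - 'A')*26 + (C2 - 'A'))*10, the x-flag suggestion from Ian), as an added example that is not ipdbtools code: it encodes the formula, adds the validation a firewall script should do before trusting the result (two upper-case ASCII letters, and an offset small enough that 'ZZ' still lands at or below ipfw's 16-bit rule ceiling of 65535), gives the inverse mapping for reading a tablearg value back into a country code, and emits table entries in the form I believe FreeBSD 11 ipfw(8) accepts. The table name, the documentation-range CIDRs, the offset of 10000 and the exact ipfw command syntax are my assumptions, not anything the tool documents.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <ctype.h>

/* Added example, not ipdbtools code: the rule-number formula quoted in
 * the thread, value = offset + ((C1 - 'A')*26 + (C2 - 'A'))*10, with
 * the checks a firewall script should make before trusting the result. */

#define CC_STRIDE     10          /* rule numbers reserved per country code */
#define CC_SLOTS      (26 * 26)   /* 'AA' .. 'ZZ' */
#define IPFW_MAX_RULE 65535       /* ipfw rule numbers are 16-bit; 65535 is the default rule */

/* A country code here is exactly two upper-case ASCII letters. */
static bool cc_is_valid(const char *cc)
{
    return cc != NULL
        && isupper((unsigned char)cc[0])
        && isupper((unsigned char)cc[1])
        && cc[2] == '\0';
}

/* Largest offset for which 'ZZ' still maps to a rule number ipfw can hold. */
static int cc_max_offset(void)
{
    return IPFW_MAX_RULE - (CC_SLOTS - 1) * CC_STRIDE;   /* 58785 */
}

/* Country code -> tablearg value (rule number / skipto target); -1 on error. */
static int cc_to_value(const char *cc, int offset)
{
    if (!cc_is_valid(cc) || offset < 0 || offset > cc_max_offset())
        return -1;
    return offset + ((cc[0] - 'A') * 26 + (cc[1] - 'A')) * CC_STRIDE;
}

/* Inverse mapping: tablearg value -> country code; false if the value is
 * not one the formula can produce for this offset. */
static bool value_to_cc(int value, int offset, char out[3])
{
    int rel = value - offset;
    if (rel < 0 || rel % CC_STRIDE != 0 || rel / CC_STRIDE >= CC_SLOTS)
        return false;
    int idx = rel / CC_STRIDE;
    out[0] = (char)('A' + idx / 26);
    out[1] = (char)('A' + idx % 26);
    out[2] = '\0';
    return true;
}

/* Encode, decode, and confirm the same code comes back. */
static bool cc_roundtrip_ok(const char *cc, int offset)
{
    char back[3];
    int v = cc_to_value(cc, offset);
    return v >= 0 && value_to_cc(v, offset, back) && strcmp(cc, back) == 0;
}

/* Format an ipfw table entry carrying the country's value as tablearg.
 * Command syntax as in FreeBSD 11 ipfw(8) to the best of my knowledge
 * (assumption; verify against your version). Returns -1 on bad input. */
static int fmt_table_entry(char *buf, size_t n, const char *table,
                           const char *cidr, const char *cc, int offset)
{
    int v = cc_to_value(cc, offset);
    if (v < 0)
        return -1;
    return snprintf(buf, n, "ipfw table %s add %s %d", table, cidr, v);
}

int main(void)
{
    /* Constructed sample: documentation prefixes, not real geo data. */
    static const struct { const char *cidr, *cc; } sample[] = {
        { "192.0.2.0/24",    "AU" },
        { "198.51.100.0/24", "BR" },
        { "203.0.113.0/24",  "DE" },
    };
    const int offset = 10000;   /* assumed; must not exceed cc_max_offset() */
    char line[128];

    printf("max offset: %d\n", cc_max_offset());
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++) {
        if (fmt_table_entry(line, sizeof line, "geo",
                            sample[i].cidr, sample[i].cc, offset) > 0)
            printf("%s\n", line);
    }
    /* one lookup rule jumps to the country's block; each block has CC_STRIDE numbers */
    printf("ipfw add 1000 skipto tablearg ip from 'table(geo)' to any\n");
    printf("ipfw add %d deny ip from any to any   # AU block starts here\n",
           cc_to_value("AU", offset));
    return 0;
}
```

With a stride of 10 each country owns ten consecutive rule numbers, so a skipto into the block can be followed by a few country-specific rules before falling through; the ceiling check matters because a value above 65535 is silently rejected at rule-add time rather than at table-build time.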