Subject: Re: ipfw divert filter for IPv4 geo-blocking
From: "Dr. Rolf Jansen"
Date: Thu, 28 Jul 2016 23:21:01 -0300
To: freebsd-ipfw@freebsd.org
Cc: Julian Elischer
In-Reply-To: <677900fb-c717-743f-fcfe-86b603466e33@freebsd.org>
Message-Id: <0D3C9016-7A4A-46BA-B35F-3844D07562A8@obsigna.com>

> On 27.07.2016 at 12:31, Julian Elischer wrote:
> On 27/07/2016 9:36 PM, Dr. Rolf Jansen wrote:
>>> On 26.07.2016 at 23:03, Julian Elischer wrote:
>>> On 27/07/2016 3:06 AM, Dr. Rolf Jansen wrote:
>>>> There is another tool called geoip, that I uploaded to GitHub, and that I use for looking up country codes by IP addresses on the command line.
>>>>
>>>> https://github.com/cyclaero/ipdb/blob/master/geoip.c
>>>>
>>>> This one could easily be extended to produce sorted IP ranges per CC that could be fed into tables of ipfw. I am thinking of adding a command line option for specifying CC's for which the IP ranges should be exported, something like:
>>>>
>>>> geoip -e DE:BR:US:IT:FR:ES
>>>>
>>>> And this could print sorted IP-Ranges belonging to the listed countries. For this purpose, what would be the ideal format for directly feeding the produced output into ipfw tables?
>>> The format for using tables directly is the same as that used for routing tables.
>>> …
>>> table 5 add 1.1.1.0/32 1000
>>> …
>>> your application becomes an application for configuring the firewall.
>>> (which you do by feeding commands down a pipe to ipfw, which is started as 'ipfw -q /dev/stdin')
>> I finished adding a second usage form for the geoip tool, namely generation of ipfw table construction directives filtered by country codes.
> wow, wonderful!
>
> with that tool, and ipfw tables we have a fully functional geo blocking/munging solution in about 4 lines of shell script.

Unfortunately, I finally discovered that ipfw tables as they are, are unsuitable for the given purpose, because for some reason ipfw mangles about 20 % of the passed IP address/masklen pairs. For example:

# ipfw table 1 add 201.222.20.0/20
# ipfw table 1 list
--> 201.222.16.0/20 0

$ geoip 201.222.20.1
--> 201.222.20.1 in 201.222.20.0-201.222.31.255 in BR

$ geoip 201.222.16.1
--> 201.222.16.1 in 201.222.16.0-201.222.19.255 in AR

Effectively, I asked ipfw to add an IP-range of Brazil to table 1, but it actually added another one which belongs to Argentina. This doesn't make too much sense, does it?

For the time being I switched my servers back to geo-blocking with the divert filter daemon.

Best regards

Rolf
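Added editor's example, not part of the thread and not code from the geoip tool: under a /20 mask (255.255.240.0) the address 201.222.20.0 still has host bits set, so a prefix-matching table stores the network address 201.222.16.0/20, which is the entry listed above. A per-country range such as 201.222.20.0-201.222.31.255 therefore has to be split into mask-aligned prefixes (here 201.222.20.0/22 and 201.222.24.0/21) before it is piped into ipfw; the C below checks alignment and performs that split (function and variable names are my own).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Format a host-order address as "a.b.c.d/len". */
static void fmt_cidr(uint32_t a, int len, char *buf, size_t n)
{
    snprintf(buf, n, "%u.%u.%u.%u/%d", (unsigned)(a >> 24), (unsigned)((a >> 16) & 255),
             (unsigned)((a >> 8) & 255), (unsigned)(a & 255), len);
}

/* Parse "a.b.c.d" into a host-order uint32_t; returns 1 on success, 0 otherwise. */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned b[4];
    if (sscanf(s, "%u.%u.%u.%u", &b[0], &b[1], &b[2], &b[3]) != 4) return 0;
    for (int i = 0; i < 4; i++) if (b[i] > 255) return 0;
    *out = (b[0] << 24) | (b[1] << 16) | (b[2] << 8) | b[3];
    return 1;
}

/* Network address a prefix-matching table stores for addr/len (host bits cleared). */
uint32_t network_of(uint32_t addr, int len) { return len ? addr & (0xFFFFFFFFu << (32 - len)) : 0; }
/* 1 when addr/len has no host bits set, i.e. the table keeps it exactly as given. */
int prefix_is_aligned(uint32_t addr, int len) { return network_of(addr, len) == addr; }

/* Split the inclusive range [lo, hi] into the minimal list of aligned CIDR
 * blocks, written as "a.b.c.d/len" strings into out; returns the count. */
int range_to_cidrs(uint32_t lo, uint32_t hi, char out[][20], int max)
{
    int n = 0;
    uint64_t cur = lo;  /* 64-bit so the cursor cannot wrap past 255.255.255.255 */
    while (cur <= hi && n < max) {
        int len = 32;   /* widen the block while it stays aligned and inside [lo, hi] */
        for (uint64_t size = 2; len > 0 && cur % size == 0 && cur + size - 1 <= hi; size <<= 1)
            len--;
        fmt_cidr((uint32_t)cur, len, out[n++], 20);
        cur += (uint64_t)1 << (32 - len);
    }
    return n;
}
int main(void)
{   /* constructed input: the Brazilian range quoted in the thread */
    char blocks[8][20]; uint32_t lo, hi;
    parse_ipv4("201.222.20.0", &lo); parse_ipv4("201.222.31.255", &hi);
    printf("201.222.20.0/20 aligned? %d\n", prefix_is_aligned(lo, 20));
    for (int i = 0, n = range_to_cidrs(lo, hi, blocks, 8); i < n; i++)
        printf("ipfw table 1 add %s\n", blocks[i]);
    return 0;
}
```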