Date: Fri, 29 Jul 2016 16:00:24 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: "Dr. Rolf Jansen" <rj@obsigna.com>
Cc: freebsd-ipfw@freebsd.org, Julian Elischer <julian@freebsd.org>
Subject: Re: ipfw divert filter for IPv4 geo-blocking
Message-ID: <20160729151802.X29054@sola.nimnet.asn.au>
In-Reply-To: <0D3C9016-7A4A-46BA-B35F-3844D07562A8@obsigna.com>
References: <61DFB3E2-6E34-4EEA-8AC6-70094CEACA72@cyclaero.com> <CAHu1Y739PvFqqEKE74BjzgLa7NNG6Kh55NPnU5MaA-8HsrjkFw@mail.gmail.com> <4D047727-F7D0-4BEE-BD42-2501F44C9550@obsigna.com> <c2cd797d-66db-8673-af4e-552dfa916a76@freebsd.org> <9641D08A-0501-4AA2-9DF6-D5AFE6CB2975@obsigna.com> <4d76a492-17ae-cbff-f92f-5bbbb1339aad@freebsd.org> <C0CC7001-16FE-40BF-A96A-1FA51A0AFBA7@obsigna.com> <677900fb-c717-743f-fcfe-86b603466e33@freebsd.org> <0D3C9016-7A4A-46BA-B35F-3844D07562A8@obsigna.com>

On Thu, 28 Jul 2016 23:21:01 -0300, Dr. Rolf Jansen wrote:
 > On 27.07.2016 at 12:31, Julian Elischer <julian@freebsd.org> wrote:
[..]
 >> wow, wonderful!
 >> with that tool, and ipfw tables we have a fully functional geo
 >> blocking/munging solution in about 4 lines of shell script.

 > Unfortunately, I finally discovered that ipfw tables as they are, are
 > unsuitable for the given purpose, because for some reason ipfw
 > mangles about 20 % of the passed IP address/masklen pairs.

 > For example:

 > # ipfw table 1 add 201.222.20.0/20
 > # ipfw table 1 list
 > --> 201.222.16.0/20 0

 > $ geoip 201.222.20.1
 > --> 201.222.20.1 in 201.222.20.0-201.222.31.255 in BR

 > $ geoip 201.222.16.1
 > --> 201.222.16.1 in 201.222.16.0-201.222.19.255 in AR

Just to add to what Julian and Lee observed, testing IPs at
<http://www.viewdns.info/whois/?domain=201.222.20.1>
(sourced from LACNIC thence whois.registro.br)

inetnum:     201.222.20/22
aut-num:     AS61902
abuse-c:     CSJ45
owner:       Bahialink - Technology
ownerid:     004.724.687/0001-69
country:     BR

So the geoip result for 201.222.20.1 is just wrong - it should return
201.222.20.0 - 201.222.23.255 (ie, /22) and not
201.222.16.0 - 201.222.31.255 (ie, /20)

While the range for 201.222.16.1 is in fact a /22:
<http://www.viewdns.info/whois/?domain=201.222.16.1>

[..]
inetnum:     201.222.16/22
status:      allocated
aut-num:     N/A
owner:       G2KHosting S.A.
ownerid:     AR-GKSA-LACNIC
responsible: Mauro Ferraro
address:     Maipu, 33,
address:     2900 - San Nicolas de los Arroyos - BA
country:     AR

 > Effectively, I asked ipfw to add an IP-range of Brazil to table 1,
 > but it actually added another one which belongs to Argentina. This
 > doesn't make too much sense, does it?

Not if geoip is returning the wrong address range for 201.222.20.1, no.

 > For the time being I switched my servers back to geo-blocking with
 > the divert filter daemon.

I don't know what's wrong or where, just that it is ..

How are you getting from geoip's IP range to /maskbits?

cheers, Ian
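
Added example, not part of the original message and not code from geoip or ipfw: the C sketch below works through the range-to-masklen arithmetic the thread is asking about. Clearing the host bits of 201.222.20.0 under a /20 mask reproduces the 201.222.16.0/20 shown by `ipfw table 1 list`, and an inclusive range such as the quoted 201.222.20.0-201.222.31.255 is split into aligned CIDR blocks instead of being given a single masklen. The names `IP4`, `mask_to_prefix` and `range_to_cidrs` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Build a host-byte-order IPv4 address from four octets (hypothetical helper). */
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

struct cidr { uint32_t net; int len; };
/* Clear the host bits of addr for prefix length len (0..32). */
static uint32_t mask_to_prefix(uint32_t addr, int len)
{
    return len == 0 ? 0 : addr & (0xFFFFFFFFu << (32 - len));
}

/* Split the inclusive range [lo, hi] into aligned CIDR blocks, taking the
 * largest block that fits at each step. Returns the number written to out. */
static int range_to_cidrs(uint32_t lo, uint32_t hi, struct cidr *out, int max)
{
    uint64_t cur = lo, end = hi;   /* 64-bit so 255.255.255.255 cannot wrap */
    int n = 0;
    while (cur <= end && n < max) {
        int len = 32;
        while (len > 0) {          /* try the next shorter prefix */
            uint64_t size = 1ULL << (32 - (len - 1));
            if ((cur & (size - 1)) != 0 || cur + size - 1 > end)
                break;             /* misaligned, or would overshoot hi */
            len--;
        }
        out[n].net = (uint32_t)cur;
        out[n].len = len;
        n++;
        cur += 1ULL << (32 - len);
    }
    return n;
}

int main(void)
{
    struct cidr blk[8];
    uint32_t m = mask_to_prefix(IP4(201, 222, 20, 0), 20);
    /* Range as printed by the quoted geoip lookup for 201.222.20.1 */
    int n = range_to_cidrs(IP4(201, 222, 20, 0), IP4(201, 222, 31, 255), blk, 8);
    printf("201.222.20.0/20 masks to %u.%u.%u.%u/20\n",
           m >> 24, (m >> 16) & 255, (m >> 8) & 255, m & 255);
    for (int i = 0; i < n; i++)
        printf("%u.%u.%u.%u/%d\n", blk[i].net >> 24, (blk[i].net >> 16) & 255,
               (blk[i].net >> 8) & 255, blk[i].net & 255, blk[i].len);
    return 0;
}
```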
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20160729151802.X29054>