Date: Thu, 11 Aug 2016 21:06:03 +1000 (EST)
From: Ian Smith
To: "Dr. Rolf Jansen"
cc: freebsd-ipfw@freebsd.org
Subject: Re: your thoughts on a particular ipfw action.

On Wed, 10 Aug 2016 -0300, Dr. Rolf Jansen wrote:

(just curious: whereabouts is -0300? Brazil?)

> > On 08.08.2016 at 18:46, Dr. Rolf Jansen wrote:

>> I am almost finished with preparing the tools for geo-blocking and
>> geo-routing at the firewall for submission to the FreeBSD ports.
>> I created a man file for the tools, see:
>> https://cyclaero.github.io/ipdb/, and I added the recent suggestions
>> on rule number/action code per country code, namely, I changed the
>> formula for the x-flag to the suggestion of Ian (value = offset +
>> ((C1 - 'A')*26 + (C2 - 'A'))*10), and I added the idea of directly
>> assigning a number to a country code in the argument for the t-flag
>> ("CC=nnnnn:..."). Furthermore, I removed the divert filter daemon
>> from the Makefile. The source is still on GitHub, though, and can be
>> re-vamped if necessary. Now I am going to prepare the Makefile for
>> the port.

Terrific work, Rolf! Something for everyone, although I'm guessing the
pf people are going to want a piece of the action, if they need any more
than the -p option and a bit of scripting.

> I just submitted a PR asking to add the new port 'sysutils/ipdbtools'.
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211744

Wonderful.

> I needed to change the name of the geoip tool, because GeoIP® is a
> registered trademark of MaxMind, Inc., see www.maxmind.com. The name

I did wonder about that ..

> of the tool is now 'ipup' = abbreviated form of IP geo location table
> generation and look-UP, that is without the boring middle part :-D
>
> Those, who used geoip already in some scripts, please excuse the
> inconvenience of needing to change the name.

> With the great help of Julian, I was able to improve the man file and
> the latest version can be read online:
>
> https://cyclaero.github.io/ipdb/

Nice manual and all. A few typos noted below (niggly Virgo proofreader)

I must apologise for added exasperation earlier. I was tending towards
conflating several other ipfw issues under discussion (named states, new
state actions, and this). Sorry if I bumped you off course momentarily,
though I don't seem to have slowed you down too much ..

As a hopefully not unwelcome aside, it's a pity that IBM, of all people,
couldn't manage geo-blocking successfully for the Australian Census the
other night. Next time around we can offer them a working geo-blocking
firewall/router for a good deal less than the AU$9.6M we've paid IBM :)

Census: How the Government says the website meltdown unfolded:
http://www.abc.net.au/news/2016-08-10/census-night-how-the-shambles-unfolded/7712964

A more tech-savvy article than ABC or other news media managed so far:
https://www.theguardian.com/australia-news/2016/aug/10/computer-says-no-australian-census-shambles-explanation-depends-on-who-you-ask

cheers, Ian

=======
It is suitable for inclusion into cron.
"for invocation by cron" maybe?

ipdb_update.sh has IPRanges="/usr/local/etc/ipdb/IPRanges" but some
(not all) mentions in the manpage use "IP-Ranges" with a hyphen,
including the FILES section. Also the last one there repeats "*bst.v4"
for IPv6.

It's not quite clear how to specify an 'empty CC list'? ''? ""? either?

"from certain [countries?] we don't like .."

"piped into sort of [or?] a pre-processing command .."
=======