Subject: Re: your thoughts on a particular ipfw action.
From: "Dr. Rolf Jansen"
Date: Thu, 11 Aug 2016 10:09:24 -0300
To: freebsd-ipfw@freebsd.org
In-Reply-To: <20160811200425.F79687@sola.nimnet.asn.au>

> On 11.08.2016 at 08:06, Ian Smith wrote:
> On Wed, 10 Aug 2016 -0300, Dr. Rolf Jansen wrote:
>
> (just curious: whereabouts is -0300? Brazil?)

Yes, I am a German living in Brazil for more than 10 years now. BTW, your mail provider is blocking my mails, perhaps because the origin is Brazil, but I am using a German provider for my mail transport.

>>> On 08.08.2016 at 18:46, Dr. Rolf Jansen wrote:
>>> I am almost finished with preparing the tools for geo-blocking and
>>> geo-routing at the firewall for submission to the FreeBSD ports.
>
>>> I created a man file for the tools, see:
>>> https://cyclaero.github.io/ipdb/, and I added the recent suggestions
>>> on rule number/action code per country code, namely, I changed the
>>> formula for the x-flag to the suggestion of Ian (value = offset +
>>> ((C1 - 'A')*26 + (C2 - 'A'))*10), and I added the idea of directly
>>> assigning a number to a country code in the argument for the t-flag
>>> ("CC=nnnnn:..."). Furthermore, I removed the divert filter daemon
>>> from the Makefile. The source is still on GitHub, though, and can be
>>> re-vamped if necessary. Now I am going to prepare the Makefile for
>>> the port.
>
> Terrific work, Rolf! Something for everyone, although I'm guessing the
> pf people are going to want a piece of the action, if they need any more
> than the -p option and a bit of scripting.

It is not that much work to add other output options. The main obstacle for me is that I won't be able to test it carefully together with pf. So, it would be good to do this in cooperation with someone who has a well running pf firewall -- the same holds for other possible applications as well.

>> I just submitted a PR asking to add the new port 'sysutils/ipdbtools'.
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211744
>
> Wonderful.

The port maintainers were really quick. The port has been accepted and has already been committed.

>> I needed to change the name of the geoip tool, because GeoIP® is a
>> registered trademark of MaxMind, Inc., see www.maxmind.com. The name
>
> I did wonder about that ..
>
>> of the tool is now 'ipup' = abbreviated form of IP geo location table
>> generation and look-UP, that is without the boring middle part :-D
>>
>> Those, who used geoip already in some scripts, please excuse the
>> inconvenience of needing to change the name.
>
>> With the great help of Julian, I was able to improve the man file and
>> the latest version can be read online:
>>
>> https://cyclaero.github.io/ipdb/
>
> Nice manual and all. A few typos noted below (niggly Virgo proofreader)

I was tempted to get these last changes into my PR, but I am sorry, it was too late for the initial release. I committed the corrected man file to the GitHub repository, though; it will automatically go into the next release of the ipdbtools, perhaps together with some additions for using it together with pf(8) and route(8).

> I must apologise for added exasperation earlier. I was tending towards
> conflating several other ipfw issues under discussion (named states, new
> state actions, and this). Sorry if I bumped you off course momentarily,
> though I don't seem to have slowed you down too much ..

Nothing to be sorry about. I like discussions.

> As a hopefully not unwelcome aside, it's a pity that IBM, of all people,
> couldn't manage geo-blocking successfully for the Australian Census the
> other night. Next time around we can offer them a working geo-blocking
> firewall/router for a good deal less than the AU$9.6M we've paid IBM :)
>
> Census: How the Government says the website meltdown unfolded:
> http://www.abc.net.au/news/2016-08-10/census-night-how-the-shambles-unfolded/7712964
>
> A more tech-savvy article than ABC or other news media managed so far:
> https://www.theguardian.com/australia-news/2016/aug/10/computer-says-no-australian-census-shambles-explanation-depends-on-who-you-ask

Well, I tend to believe that this has nothing to do with DoS attacks. I mean, of course it is DoS, but not caused by an attack. Exactly the same happens every year on the 30th of April between 17:00 and 24:00 on the servers of the Federal Bureau of Finance here in Brazil. That is the deadline for the online submission of the annual tax declaration of the Brazilian citizens. Seems that the bureaucrats all over the world share the same deficiency of creative problem solving.

Who in the bureaucrats' hell told them to go with one deadline for everybody? For the census in Australia, I would have told the citizens that everybody got an individual deadline which is his or her birthday in 2016 -- problem solved.

> =======
>
> It is suitable for inclusion into cron. "for invocation by cron" maybe?

OK, "invocation by" sounds better (for me).

> ipdb_update.sh has IPRanges="/usr/local/etc/ipdb/IPRanges" but some (not
> all) mentions in the manpage use "IP-Ranges" with a hyphen, including
> the FILES section. Also the last one there repeats "*bst.v4" for IPv6.

OK, corrected.

> It's not quite clear how to specify an 'empty CC list'? ''? ""? either?

Well, in the Synopsis and in the description of the second usage form there was already ... | "". Now, I clarified this in the description as well, as follows: "An empty CC list (denoted by "") means any country code."

> "from certain [countries?] we don't like .."

OK.

> "piped into sort of [or?] a pre-processing command .."

OK, I removed "sort of", leaving "... piped into a pre-processing command ..."

>
> =======

As already said, the corrections are not part of the initial release into the FreeBSD ports; for this one it was too late. The man file on GitHub is corrected already.

Best regards

Rolf
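The rule-number formula quoted in the thread, value = offset + ((C1 - 'A')*26 + (C2 - 'A'))*10, together with the "CC=nnnnn" explicit-assignment form, as an added worked example in C; this is not code from ipdbtools, and the two-uppercase-letter country code format, the "CC=nnnnn" spec syntax and the range checks are assumptions made here.

```c
/* Added example, not ipdbtools code: map ISO country codes to ipfw rule
 * numbers with the x-flag formula from the thread, recover the code from a
 * rule number, and accept an explicit "CC=nnnnn" assignment (assumed syntax). */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define IPFW_MAX_RULE 65535   /* ipfw rule numbers are 1..65535 */

/* Rule number for country code cc (two uppercase ASCII letters assumed);
 * every country gets a block of 10 consecutive numbers. -1 on invalid input
 * or when the result leaves the ipfw rule-number range. */
int cc_to_rule(int offset, const char *cc)
{
    if (cc == NULL || strlen(cc) != 2 ||
        !isupper((unsigned char)cc[0]) || !isupper((unsigned char)cc[1]))
        return -1;
    long value = (long)offset + ((cc[0] - 'A') * 26 + (cc[1] - 'A')) * 10;
    if (value < 1 || value > IPFW_MAX_RULE)
        return -1;
    return (int)value;
}

/* Inverse mapping: country code (written to out[3]) for a rule number that
 * lies exactly on the grid produced by cc_to_rule(); -1 otherwise. */
int rule_to_cc(int offset, int rule, char out[3])
{
    long idx = (long)rule - offset;
    if (idx < 0 || idx % 10 != 0 || idx / 10 >= 26 * 26)
        return -1;
    idx /= 10;
    out[0] = (char)('A' + idx / 26);
    out[1] = (char)('A' + idx % 26);
    out[2] = '\0';
    return 0;
}

/* Parse one t-flag element: "CC" uses the formula, "CC=nnnnn" (assumed
 * syntax) assigns the number directly. Returns the rule number or -1. */
int parse_cc_spec(int offset, const char *spec, char cc_out[3])
{
    const char *eq = strchr(spec, '=');
    size_t len = eq ? (size_t)(eq - spec) : strlen(spec);
    if (len != 2 || !isupper((unsigned char)spec[0]) || !isupper((unsigned char)spec[1]))
        return -1;
    memcpy(cc_out, spec, 2);
    cc_out[2] = '\0';
    if (eq == NULL)
        return cc_to_rule(offset, cc_out);
    char *end;
    long n = strtol(eq + 1, &end, 10);
    return (*end == '\0' && n >= 1 && n <= IPFW_MAX_RULE) ? (int)n : -1;
}
```

With offset 10000, "DE" lands on rule 10820 and "BR" on 10430; the range check matters because a large offset pushes "ZZ" (index 675) past 65535.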