From: Ian Smith
To: "Dr. Rolf Jansen"
Cc: freebsd-ipfw@freebsd.org
Date: Fri, 12 Aug 2016 03:20:39 +1000 (EST)
Subject: Re: your thoughts on a particualar ipfw action.
Message-ID: <20160812014005.V79687@sola.nimnet.asn.au>
References: <20160805024301.H56585@sola.nimnet.asn.au> <7486c7ce-49db-b6b9-a6bb-13f04b4ce6d6@freebsd.org> <242DF6D8-4287-43BF-BE9F-CE1665D31ED2@obsigna.com> <9D024314-57A2-4079-B630-FB0D844DD5B5@obsigna.com> <20160811200425.F79687@sola.nimnet.asn.au>
List-Id: IPFW Technical Discussions

On Thu, 11 Aug 2016 10:09:24 -0300, Dr. Rolf Jansen wrote:
>
> Am 11.08.2016 um 08:06 schrieb Ian Smith:
> > On Wed, 10 Aug 2016 -0300, Dr. Rolf Jansen wrote:
> >
> > (just curious: whereabouts is -0300? Brazil?)
>
> Yes, I am a German living in Brazil for more than 10 years now. BTW,
> your mail provider is blocking my mails, perhaps because the origin
> is Brazil, but I am using a German provider for my mail transport.

Oops. You should have mail from smithi@someisp about sorting that out?

Cutting to recent:

> > Terrific work, Rolf! Something for everyone, although I'm guessing the
> > pf people are going to want a piece of the action, if they need any more
> > than the -p option and a bit of scripting.
>
> It is not that much work to add other output options. The main
> obstacle for me is that I won't be able to test it carefully
> together with pf. So, it would be good to do this in cooperation with
> someone who has a well running pf firewall -- the same holds for
> other possible applications as well.

Indeed. Once again I've suggested something I can't help with and know
next to nothing about :)

> >> I just submitted a PR asking to add the new port 'sysutils/ipdbtools'.
> >> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211744
> >
> > Wonderful.
>
> The port maintainers were really quick. The port has been accepted
> and has already been committed.

So it has, on refreshing the page. Smooth and fast.

Re __uint128_t, I _guess_ there may be macro/s to do that maths for i386?

> >> With the great help of Julian, I was able to improve the man file and
> >> the latest version can be read online:
> >>
> >> https://cyclaero.github.io/ipdb/
> >
> > Nice manual and all. A few typos noted below (niggly Virgo proofreader)
>
> I was tempted to get these last changes into my PR, but I am sorry,

Not at all; nothing that might confuse or deter anybody .. niggles.

> it was too late for the initial release. I committed the corrected
> man file to the GitHub repository, though; it will automatically go
> into the next release of the ipdbtools, perhaps together with some
> additions for using it together with pf(8) and route(8).

Great. Looking forward to having a play, albeit on a box not running any
external services currently, to scope it out.

> Nothing to be sorry about. I like discussions.

Ok, no sorrow either way ..

> > As a hopefully not unwelcome aside, it's a pity that IBM, of all people,
> > couldn't manage geo-blocking successfully for the Australian Census the
> > other night. Next time around we can offer them a working geo-blocking
> > firewall/router for a good deal less than the AU$9.6M we've paid IBM :)
> >
> > Census: How the Government says the website meltdown unfolded:
> > http://www.abc.net.au/news/2016-08-10/census-night-how-the-shambles-unfolded/7712964
> >
> > A more tech-savvy article than ABC or other news media managed so far:
> > https://www.theguardian.com/australia-news/2016/aug/10/computer-says-no-australian-census-shambles-explanation-depends-on-who-you-ask
>
> Well, I tend to believe that this has nothing to do with DoS attacks,

Some should have been expected, planned for, mitigation anticipated, as
well as expecting at least 5 times the legit connections/hr they tested
for, and as the Guardian article pointed to, their DNS was screwed in
several ways: way too long TTL (can't move fast), hard-coded subdomain in
SSL cert (couldn't readily add load-sharing capacity?) and such.

But they admit the geo-blocking fell over - whether inline as firewall or
on another server fielding lookup requests not disclosed - but they say
that failure caused a/the/some router to fail (crash? explode? :)

IBM, FFS! But they'll point to govt specs and disclaim hardware failure;
still, it's not a great product endorsement for their SoftLayer Cloud.

> I mean, of course it is DoS, but not caused by an attack. Exactly the
> same happens every year on 30th of April between 17:00 and 24:00 on
> the servers of the Federal Bureau of Finance here in Brazil. That is
> the deadline for the online submission of the annual tax declaration
> of the Brazilian citizens. Seems that the bureaucrats all over the
> world share the same deficiency of creative problem solving.

Seems it's a requirement for the job, world wide. Creativity is scary, but
you'd think they could guess that ~8 million households in the eastern
timezone were going to have dinner then do their census within ~2 hours.

> Who in the bureaucrats' hell told them to go with one deadline for
> everybody? For the census in Australia, I would have told the
> citizens that everybody got an individual deadline which is his or
> her birthday in 2016 -- problem solved.

That'd be great load-balancing .. shall I let them know? :)

> > It's not quite clear how to specify an 'empty CC list'? ''? ""? either?
>
> Well, in the Synopsis and in the description of the second usage form
> there was already ... | "". Now, I clarified this in the description
> as well, as follows:
>
> "An empty CC list (denoted by "") means any country code."

Clearer; my old browser was rendering "" to look like '"', i.e. misspaced.

> As already said, the corrections are not part of the initial release
> into the FreeBSD ports; for this one it was too late. The man file on
> GitHub is corrected already.
>
> Best regards
>
> Rolf

All good. Even better when I find what's blocking your host|IP.

cheers, Ian