From owner-freebsd-ipfw@freebsd.org Wed Jul 27 15:31:16 2016
Subject: Re: ipfw divert filter for IPv4 geo-blocking
To: "Dr. Rolf Jansen", freebsd-ipfw@freebsd.org
From: Julian Elischer
Date: Wed, 27 Jul 2016 23:31:04 +0800
Message-ID: <677900fb-c717-743f-fcfe-86b603466e33@freebsd.org>

On 27/07/2016 9:36 PM, Dr.
Rolf Jansen wrote:
>> Am 26.07.2016 um 23:03 schrieb Julian Elischer:
>> On 27/07/2016 3:06 AM, Dr. Rolf Jansen wrote:
>>> There is another tool called geoip, that I uploaded to GitHub, and that I use for looking up country codes by IP addresses on the command line.
>>>
>>> https://github.com/cyclaero/ipdb/blob/master/geoip.c
>>>
>>> This one could easily be extended to produce sorted IP ranges per CC that could be fed into tables of ipfw. I am thinking of adding a command line option for specifying CC's for which the IP ranges should be exported, something like:
>>>
>>> geoip -e DE:BR:US:IT:FR:ES
>>>
>>> And this could print sorted IP-Ranges belonging to the listed countries. For this purpose, what would be the ideal format for directly feeding the produced output into ipfw tables?
>> The format for using tables directly is the same as that used for routing tables.
>> …
>> table 5 add 1.1.1.0/32 1000
>> …
>> your application becomes an application for configuring the firewall.
>> (which you do by feeding commands down a pipe to ipfw, which is started as 'ipfw -q /dev/stdin')
> I finished adding a second usage form for the geoip tool, namely generation of ipfw table construction directives filtered by country codes.

Wow, wonderful! With that tool and ipfw tables we have a fully functional geo blocking/munging solution in about 4 lines of shell script.

> ______________
> $ geoip -h
> geoip v1.0.1 (16), Copyright © 2016 Dr. Rolf Jansen
>
> Usage:
>
> 1) look-up the country code belonging to an IPv4 address given by the last command line argument:
>
>    geoip [-r bstfile] [-h]
>                      a dotted IPv4 address to be looked-up.
>
> 2) generate a sorted list of IPv4 address/masklen pairs per country code, formatted as ipfw table construction directives:
>
>    geoip -t [CC:DD:EE:..] [-n table number] [-v table value] [-r bstfile] [-h]
>
>    -t [CC:DD:EE:..]  output all IPv4 address/masklen pairs belonging to the listed countries, given by 2 letter
>                      capital country codes, separated by colon. An empty CC list means any country code.
>    -n table number   the ipfw table number between 0 and 65534 [default: 0].
>    -v table value    the 32-bit unsigned value of the ipfw table entry [default: 0].
>
> valid arguments in both usage forms:
>
>    -r bstfile        the path to the binary file with the consolidated IP ranges that has been
>                      generated by the 'ipdb' tool [default: /usr/local/etc/ipdb/IPRanges/ipcc.bst].
>    -h                show these usage instructions.
> ______________
>
> With that, the ipfw configuration script may contain something alike:
>
> …
> # allow only web access from DE, BR, US:
> /usr/local/bin/geoip -t DE:BR:US -n 7 | /sbin/ipfw -q /dev/stdin
> /sbin/ipfw -q add 70 deny tcp from not table\(7\) to any 80,443 in recv WAN_if setup
> …
>
> OR, the other way around:
> …
> # deny web access from certain disgraceful regions:
> /usr/local/bin/geoip -t KO:TR:SA:RU:GB -n 66 | /sbin/ipfw -q /dev/stdin
> /sbin/ipfw -q add 70 allow tcp from not table\(66\) to any 80,443 in recv WAN_if setup
> …
> ____________
>
>
> Best regards
>
> Rolf