From: "Dr. Rolf Jansen" <rj@obsigna.com>
To: freebsd-ipfw@freebsd.org
Cc: olli hauer
Subject: Re: ipfw divert filter for IPv4 geo-blocking
Date: Wed, 27 Jul 2016 18:15:33 -0300
References: <61DFB3E2-6E34-4EEA-8AC6-70094CEACA72@cyclaero.com> <4D047727-F7D0-4BEE-BD42-2501F44C9550@obsigna.com> <9641D08A-0501-4AA2-9DF6-D5AFE6CB2975@obsigna.com> <4d76a492-17ae-cbff-f92f-5bbbb1339aad@freebsd.org>

> On 27.07.2016 at 17:08, olli hauer wrote:
> On 2016-07-27 15:36, Dr. Rolf Jansen wrote:
>>
>> I finished adding a second usage form for the geoip tool, namely generation of ipfw table construction directives filtered by country codes.
>>
>> ______________
>> $ geoip -h
>> geoip v1.0.1 (16), Copyright © 2016 Dr. Rolf Jansen
>>
>> Usage:
>>
>> 1) look-up the country code belonging to an IPv4 address given by the last command line argument:
>>
>>    geoip [-r bstfile] [-h]
>>                      a dotted IPv4 address to be looked-up.
>>
>> 2) generate a sorted list of IPv4 address/masklen pairs per country code, formatted as ipfw table construction directives:
>>
>>    geoip -t [CC:DD:EE:..] [-n table number] [-v table value] [-r bstfile] [-h]
>>
>>    -t [CC:DD:EE:..]  output all IPv4 address/masklen pairs belonging to the listed countries, given by 2 letter
>>                      capital country codes, separated by colon. An empty CC list means any country code.
>>    -n table number   the ipfw table number between 0 and 65534 [default: 0].
>>    -v table value    the 32-bit unsigned value of the ipfw table entry [default: 0].
>>
>> valid arguments in both usage forms:
>>
>>    -r bstfile        the path to the binary file with the consolidated IP ranges that has been
>>                      generated by the 'ipdb' tool [default: /usr/local/etc/ipdb/IPRanges/ipcc.bst].
>>    -h                show these usage instructions.
>> ______________
>>
>> With that, the ipfw configuration script may contain something alike:
>>
>> …
>> # allow only web access from DE, BR, US:
>> /usr/local/bin/geoip -t DE:BR:US -n 7 | /sbin/ipfw -q /dev/stdin
>> /sbin/ipfw -q add 70 deny tcp from not table\(7\) to any 80,443 in recv WAN_if setup
>> …
>>
>> OR, the other way around:
>> …
>> # deny web access from certain disgraceful regions:
>> /usr/local/bin/geoip -t KO:TR:SA:RU:GB -n 66 | /sbin/ipfw -q /dev/stdin
>> /sbin/ipfw -q add 70 allow tcp from not table\(66\) to any 80,443 in recv WAN_if setup
>> …
>> ____________
>
> Nice work :)
>
> Now it is also possible to use geoip to create files usable for pf.
> (just pipe the output through sed -e 's/table 0 add //')
>
> Perhaps the following diff for Makefile is useful.
> - use PREFIX instead of a hard-coded path
> - use "install -s" instead of "strip -x -o"
> - use "install -m" instead of "cp ; chmod"

I changed the Makefile according to your suggestions, and I added another command line option to the geoip tool:

…
-p    plain IP table generation, i.e. without ipfw construction directives, -n and -v flags are ignored.
…

The changes are already uploaded to GitHub.

Best regards

Rolf
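An added example, not code from geoip/ipdb or from anyone in this thread: before piping the generated table directives into ipfw (or stripping them into a pf table file as olli suggests), check that the output is well-formed and non-empty, because an empty table turns the block-list form "allow tcp from not table(66)" into an allow-everything rule. The "table <N> add <addr>/<len> [value]" line format and the sample lines are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of geoip/ipdb or the thread: sanity-check the ipfw
# table directives that "geoip -t ... -n N" prints before they are piped into
# "ipfw -q /dev/stdin", and strip them to a plain list for a pf table file.
# Assumed (constructed) line format: "table <N> add <addr>/<len> [value]".

# Constructed stand-in for the output of "geoip -t DE:BR -n 7".
SAMPLE_DIRECTIVES='table 7 add 203.0.113.0/24 0
table 7 add 198.51.100.128/25 0
table 7 add 192.0.2.0/24 0'

# Pass through only well-formed directives for table number $1 and fail (exit
# status 1, no output) when none survive. Loading an empty table silently
# inverts the block-list form: "allow tcp from not table(66)" then matches
# every source, i.e. the filter fails open, so a script should stop here.
valid_directives() {
    _tbl="$1"
    _re="^table ${_tbl} add ([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])( [0-9]+)?\$"
    _out=$(grep -E "$_re" || true)
    [ -n "$_out" ] || return 1
    printf '%s\n' "$_out"
}

# Olli's sed conversion, generalised to any table number and a trailing value,
# giving lines usable with: table <geo_web> persist file "/usr/local/etc/geo_web"
to_pf_list() {
    sed -E 's/^table [0-9]+ add //; s/ [0-9]+$//'
}

# Number of entries that would be loaded; a caller can refuse to add a rule
# referencing the table when this is 0.
count_entries() {
    grep -c . || true
}

# Dry run: show what would go to ipfw, then the pf table file contents.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_DIRECTIVES" | valid_directives 7 || { echo "no entries" >&2; exit 1; }
    printf '%s\n' "$SAMPLE_DIRECTIVES" | valid_directives 7 | to_pf_list
fi
```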