From: olli hauer <ohauer@gmx.de>
To: freebsd-ipfw@freebsd.org
Cc: "Dr. Rolf Jansen"
Subject: Re: ipfw divert filter for IPv4 geo-blocking
Date: Thu, 28 Jul 2016 05:20:21 +0200
Message-ID: <49c5b646-e524-a1d2-1745-a03c43610819@gmx.de>
References: <61DFB3E2-6E34-4EEA-8AC6-70094CEACA72@cyclaero.com> <4D047727-F7D0-4BEE-BD42-2501F44C9550@obsigna.com> <9641D08A-0501-4AA2-9DF6-D5AFE6CB2975@obsigna.com> <4d76a492-17ae-cbff-f92f-5bbbb1339aad@freebsd.org>
List-Id: IPFW Technical Discussions

On 2016-07-27 23:15, Dr. Rolf Jansen wrote:
>> On 27.07.2016 at 17:08, olli hauer wrote:
>> On 2016-07-27 15:36, Dr. Rolf Jansen wrote:
>>>
>>> I finished adding a second usage form for the geoip tool, namely generation of ipfw table construction directives filtered by country codes.
>>>
>>> ______________
>>> $ geoip -h
>>> geoip v1.0.1 (16), Copyright © 2016 Dr. Rolf Jansen
>>>
>>> Usage:
>>>
>>> 1) look-up the country code belonging to an IPv4 address given by the last command line argument:
>>>
>>>    geoip [-r bstfile] [-h]
>>>    a dotted IPv4 address to be looked-up.
>>>
>>> 2) generate a sorted list of IPv4 address/masklen pairs per country code, formatted as ipfw table construction directives:
>>>
>>>    geoip -t [CC:DD:EE:..] [-n table number] [-v table value] [-r bstfile] [-h]
>>>
>>>    -t [CC:DD:EE:..]  output all IPv4 address/masklen pairs belonging to the listed countries, given by 2 letter
>>>                      capital country codes, separated by colon. An empty CC list means any country code.
>>>    -n table number   the ipfw table number between 0 and 65534 [default: 0].
>>>    -v table value    the 32-bit unsigned value of the ipfw table entry [default: 0].
>>>
>>> valid arguments in both usage forms:
>>>
>>>    -r bstfile        the path to the binary file with the consolidated IP ranges that has been
>>>                      generated by the 'ipdb' tool [default: /usr/local/etc/ipdb/IPRanges/ipcc.bst].
>>>    -h                show these usage instructions.
>>> ______________
>>>
>>> With that, the ipfw configuration script may contain something alike:
>>>
>>> …
>>> # allow only web access from DE, BR, US:
>>> /usr/local/bin/geoip -t DE:BR:US -n 7 | /sbin/ipfw -q /dev/stdin
>>> /sbin/ipfw -q add 70 deny tcp from not table\(7\) to any 80,443 in recv WAN_if setup
>>> …
>>>
>>> OR, the other way around:
>>> …
>>> # deny web access from certain disgraceful regions:
>>> /usr/local/bin/geoip -t KO:TR:SA:RU:GB -n 66 | /sbin/ipfw -q /dev/stdin
>>> /sbin/ipfw -q add 70 allow tcp from not table\(66\) to any 80,443 in recv WAN_if setup
>>> …
>>> ____________
>>
>> Nice work :)
>>
>> Now it is also possible to use geoip to create files usable for pf.
>> (just pipe the output through sed -e 's/table 0 add //')
>>
>> Perhaps the following diff for Makefile is useful.
>> - use PREFIX instead hard coded path
>> - use "install -s" instead "strip -x -o"
>> - use "install -m" instead "cp ; chmod"
>
> I changed the Makefile according to your suggestions, and I added another command line option to the geoip tool:
>
> …
> -p    plain IP table generation, i.e. without ipfw construction directives, -n and -v flags are ignored.
> …
>
> The changes are already uploaded to GitHub.

Thank you :)

--
Regards,
olli
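As an added example (not code from the geoip tool, and not written by anyone in this thread), the POSIX shell function below imitates the table-generation usage form on a small constructed country/prefix list held in memory instead of the ipdb `.bst` file: it filters by a colon-separated country-code list (empty meaning any country), rejects table numbers outside 0..65534, sorts the prefixes, and emits either ipfw `table N add addr/masklen value` directives or, in plain mode (the `-p` option above), the bare prefixes that the `sed` trick above produces for pf. The exact directive layout with a trailing table value and the sample prefixes are assumptions for illustration.

```shell
#!/bin/sh
# Added example: a stand-in for "geoip -t CC:DD -n N -v V [-p]" working on
# constructed data. SAMPLE_RANGES is made up; the real tool reads ipcc.bst.
# Input line format: "<CC> <addr>/<masklen>".
SAMPLE_RANGES='DE 10.1.0.0/16
BR 10.2.0.0/15
US 10.3.4.0/24
RU 10.9.0.0/16
DE 10.0.0.0/24'

# gen_table CODES TABLE VALUE PLAIN
#   CODES: colon-separated two-letter country codes; "" means every country
#   TABLE: ipfw table number (0..65534)   VALUE: table entry value
#   PLAIN: "1" emits bare addr/masklen lines (pf style), "0" emits ipfw directives
gen_table() {
    codes=$1 table=$2 value=$3 plain=$4
    # the usage text limits the table number to 0..65534; refuse anything else
    case "$table" in
        ''|*[!0-9]*) echo "gen_table: bad table number '$table'" >&2; return 1 ;;
    esac
    [ "$table" -le 65534 ] || { echo "gen_table: table number $table > 65534" >&2; return 1; }
    # country codes must be capital two-letter codes separated by colons
    if [ -n "$codes" ] && ! printf '%s' "$codes" | grep -Eq '^[A-Z][A-Z](:[A-Z][A-Z])*$'; then
        echo "gen_table: bad country code list '$codes'" >&2; return 1
    fi
    # 1) select prefixes of the wanted countries
    # 2) sort numerically by octet so the output is stable and readable
    # 3) wrap each prefix in an ipfw table directive unless plain mode is on
    printf '%s\n' "$SAMPLE_RANGES" |
    awk -v codes="$codes" '
        BEGIN { n = split(codes, cc, ":"); for (i = 1; i <= n; i++) want[cc[i]] = 1 }
        codes == "" || ($1 in want) { print $2 }' |
    sort -t . -k1,1n -k2,2n -k3,3n -k4,4n |
    awk -v table="$table" -v value="$value" -v plain="$plain" '
        plain == "1" { print; next }
        { print "table " table " add " $1 " " value }'
}

# Stand-alone demonstration: the allow-list table from the thread (table 7),
# then the same countries as a plain list suitable for a pf table file.
gen_table "DE:BR:US" 7 0 0
gen_table "DE:BR:US" 0 0 1
```

The directive output is what the thread pipes into `ipfw -q /dev/stdin`; the plain output is what the `sed -e 's/table 0 add //'` step strips down to. Of the two rule styles quoted above, the allow-list form (`deny tcp from not table(7)`) fails closed when the table is empty or the generator errors out, which is the safer default for a WAN-facing rule.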