Date: Thu, 11 Aug 2016 10:09:24 -0300
From: "Dr. Rolf Jansen" <rj@obsigna.com>
To: freebsd-ipfw@freebsd.org
Subject: Re: your thoughts on a particular ipfw action.
Message-ID: <DA5B5C46-9505-4A3E-948A-7392844F21C3@obsigna.com>
In-Reply-To: <20160811200425.F79687@sola.nimnet.asn.au>
References: <20160805024301.H56585@sola.nimnet.asn.au> <B26AAEC0-593A-46D9-A22F-F6B4B78E7E8E@obsigna.com> <7486c7ce-49db-b6b9-a6bb-13f04b4ce6d6@freebsd.org> <F3D40C57-831D-4A7C-B84B-8DA34E4DC701@obsigna.com> <242DF6D8-4287-43BF-BE9F-CE1665D31ED2@obsigna.com> <9D024314-57A2-4079-B630-FB0D844DD5B5@obsigna.com> <20160811200425.F79687@sola.nimnet.asn.au>
> On 11.08.2016 at 08:06, Ian Smith <smithi@nimnet.asn.au> wrote:
> On Wed, 10 Aug 2016 -0300, Dr. Rolf Jansen wrote:
>
> (just curious: whereabouts is -0300? Brazil?)

Yes, I am a German living in Brazil for more than 10 years now. BTW, your mail provider is blocking my mails, perhaps because the origin is Brazil, but I am using a German provider for my mail transport.

>>> On 08.08.2016 at 18:46, Dr. Rolf Jansen <rj@obsigna.com> wrote:
>>> I am almost finished with preparing the tools for geo-blocking and
>>> geo-routing at the firewall for submission to the FreeBSD ports.
>
>>> I created a man file for the tools, see:
>>> https://cyclaero.github.io/ipdb/, and I added the recent suggestions
>>> on rule number/action code per country code, namely, I changed the
>>> formula for the x-flag to the suggestion of Ian (value = offset +
>>> ((C1 - 'A')*26 + (C2 - 'A'))*10), and I added the idea of directly
>>> assigning a number to a country code in the argument for the t-flag
>>> ("CC=nnnnn:..."). Furthermore, I removed the divert filter daemon
>>> from the Makefile. The source is still on GitHub, though, and can be
>>> re-vamped if necessary. Now I am going to prepare the Makefile for
>>> the port.
>
> Terrific work, Rolf! Something for everyone, although I'm guessing the
> pf people are going to want a piece of the action, if they need any more
> than the -p option and a bit of scripting.

It is not that much work to add other output options. The main obstacle for me is that I won't be able to test it carefully together with pf. So, it would be good to do this in cooperation with someone who has a well running pf firewall -- the same holds for other possible applications as well.

>> I just submitted a PR asking to add the new port 'sysutils/ipdbtools'.
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211744
>
> Wonderful.

The port maintainers were really quick. The port has been accepted and has already been committed.

>> I needed to change the name of the geoip tool, because GeoIP® is a
>> registered trademark of MaxMind, Inc., see www.maxmind.com. The name
>
> I did wonder about that ..
>
>> of the tool is now 'ipup' = abbreviated form of IP geo location table
>> generation and look-UP, that is without the boring middle part :-D
>>
>> Those who used geoip already in some scripts, please excuse the
>> inconvenience of needing to change the name.
>
>> With the great help of Julian, I was able to improve the man file and
>> the latest version can be read online:
>>
>> https://cyclaero.github.io/ipdb/
>
> Nice manual and all. A few typos noted below (niggly Virgo proofreader)

I was tempted to get these last changes into my PR, but I am sorry, it was too late for the initial release. I committed the corrected man file to the GitHub repository, though; it will automatically go into the next release of the ipdbtools, perhaps together with some additions for using it together with pf(8) and route(8).

> I must apologise for added exasperation earlier. I was tending towards
> conflating several other ipfw issues under discussion (named states, new
> state actions, and this). Sorry if I bumped you off course momentarily,
> though I don't seem to have slowed you down too much ..

Nothing to be sorry about. I like discussions.

> As a hopefully not unwelcome aside, it's a pity that IBM, of all people,
> couldn't manage geo-blocking successfully for the Australian Census the
> other night. Next time around we can offer them a working geo-blocking
> firewall/router for a good deal less than the AU$9.6M we've paid IBM :)
>
> Census: How the Government says the website meltdown unfolded:
> http://www.abc.net.au/news/2016-08-10/census-night-how-the-shambles-unfolded/7712964
>
> A more tech-savvy article than ABC or other news media managed so far:
> https://www.theguardian.com/australia-news/2016/aug/10/computer-says-no-australian-census-shambles-explanation-depends-on-who-you-ask

Well, I tend to believe that this has nothing to do with DoS attacks; I mean, of course it is DoS, but not caused by an attack. Exactly the same happens every year on the 30th of April between 17:00 and 24:00 on the servers of the Federal Bureau of Finance here in Brazil. That is the deadline for the online submission of the annual tax declaration of the Brazilian citizens. Seems that the bureaucrats all over the world share the same deficiency of creative problem solving.

Who in the bureaucrats' hell told them to go with one deadline for everybody? For the census in Australia, I would have told the citizens that everybody got an individual deadline which is his or her birthday in 2016 -- problem solved.

> =======
>
> It is suitable for inclusion into cron. "for invocation by cron" maybe?

OK, "invocation by" sounds better (for me).

> ipdb_update.sh has IPRanges="/usr/local/etc/ipdb/IPRanges" but some (not
> all) mentions in the manpage use "IP-Ranges" with a hyphen, including
> the FILES section. Also the last one there repeats "*bst.v4" for IPv6.

OK, corrected.

> It's not quite clear how to specify an 'empty CC list'? ''? ""? either?

Well, in the Synopsis and in the description of the second usage form there was already ... | "". Now, I clarified this in the description as well, as follows:

"An empty CC list (denoted by "") means any country code."

> "from certain [countries?] we don't like .."

OK

> "piped into sort of [or?] a pre-processing command .."

OK, I removed "sort of", leaving "... piped into a pre-processing command ..."

>
> =======

As already said, the corrections are not part of the initial release into the FreeBSD ports; for this one it was too late. The man file on GitHub is corrected already.

Best regards

Rolf
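The rule-number formula for the x-flag quoted in the thread above, value = offset + ((C1 - 'A')*26 + (C2 - 'A'))*10, gives every two-letter country code its own block of ten ipfw rule numbers, so per-country rules never collide. The C program below is an added example and is not code from this message or from the ipdbtools sources: it implements that formula with input validation, the inverse mapping from a rule number back to its country code, and a check that the whole 676-code range still fits below ipfw's default rule 65535. The function names and the sample offset 10000 are assumptions made for the illustration.

```c
/*
 * Added example (not from the thread or from ipdbtools): the x-flag
 * rule-number formula  value = offset + ((C1 - 'A')*26 + (C2 - 'A'))*10
 * with validation, its inverse, and the range check against ipfw's rule space.
 * Function names are hypothetical; the offset 10000 in main() is a constructed sample.
 */
#include <stdio.h>
#include <ctype.h>
#include <string.h>

#define IPFW_DEFAULT_RULE 65535     /* highest ipfw rule number, reserved for the default rule */
#define CC_SLOTS          (26 * 26) /* 676 two-letter codes, each owning 10 consecutive numbers */

/* Map a two-letter upper-case country code to its rule number.
 * Returns -1 for an invalid code or when the result does not fit below the default rule. */
int cc_to_rule(int offset, const char *cc)
{
    if (offset < 1 || cc == NULL || strlen(cc) != 2)
        return -1;
    /* Only 'A'..'Z' make the (C - 'A') arithmetic well defined; reject "de", "USA", digits. */
    if (!isupper((unsigned char)cc[0]) || !isupper((unsigned char)cc[1]))
        return -1;
    int idx = (cc[0] - 'A') * 26 + (cc[1] - 'A');  /* 0 .. 675 */
    long rule = (long)offset + (long)idx * 10;
    if (rule >= IPFW_DEFAULT_RULE)
        return -1;  /* would land on or beyond the default rule */
    return (int)rule;
}

/* Inverse: recover the country code from a rule number produced by cc_to_rule().
 * Writes two letters plus NUL into out (needs 3 bytes). Returns 0 on success, -1 otherwise. */
int rule_to_cc(int offset, int rule, char out[3])
{
    if (rule < offset || (rule - offset) % 10 != 0)
        return -1;  /* not the first number of a country's block */
    int idx = (rule - offset) / 10;
    if (idx >= CC_SLOTS)
        return -1;
    out[0] = (char)('A' + idx / 26);
    out[1] = (char)('A' + idx % 26);
    out[2] = '\0';
    return 0;
}

/* Largest offset for which all 676 codes still map below the default rule. */
int max_offset(void)
{
    return IPFW_DEFAULT_RULE - 1 - (CC_SLOTS - 1) * 10;
}

/* Returns 1 when cc maps to a rule number and that number maps back to cc. */
int roundtrip_ok(int offset, const char *cc)
{
    char back[3];
    int rule = cc_to_rule(offset, cc);
    if (rule < 0 || rule_to_cc(offset, rule, back) != 0)
        return 0;
    return strcmp(back, cc) == 0;
}

int main(void)
{
    const int offset = 10000;  /* constructed sample offset */
    const char *samples[] = { "BR", "DE", "AU", "ZZ", "de", "USA" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char back[3];
        int r = cc_to_rule(offset, samples[i]);
        if (r < 0)
            printf("%-3s -> rejected\n", samples[i]);
        else if (rule_to_cc(offset, r, back) == 0)
            printf("%-3s -> rule %5d -> %s\n", samples[i], r, back);
    }
    printf("largest offset keeping all codes below rule %d: %d\n",
           IPFW_DEFAULT_RULE, max_offset());
    return 0;
}
```

With offset 10000, "BR" maps to 10430 and "ZZ" to 16750; any offset above 58784 pushes "ZZ" onto or past rule 65535 and is rejected, which is the check a firewall script should make before generating rules from the formula.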