Date: Fri, 12 Aug 2016 03:20:39 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: "Dr. Rolf Jansen" <rj@obsigna.com>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: your thoughts on a particualar ipfw action.
Message-ID: <20160812014005.V79687@sola.nimnet.asn.au>
In-Reply-To: <DA5B5C46-9505-4A3E-948A-7392844F21C3@obsigna.com>
References: <20160805024301.H56585@sola.nimnet.asn.au>
 <B26AAEC0-593A-46D9-A22F-F6B4B78E7E8E@obsigna.com>
 <7486c7ce-49db-b6b9-a6bb-13f04b4ce6d6@freebsd.org>
 <F3D40C57-831D-4A7C-B84B-8DA34E4DC701@obsigna.com>
 <242DF6D8-4287-43BF-BE9F-CE1665D31ED2@obsigna.com>
 <9D024314-57A2-4079-B630-FB0D844DD5B5@obsigna.com>
 <20160811200425.F79687@sola.nimnet.asn.au>
 <DA5B5C46-9505-4A3E-948A-7392844F21C3@obsigna.com>

On Thu, 11 Aug 2016 10:09:24 -0300, Dr. Rolf Jansen wrote:

> > Am 11.08.2016 um 08:06 schrieb Ian Smith <smithi@nimnet.asn.au>:
> > On Wed, 10 Aug 2016 -0300, Dr. Rolf Jansen wrote:
> >
> > (just curious: whereabouts is -0300? Brazil?)
>
> Yes, I am a German living in Brazil for more than 10 years now. BTW,
> your mail provider is blocking my mails, perhaps, because the origin
> is Brazil, but I am using a German provider for my mail transport.

Oops. You should have mail from smithi@someisp about sorting that out?

Cutting to recent:

> > Terrific work, Rolf! Something for everyone, although I'm guessing the
> > pf people are going to want a piece of the action, if they need any more
> > than the -p option and a bit of scripting.
>
> It is not that much work, to add other output options. The main
> obstacle for me is, that I won't be able to test it carefully
> together with pf. So, it would be good to do this in cooperation with
> someone who got a well running pf firewall -- the same holds for
> other possible applications as well.

Indeed. Once again I've suggested something I can't help with and know
next to nothing about :)

> >> I just submitted a PR asking to add the new port 'sysutils/ipdbtools'.
> >> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211744
> >
> > Wonderful.
>
> The port maintainers were really quick. The port has been accepted
> and has been already committed.

So it has, on refreshing the page. Smooth and fast.

Re __uint128_t I _guess_ there may be macro/s to do that maths for i386?

> >> With the great help of Julian, I was able to improve the man file and
> >> the latest version can be read online:
> >>
> >> https://cyclaero.github.io/ipdb/
> >
> > Nice manual and all. A few typos noted below (niggly Virgo proofreader)
>
> I was tempted to get these last changes into my PR, but I am sorry,

Not at all; nothing that might confuse or deter anybody .. niggles.

> it was too late for the initial release. I committed the corrected
> man file to the GitHub repository, though, it will automatically go
> into the next release of the ipdbtools, perhaps together with some
> additions for using it together with pf(8) and route(8).

Great. Looking forward to having a play, albeit on a box not running
any external services currently, to scope it out.

> Nothing, to be sorry about. I like discussions.

Ok, no sorrow either way ..

> > As a hopefully not unwelcome aside, it's a pity that IBM, of all people,
> > couldn't manage geo-blocking successfully for the Australian Census the
> > other night. Next time around we can offer them a working geo-blocking
> > firewall/router for a good deal less than the AU$9.6M we've paid IBM :)
> >
> > Census: How the Government says the website meltdown unfolded:
> > http://www.abc.net.au/news/2016-08-10/census-night-how-the-shambles-unfolded/7712964
> >
> > A more tech-savvy article than ABC or other news media managed so far:
> > https://www.theguardian.com/australia-news/2016/aug/10/computer-says-no-australian-census-shambles-explanation-depends-on-who-you-ask
>
> Well, I tend to believe that this has nothing to do with DoS attacks,

Some should have been expected, planned for, mitigation anticipated, as
well as expecting at least 5 times the legit connections/hr they tested
for, and as the guardian article pointed to, their DNS was screwed in
several ways: way too long TTL (can't move fast), hard-coded subdomain
in SSL cert (couldn't readily add load-sharing capacity?) and such. But
they admit the geo-blocking fell over - whether inline as firewall or on
another server fielding lookup requests not disclosed - but they say
that failure caused a/the/some router to fail (crash? explode? :) IBM,
FFS! but they'll point to govt specs and disclaim hardware failure but
still it's not great product endorsement for their SoftLayer Cloud.

> I mean, of course it is DoS, but not caused by an attack. Exactly the
> same happens every year on 30th of April between 17:00 and 24:00 on
> the servers of the Federal Bureau of Finance here in Brazil. That is
> the deadline for the online-submission of the annual tax declaration
> of the Brazilian citizens. Seems that the bureaucrats all over the
> world share the same deficiency of creative problem solving.

Seems it's a requirement for the job, world wide. Creativity is scary,
but you think they could guess that ~8 million households in the eastern
timezone were going to have dinner then do their census within ~2 hours.

> Who in the bureaucrats hell told them to go with one deadline for
> everybody? For the census in Australia, I would have told the
> citizens that everybody got an individual deadline which is his or
> her birthday in 2016 -- problem solved.

That'd be great load-balancing .. shall I let them know? :)

> > It's not quite clear how to specify an 'empty CC list'? ''? ""? either?
>
> Well, in the Synopsis and in the description of the second usage form
> there was already ... | "". Now, I clarified this in the description
> as well as follows:
>
> "An empty CC list (denoted by "") means any country code."

Clearer; my old browser was rendering "" to look like '"' ie misspaced.

> As already said, the corrections are not part of the initial release
> into the FreeBSD ports, for this one it was too late. The man file on
> GitHub is corrected already.
>
> Best regards
>
> Rolf

All good. Even better when I find what's blocking your host|IP.

cheers, Ian