Date:      Mon, 25 Jul 2016 08:47:28 -0700
From:      Michael Sierchio <kudzu@tenebras.com>
To:        "Dr. Rolf Jansen" <rj@cyclaero.com>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: ipfw divert filter for IPv4 geo-blocking
Message-ID:  <CAHu1Y739PvFqqEKE74BjzgLa7NNG6Kh55NPnU5MaA-8HsrjkFw@mail.gmail.com>
In-Reply-To: <61DFB3E2-6E34-4EEA-8AC6-70094CEACA72@cyclaero.com>
References:  <61DFB3E2-6E34-4EEA-8AC6-70094CEACA72@cyclaero.com>

Writing a divert daemon is a praiseworthy project, but I think you could do
this without sending packets to user land.

You could use tables - in fact, a single table of consolidated nets by
country, in which the table entry is a CIDR block and the table arg is a
country code - and you match on table arg. You could simply put nets you
want to block in a table, and dispense with table args. That is how I do
it.

In order to do changes atomically, you need a pair of tables and a pair of
rulesets, and you can swap rulesets when you have built the new table.

On Jul 25, 2016 07:29, "Dr. Rolf Jansen" <rj@cyclaero.com> wrote:

> I have written an ipfw divert filter daemon for IPv4 geo-blocking. It has
> been working flawlessly on two server installations for a week.
>
> Anyway, I am still in doubt whether I do the blocking in the correct way.
> Once the filter receives a packet from the respective divert socket it
> looks up the country code of the source IP in the IP-Ranges database, and
> if the country code shall be allowed then it returns the unaltered packet
> via said socket, otherwise, the filter does no further processing, so the
> packet is effectively gone, lost, dropped, discarded, or whatever would be
> the correct terminology. Is this really the correct way of denying a
> packet, or is it necessary to inform ipfw somehow about the circumstances,
> so it can run a proper dropping procedure?
>
> I uploaded the filter + accompanying tools to GitHub
>
>    https://github.com/cyclaero/ipdb
>
> Many thanks for any advice in advance.
>
> Best regards
>
> Rolf
>
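One way to script the pair-of-tables, pair-of-rulesets swap Michael describes, as an added example that is not part of this thread or of the ipdb project: it assumes FreeBSD 11+ named tables, rule sets 1 and 2, tables geo_a and geo_b, and rule number 100, and follows the simpler variant of putting the nets to block straight into the table instead of matching on table args.

```shell
#!/bin/sh
# Added illustration, not code from the ipdb project: keep two ipfw tables
# (geo_a/geo_b) and two rule sets (1/2). Each reload fills the idle table,
# installs its deny rule in the idle set, then flips sets in one ipfw call.
# Assumes FreeBSD 11+ named tables. DRY_RUN=1 prints the ipfw commands
# instead of running them, so the flow can be inspected on any host.
DRY_RUN=${DRY_RUN:-0}

ipfw_cmd() {
    if [ "$DRY_RUN" = 1 ]; then printf 'ipfw %s\n' "$*"; else ipfw "$@"; fi
}

# Rebuild TABLE from the CIDR list on stdin (one net/len per line, '#' and
# blank lines skipped) and add rule RULE in set RSET that denies inbound
# packets whose source address is in TABLE.
build_set() {
    table=$1 rset=$2 rule=$3
    ipfw_cmd table "$table" create type addr 2>/dev/null || true  # exists: fine
    ipfw_cmd table "$table" flush
    while IFS= read -r net; do
        case $net in ''|\#*) continue ;; esac
        ipfw_cmd table "$table" add "$net"
    done
    ipfw_cmd -q add "$rule" set "$rset" deny ip from "table($table)" to any in
}

# Cut over: ipfw applies "set disable X enable Y" as one atomic operation,
# so no packet is evaluated with both or neither deny rule live. The old
# set is then deleted and its table becomes the idle one for the next reload.
activate() {
    new=$1 old=$2
    ipfw_cmd set disable "$old" enable "$new"
    ipfw_cmd delete set "$old"
}

# ACTIVE (1 or 2) is the set currently live; the block list comes on stdin.
reload_geo() {
    if [ "$1" = 1 ]; then new_set=2 new_tbl=geo_b; else new_set=1 new_tbl=geo_a; fi
    build_set "$new_tbl" "$new_set" 100
    activate "$new_set" "$1"
}

# Constructed sample list for a dry run; not real country data.
sample_list() {
    printf '%s\n' '# constructed example' '198.51.100.0/24' '' '203.0.113.0/24'
}

# Usage on the firewall host:  reload_geo 1 < blocklist.txt
# Dry run anywhere:            DRY_RUN=1; sample_list | reload_geo 1
```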