From owner-freebsd-ipfw@freebsd.org Fri Jul 29 02:48:30 2016
From: Lee Brown
Date: Thu, 28 Jul 2016 19:48:28 -0700
Subject: Re: ipfw divert filter for IPv4 geo-blocking
To: freebsd-ipfw@freebsd.org
In-Reply-To: <0D3C9016-7A4A-46BA-B35F-3844D07562A8@obsigna.com>
References: <61DFB3E2-6E34-4EEA-8AC6-70094CEACA72@cyclaero.com> <4D047727-F7D0-4BEE-BD42-2501F44C9550@obsigna.com> <9641D08A-0501-4AA2-9DF6-D5AFE6CB2975@obsigna.com> <4d76a492-17ae-cbff-f92f-5bbbb1339aad@freebsd.org> <677900fb-c717-743f-fcfe-86b603466e33@freebsd.org> <0D3C9016-7A4A-46BA-B35F-3844D07562A8@obsigna.com>

That makes sense to me. Your /20 range encompasses 201.222.16.0 - 201.222.31.255.

If you want 201.222.20.0-201.222.31.255, you'll need 3 ranges:

201.222.20.0/22 (201.222.20.0-201.222.23.255)
201.222.24.0/22 (201.222.24.0-201.222.27.255)
201.222.28.0/22 (201.222.28.0-201.222.31.255)

this helps :)

On Thu, Jul 28, 2016 at 7:21 PM, Dr. Rolf Jansen wrote:
>
>> Am 27.07.2016 um 12:31 schrieb Julian Elischer:
>>
>> On 27/07/2016 9:36 PM, Dr. Rolf Jansen wrote:
>>>> Am 26.07.2016 um 23:03 schrieb Julian Elischer:
>>>>
>>>> On 27/07/2016 3:06 AM, Dr. Rolf Jansen wrote:
>>>>> There is another tool called geoip, that I uploaded to GitHub, and that I use for looking up country codes by IP addresses on the command line.
>>>>>
>>>>> https://github.com/cyclaero/ipdb/blob/master/geoip.c
>>>>>
>>>>> This one could easily be extended to produce sorted IP ranges per CC that could be fed into tables of ipfw. I am thinking of adding a command line option for specifying CC's for which the IP ranges should be exported, something like:
>>>>>
>>>>> geoip -e DE:BR:US:IT:FR:ES
>>>>>
>>>>> And this could print sorted IP-Ranges belonging to the listed countries. For this purpose, what would be the ideal format for directly feeding the produced output into ipfw tables?
>>>> The format for using tables directly is the same as that used for routing tables.
>>>> …
>>>> table 5 add 1.1.1.0/32 1000
>>>> …
>>>> your application becomes an application for configuring the firewall.
>>>> (which you do by feeding commands down a pipe to ipfw, which is started as 'ipfw -q /dev/stdin')
>>> I finished adding a second usage form for the geoip tool, namely generation of ipfw table construction directives filtered by country codes.
>> wow, wonderful!
>>
>> with that tool, and ipfw tables we have a fully functional geo blocking/munging solution in about 4 lines of shell script.
>
> Unfortunately, I finally discovered that ipfw tables as they are, are unsuitable for the given purpose, because for some reason ipfw mangles about 20 % of the passed IP address/masklen pairs.
>
> For example:
>
> # ipfw table 1 add 201.222.20.0/20
> # ipfw table 1 list
> --> 201.222.16.0/20 0
>
> $ geoip 201.222.20.1
> --> 201.222.20.1 in 201.222.20.0-201.222.31.255 in BR
>
> $ geoip 201.222.16.1
> --> 201.222.16.1 in 201.222.16.0-201.222.19.255 in AR
>
> Effectively, I asked ipfw to add an IP-range of Brazil to table 1, but it actually added another one which belongs to Argentina. This doesn't make too much sense, does it?
>
> For the time being I switched my servers back to geo-blocking with the divert filter daemon.
>
> Best regards
>
> Rolf
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
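Added example (not part of the thread, and not code from ipfw or from the ipdb/geoip project): a small C program that makes the point of Lee's reply mechanical. cidr_normalize does what ipfw does with a table entry whose address is not on its prefix boundary: it keeps only the network bits, so 201.222.20.0/20 becomes 201.222.16.0/20, which is why the entry lands in the neighbouring AR block. cidr_is_aligned is the check a range exporter such as `geoip -e` would want to run before emitting a line, and range_to_cidrs splits an inclusive start-end range into the minimal list of aligned prefixes, ready to be fed to `ipfw -q /dev/stdin` as Julian described. For 201.222.20.0-201.222.31.255 it emits 201.222.20.0/22 and 201.222.24.0/21; the latter covers the same addresses as the two /22s at 201.222.24.0 and 201.222.28.0. The function names, the table number and the sample ranges are assumptions of this example.

```c
/* Added example (not from the thread or from the geoip/ipdb project):
 * split an inclusive IPv4 range into CIDR blocks that ipfw(8) will store
 * unchanged, and show why 201.222.20.0/20 is stored as 201.222.16.0/20. */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint32_t net;   /* network address, host byte order */
    int      len;   /* prefix length, 0..32 */
} cidr_t;

/* Parse a dotted quad into a host-order uint32_t. Returns 1 on success. */
int ip4_parse(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
    return 1;
}

/* Netmask for a prefix length; len 0 yields 0 without a 32-bit shift. */
static uint32_t prefix_mask(int len)
{
    return len == 0 ? 0u : (uint32_t)(0xFFFFFFFFu << (32 - len));
}

/* What ipfw does with a table entry: keep the network bits only.
 * 201.222.20.0/20 -> 201.222.16.0/20, because the third octet
 * 20 = 0b00010100 has a set bit inside the masked-off host part. */
uint32_t cidr_normalize(uint32_t addr, int len)
{
    return addr & prefix_mask(len);
}

/* 1 if addr/len is on its prefix boundary, i.e. ipfw stores it as given. */
int cidr_is_aligned(uint32_t addr, int len)
{
    return cidr_normalize(addr, len) == addr;
}

/* Decompose the inclusive range [lo, hi] into the minimal list of CIDR
 * blocks: each block is the widest prefix that starts exactly at the
 * current position and does not run past hi. Returns the block count;
 * at most max entries are written to out. 64-bit arithmetic avoids
 * wrapping at 255.255.255.255 and undefined 32-bit shifts. */
int range_to_cidrs(uint32_t lo, uint32_t hi, cidr_t *out, int max)
{
    uint64_t cur = lo, end = hi;
    int n = 0;

    while (cur <= end) {
        int len = 32;
        while (len > 0) {
            uint64_t size = (uint64_t)1 << (32 - (len - 1)); /* size of a len-1 block */
            if ((cur & (size - 1)) != 0 || cur + size - 1 > end)
                break;      /* the wider block would be unaligned or overshoot hi */
            len--;
        }
        if (n < max) {
            out[n].net = (uint32_t)cur;
            out[n].len = len;
        }
        n++;
        cur += (uint64_t)1 << (32 - len);
    }
    return n;
}

/* Print "table N add a.b.c.d/len" lines for `ipfw -q /dev/stdin`. */
void emit_ipfw_table(FILE *fp, int table, uint32_t lo, uint32_t hi)
{
    cidr_t blocks[64];              /* a range never needs more than 62 blocks */
    int n = range_to_cidrs(lo, hi, blocks, 64);
    for (int i = 0; i < n && i < 64; i++) {
        unsigned a = blocks[i].net;
        fprintf(fp, "table %d add %u.%u.%u.%u/%d\n", table,
                a >> 24, (a >> 16) & 255u, (a >> 8) & 255u, a & 255u, blocks[i].len);
    }
}

int main(void)
{
    uint32_t lo, hi;                /* constructed sample: the BR range from the thread */
    ip4_parse("201.222.20.0", &lo);
    ip4_parse("201.222.31.255", &hi);
    printf("201.222.20.0/20 is %s\n",
           cidr_is_aligned(lo, 20) ? "aligned" : "not aligned: ipfw would store 201.222.16.0/20");
    emit_ipfw_table(stdout, 1, lo, hi);
    return 0;
}
```

Piping the output into `ipfw -q /dev/stdin` adds only prefixes that pass cidr_is_aligned, so `ipfw table 1 list` shows exactly what was generated; rejecting or splitting unaligned input in the generator is the check that turns the "mangled 20 %" into a deterministic conversion.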