Date:      Thu, 11 Aug 2016 21:06:03 +1000 (EST)
From:      Ian Smith <>
To:        "Dr. Rolf Jansen" <>
Subject:   Re: your thoughts on a particular ipfw action.
Message-ID:  <>
In-Reply-To: <>
References:  <> <> <> <> <> <>

On Wed, 10 Aug 2016 -0300, Dr. Rolf Jansen wrote:

(just curious: whereabouts is -0300?  Brazil?)

 > > On 08.08.2016 at 18:46, Dr. Rolf Jansen <> wrote:
>> I am almost finished with preparing the tools for geo-blocking and 
>> geo-routing at the firewall for submission to the FreeBSD ports.

>> I created a man file for the tools, see: 
>>, and I added the recent suggestions 
>> on rule number/action code per country code, namely, I changed the 
>> formula for the x-flag to the suggestion of Ian (value = offset + 
>> ((C1 - 'A')*26 + (C2 - 'A'))*10), and I added the idea of directly 
>> assigning a number to a country code in the argument for the t-flag 
>> ("CC=nnnnn:...").  Furthermore, I removed the divert filter daemon 
>> from the Makefile. The source is still on GitHub, though, and can be 
>> re-vamped if necessary. Now I am going to prepare the Makefile for
>> the port.

Terrific work, Rolf!  Something for everyone, although I'm guessing the 
pf people are going to want a piece of the action, if they need any more 
than the -p option and a bit of scripting.

 > I just submitted a PR asking to add the new port 'sysutils/ipdbtools'.


 > I needed to change the name of the geoip tool, because GeoIP® is a
 > registered trademark of MaxMind, Inc., see The name 

I did wonder about that ..

 > of the tool is now 'ipup' = abbreviated form of IP geo location table 
 > generation and look-UP, that is without the boring middle part :-D
 > Those, who used geoip already in some scripts, please excuse the
 > inconvenience of needing to change the name.

 > With the great help of Julian, I was able to improve the man file and
 > the latest version can be read online:

Nice manual and all.  A few typos noted below (niggly Virgo proofreader)

I must apologise for added exasperation earlier.  I was tending towards 
conflating several other ipfw issues under discussion (named states, new 
state actions, and this).  Sorry if I bumped you off course momentarily, 
though I don't seem to have slowed you down too much ..

As a hopefully not unwelcome aside, it's a pity that IBM, of all people, 
couldn't manage geo-blocking successfully for the Australian Census the 
other night.  Next time around we can offer them a working geo-blocking 
firewall/router for a good deal less than the AU$9.6M we've paid IBM :)

Census: How the Government says the website meltdown unfolded:

A more tech-savvy article than ABC or other news media managed so far:

cheers, Ian


It is suitable for inclusion into cron.  "for invocation by cron" maybe?

has IPRanges="/usr/local/etc/ipdb/IPRanges" but some (not 
all) mentions in the manpage use "IP-Ranges" with a hyphen, including 
the FILES section.  Also the last one there repeats "*bst.v4" for IPv6.

It's not quite clear how to specify an 'empty CC list'? ''? ""? either?

"from certain [countries?] we don't like .."

"piped into sort of [or?] a pre-processing command .."
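
The x-flag formula quoted above (value = offset + ((C1 - 'A')*26 + (C2 - 'A'))*10), worked through as an added example that is not part of the original message and not taken from the ipdbtools source. It also shows the inverse mapping and how much of ipfw's rule-number space (1..65535, with 65535 the default rule) the mapping occupies. The function names, the uppercase-only input check, the offset bounds and the sample offset 10000 are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* ipfw rule numbers run 1..65535, and 65535 is the built-in default rule. */
#define IPFW_MAX_USER_RULE 65534
/* Distance from "AA" to "ZZ": ((25*26 + 25) * 10) = 6750. */
#define CC_SPAN ((25 * 26 + 25) * 10)

/* Bounds check chosen for this example (an assumption, not the tool's):
 * every code AA..ZZ must map to a usable ipfw rule number, so the
 * offset must lie in 1..(65534 - 6750). */
static int offset_ok(int offset)
{
    return offset >= 1 && offset <= IPFW_MAX_USER_RULE - CC_SPAN;
}

/* value = offset + ((C1 - 'A')*26 + (C2 - 'A'))*10; returns -1 on bad input. */
int cc_to_rule(const char *cc, int offset)
{
    if (cc == NULL || strlen(cc) != 2 || !offset_ok(offset))
        return -1;
    if (cc[0] < 'A' || cc[0] > 'Z' || cc[1] < 'A' || cc[1] > 'Z')
        return -1;
    return offset + ((cc[0] - 'A') * 26 + (cc[1] - 'A')) * 10;
}

/* Inverse mapping, e.g. for reading a rule number back from a log line.
 * Returns 0 and fills out[] on success, -1 if the number is off the grid. */
int rule_to_cc(int rule, int offset, char out[3])
{
    int d = rule - offset;
    if (!offset_ok(offset) || d < 0 || d > CC_SPAN || d % 10 != 0)
        return -1;
    out[0] = (char)('A' + (d / 10) / 26);
    out[1] = (char)('A' + (d / 10) % 26);
    out[2] = '\0';
    return 0;
}

int main(void)
{
    const char *samples[] = { "AU", "BR", "ZZ", "br", "USA" }; /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-3s -> %d\n", samples[i], cc_to_rule(samples[i], 10000));
    return 0;
}
```

With these bounds the largest usable offset is 58784, at which "ZZ" lands on rule 65534, one below the default rule.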

