Date:      Thu, 11 Aug 2016 21:06:03 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        "Dr. Rolf Jansen" <rj@obsigna.com>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: your thoughts on a particular ipfw action.
Message-ID:  <20160811200425.F79687@sola.nimnet.asn.au>
In-Reply-To: <9D024314-57A2-4079-B630-FB0D844DD5B5@obsigna.com>
References:  <20160805024301.H56585@sola.nimnet.asn.au> <B26AAEC0-593A-46D9-A22F-F6B4B78E7E8E@obsigna.com> <7486c7ce-49db-b6b9-a6bb-13f04b4ce6d6@freebsd.org> <F3D40C57-831D-4A7C-B84B-8DA34E4DC701@obsigna.com> <242DF6D8-4287-43BF-BE9F-CE1665D31ED2@obsigna.com> <9D024314-57A2-4079-B630-FB0D844DD5B5@obsigna.com>

On Wed, 10 Aug 2016 -0300, Dr. Rolf Jansen wrote:

(just curious: whereabouts is -0300?  Brazil?)

 > > On 08.08.2016 at 18:46, Dr. Rolf Jansen <rj@obsigna.com> wrote:
 > > I am almost finished with preparing the tools for geo-blocking and
 > > geo-routing at the firewall for submission to the FreeBSD ports.
 > >
 > > I created a man file for the tools, see:
 > > https://cyclaero.github.io/ipdb/, and I added the recent suggestions
 > > on rule number/action code per country code, namely, I changed the
 > > formula for the x-flag to the suggestion of Ian (value = offset +
 > > ((C1 - 'A')*26 + (C2 - 'A'))*10), and I added the idea of directly
 > > assigning a number to a country code in the argument for the t-flag
 > > ("CC=nnnnn:...").  Furthermore, I removed the divert filter daemon
 > > from the Makefile. The source is still on GitHub, though, and can be
 > > re-vamped if necessary. Now I am going to prepare the Makefile for
 > > the port.

Terrific work, Rolf!  Something for everyone, although I'm guessing the 
pf people are going to want a piece of the action, if they need any more 
than the -p option and a bit of scripting.

 > I just submitted a PR asking to add the new port 'sysutils/ipdbtools'.
 > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211744

Wonderful.

 > I needed to change the name of the geoip tool, because GeoIP® is a
 > registered trademark of MaxMind, Inc., see www.maxmind.com. The name 

I did wonder about that ..

 > of the tool is now 'ipup' = abbreviated form of IP geo location table
 > generation and look-UP, that is without the boring middle part :-D
 >
 > Those, who used geoip already in some scripts, please excuse the
 > inconvenience of needing to change the name.

 > With the great help of Julian, I was able to improve the man file and
 > the latest version can be read online:
 >
 >   https://cyclaero.github.io/ipdb/

Nice manual and all.  A few typos noted below (niggly Virgo proofreader)

I must apologise for added exasperation earlier.  I was tending towards 
conflating several other ipfw issues under discussion (named states, new 
state actions, and this).  Sorry if I bumped you off course momentarily, 
though I don't seem to have slowed you down too much ..

As a hopefully not unwelcome aside, it's a pity that IBM, of all people, 
couldn't manage geo-blocking successfully for the Australian Census the 
other night.  Next time around we can offer them a working geo-blocking 
firewall/router for a good deal less than the AU$9.6M we've paid IBM :)

Census: How the Government says the website meltdown unfolded:
http://www.abc.net.au/news/2016-08-10/census-night-how-the-shambles-unfolded/7712964

A more tech-savvy article than ABC or other news media managed so far:
https://www.theguardian.com/australia-news/2016/aug/10/computer-says-no-australian-census-shambles-explanation-depends-on-who-you-ask

cheers, Ian

=======

It is suitable for inclusion into cron.  "for invocation by cron" maybe?

ipdb_update.sh has IPRanges="/usr/local/etc/ipdb/IPRanges" but some (not 
all) mentions in the manpage use "IP-Ranges" with a hyphen, including 
the FILES section.  Also the last one there repeats "*bst.v4" for IPv6.

It's not quite clear how to specify an 'empty CC list'? ''? ""? either?

"from certain [countries?] we don't like .."

"piped into sort of [or?] a pre-processing command .."

=======
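
The country-code numbering quoted above (value = offset + ((C1 - 'A')*26 + (C2 - 'A'))*10, plus explicit "CC=nnnnn:..." assignments), worked through as an added example that is not part of the original message and is not ipdbtools code. The function names, the fallback to the formula for entries without "=nnnnn", and the 65534 ceiling (values used as ipfw rule numbers) are assumptions.

```python
# Added illustration; function names are hypothetical, not taken from ipdbtools.
import re

STEP = 10          # spacing between country codes in the quoted formula
MAX_VALUE = 65534  # assumption: values are used as ipfw rule numbers

def cc_value(cc, offset):
    """value = offset + ((C1 - 'A')*26 + (C2 - 'A'))*10, as quoted in the thread."""
    if not re.fullmatch(r"[A-Z]{2}", cc):
        raise ValueError(f"not a two-letter upper-case country code: {cc!r}")
    return offset + ((ord(cc[0]) - 65) * 26 + (ord(cc[1]) - 65)) * STEP

def value_cc(value, offset):
    """Inverse mapping: the country code whose block of STEP numbers holds value."""
    idx = (value - offset) // STEP
    if not 0 <= idx < 26 * 26:
        return None
    return chr(65 + idx // 26) + chr(65 + idx % 26)

def resolve(spec, offset):
    """Resolve a 'CC=nnnnn:CC:...' list to {cc: value}.

    Assumption: an entry without '=nnnnn' falls back to the formula.
    Rejects out-of-range values and two codes that resolve to the same
    number, which would silently merge two countries into one rule.
    """
    result, owner = {}, {}
    for entry in spec.split(":"):
        cc, _, num = entry.partition("=")
        value = cc_value(cc, offset)        # also validates the country code
        if num:
            if not num.isdigit():
                raise ValueError(f"bad number in {entry!r}")
            value = int(num)
        if not 1 <= value <= MAX_VALUE:
            raise ValueError(f"{cc}: value {value} outside 1..{MAX_VALUE}")
        if value in owner:
            raise ValueError(f"{cc} and {owner[value]} both map to {value}")
        owner[value] = cc
        result[cc] = value
    return result

if __name__ == "__main__":
    # Constructed sample input: one explicit assignment, two formula-derived.
    print(resolve("AU=20000:BR:DE", 10000))
```

With the step of 10, 'ZZ' lands at offset + 6750, so under the rule-number assumption the offset has to stay at or below 58784 for every code to fit.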


