Date:      Thu, 11 Aug 2016 10:09:24 -0300
From:      "Dr. Rolf Jansen"
Subject:   Re: your thoughts on a particular ipfw action.

> On 11.08.2016 at 08:06, Ian Smith wrote:
> On Wed, 10 Aug 2016 -0300, Dr. Rolf Jansen wrote:
> (just curious: whereabouts is -0300?  Brazil?)

Yes, I am a German living in Brazil for more than 10 years now. BTW, your
mail provider is blocking my mails, perhaps because the origin is Brazil,
but I am using a German provider for my mail transport.

>>> On 08.08.2016 at 18:46, Dr. Rolf Jansen wrote:
>>> I am almost finished with preparing the tools for geo-blocking and
>>> geo-routing at the firewall for submission to the FreeBSD ports.
>>> I created a man file for the tools, see: , and I added the recent
>>> suggestions on rule number/action code per country code, namely, I
>>> changed the formula for the x-flag to the suggestion of Ian (value =
>>> offset + ((C1 - 'A')*26 + (C2 - 'A'))*10), and I added the idea of
>>> directly assigning a number to a country code in the argument for the
>>> t-flag ("CC=nnnnn:...").  Furthermore, I removed the divert filter
>>> daemon from the Makefile. The source is still on GitHub, though, and
>>> can be re-vamped if necessary. Now I am going to prepare the Makefile
>>> for the port.
> Terrific work, Rolf!  Something for everyone, although I'm guessing
> pf people are going to want a piece of the action, if they need any
> than the -p option and a bit of scripting.

It is not that much work to add other output options. The main obstacle
for me is that I won't be able to test it carefully together with pf.
So, it would be good to do this in cooperation with someone who has a
well-running pf firewall -- the same holds for other possible
applications as well.

>> I just submitted a PR asking to add the new port
> Wonderful.

The port maintainers were really quick. The port has been accepted and
has already been committed.

>> I needed to change the name of the geoip tool, because GeoIP® is a
>> registered trademark of MaxMind, Inc., see The name
> I did wonder about that ..
>> of the tool is now 'ipup' = abbreviated form of IP geo location
>> generation and look-UP, that is without the boring middle part :-D
>> Those, who used geoip already in some scripts, please excuse the
>> inconvenience of needing to change the name.
>> With the great help of Julian, I was able to improve the man file and
>> the latest version can be read online:
> Nice manual and all.  A few typos noted below (niggly Virgo

I was tempted to get these last changes into my PR, but I am sorry, it
was too late for the initial release. I committed the corrected man file
to the GitHub repository, though; it will automatically go into the next
release of the ipdbtools, perhaps together with some additions for using
it together with pf(8) and route(8).

> I must apologise for added exasperation earlier.  I was tending to
> conflate several other ipfw issues under discussion (named states,
> state actions, and this).  Sorry if I bumped you off course
> though I don't seem to have slowed you down too much ..

Nothing to be sorry about. I like discussions.

> As a hopefully not unwelcome aside, it's a pity that IBM, of all
> couldn't manage geo-blocking successfully for the Australian Census
> other night.  Next time around we can offer them a working
> firewall/router for a good deal less than the AU$9.6M we've paid IBM
> Census: How the Government says the website meltdown unfolded:
> A more tech-savvy article than ABC or other news media managed so far:

Well, I tend to believe that this has nothing to do with DoS attacks; I
mean, of course it is DoS, but not caused by an attack. Exactly the same
happens every year on the 30th of April between 17:00 and 24:00 on the
servers of the Federal Bureau of Finance here in Brazil. That is the
deadline for the online submission of the annual tax declaration of
Brazilian citizens. It seems that bureaucrats all over the world share
the same deficiency in creative problem solving.

Who in bureaucrats' hell told them to go with one deadline for
everybody? For the census in Australia, I would have told the citizens
that everybody got an individual deadline, which is his or her birthday
in 2016 -- problem solved.

> =======
> It is suitable for inclusion into cron.  "for invocation by cron"

OK, "invocation by" sounds better (for me).

> has IPRanges="/usr/local/etc/ipdb/IPRanges" but some
> all) mentions in the manpage use "IP-Ranges" with a hyphen, including
> the FILES section.  Also the last one there repeats "*bst.v4" for

OK, corrected

> It's not quite clear how to specify an 'empty CC list'? ''? ""?

Well, in the Synopsis and in the description of the second usage form
there was already ... | "". Now, I clarified this in the description as
well, as follows:

"An empty CC list (denoted by "") means any country code."

> "from certain [countries?] we don't like .."


> "piped into sort of [or?] a pre-processing command .."

OK, I removed "sort of", leaving "... piped into a pre-processing
command ..."

> =======

As already said, the corrections are not part of the initial release
into the FreeBSD ports; for this one it was too late. The man file on
GitHub is corrected already.

Best regards
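The rule-number formula for the x-flag and the "CC=nnnnn" direct assignment for the t-flag, both quoted earlier in this mail, worked through in C as an added example; this is not code from the ipdbtools project or from anyone in this thread. The offset value, the colon as item separator inside the t-flag argument, the sample country codes and the override list are assumptions; only the formula and the "CC=nnnnn" item shape come from the mail. The example also adds the inverse mapping (rule number back to country code) and a range check, since ipfw rule numbers stop at 65535 and 65535 itself is the fixed default rule.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Highest rule number a user can assign; 65535 is ipfw's default rule. */
#define IPFW_MAX_USER_RULE 65534

/* Rule number for a two-letter country code, using the formula from the mail:
 *   value = offset + ((C1 - 'A')*26 + (C2 - 'A'))*10
 * Returns -1 if cc is not two ASCII letters or the result leaves the ipfw range. */
long cc_rule_number(const char *cc, long offset)
{
    if (cc == NULL || strlen(cc) != 2 ||
        !isalpha((unsigned char)cc[0]) || !isalpha((unsigned char)cc[1]))
        return -1;
    long c1 = toupper((unsigned char)cc[0]) - 'A';
    long c2 = toupper((unsigned char)cc[1]) - 'A';
    long value = offset + (c1 * 26 + c2) * 10;
    return (value < 1 || value > IPFW_MAX_USER_RULE) ? -1 : value;
}

/* Inverse mapping: recover the country code from a rule number inside the
 * block that starts at offset. Returns 0 and fills out on success, -1 otherwise. */
int rule_number_to_cc(long rule, long offset, char out[3])
{
    long rel = rule - offset;
    if (rel < 0 || rel % 10 != 0 || rel / 10 >= 26 * 26)
        return -1;
    out[0] = (char)('A' + rel / 10 / 26);
    out[1] = (char)('A' + rel / 10 % 26);
    out[2] = '\0';
    return 0;
}

/* Round-trip check: formula followed by the inverse must give cc back. */
int cc_roundtrip(const char *cc, long offset)
{
    char back[3];
    long n = cc_rule_number(cc, offset);
    return n != -1 && rule_number_to_cc(n, offset, back) == 0 && strcmp(back, cc) == 0;
}

/* Look up cc in a colon-separated list of "CC=nnnnn" items, the direct
 * assignment the mail describes for the t-flag ("CC=nnnnn:...").
 * ASSUMPTION: ':' separates items; the tool's real argument grammar is not
 * given in the mail. Returns the assigned number, or -1 if cc is not listed
 * or the number is malformed or outside the ipfw range. */
long cc_override(const char *spec, const char *cc)
{
    if (spec == NULL || cc == NULL || strlen(cc) != 2)
        return -1;
    const char *p = spec;
    while (*p) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len > 3 && p[2] == '=' &&
            toupper((unsigned char)p[0]) == toupper((unsigned char)cc[0]) &&
            toupper((unsigned char)p[1]) == toupper((unsigned char)cc[1])) {
            char *stop;
            long n = strtol(p + 3, &stop, 10);
            /* the digits must fill the whole item and the number must be usable */
            return (stop == p + len && n >= 1 && n <= IPFW_MAX_USER_RULE) ? n : -1;
        }
        if (!end)
            break;
        p = end + 1;
    }
    return -1;
}

/* Resolve a country code: an explicit override wins, otherwise the formula. */
long cc_rule_resolve(const char *spec, const char *cc, long offset)
{
    long n = cc_override(spec, cc);
    return (n != -1) ? n : cc_rule_number(cc, offset);
}

int main(void)
{
    /* constructed sample codes and a constructed override list */
    const char *codes[] = { "AA", "BR", "DE", "ZZ", "X1" };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++)
        printf("%s -> %ld\n", codes[i], cc_rule_number(codes[i], 10000));
    printf("BR via override -> %ld\n", cc_rule_resolve("BR=60000:DE=60010", "BR", 10000));
    /* ZZ is the largest value, offset + 6750, so the offset may not exceed 58784 */
    printf("ZZ at offset 58785 -> %ld\n", cc_rule_number("ZZ", 58785));
    return 0;
}
```

The range check matters because the formula spreads 676 codes over 6760 numbers; picking an offset above 58784 silently pushes the last codes past the numbers ipfw will accept, and the override path lets a few codes sit at hand-chosen numbers without disturbing the computed block.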

