Date:      Thu, 11 Aug 2016 10:09:24 -0300
From:      "Dr. Rolf Jansen" <rj@obsigna.com>
To:        freebsd-ipfw@freebsd.org
Subject:   Re: your thoughts on a particualar ipfw action.
Message-ID:  <DA5B5C46-9505-4A3E-948A-7392844F21C3@obsigna.com>
In-Reply-To: <20160811200425.F79687@sola.nimnet.asn.au>
References:  <20160805024301.H56585@sola.nimnet.asn.au> <B26AAEC0-593A-46D9-A22F-F6B4B78E7E8E@obsigna.com> <7486c7ce-49db-b6b9-a6bb-13f04b4ce6d6@freebsd.org> <F3D40C57-831D-4A7C-B84B-8DA34E4DC701@obsigna.com> <242DF6D8-4287-43BF-BE9F-CE1665D31ED2@obsigna.com> <9D024314-57A2-4079-B630-FB0D844DD5B5@obsigna.com> <20160811200425.F79687@sola.nimnet.asn.au>

> On 11.08.2016 at 08:06, Ian Smith <smithi@nimnet.asn.au> wrote:
> On Wed, 10 Aug 2016 -0300, Dr. Rolf Jansen wrote:
>
> (just curious: whereabouts is -0300?  Brazil?)

Yes, I am a German living in Brazil for more than 10 years now. BTW, your mail provider is blocking my mails, perhaps, because the origin is Brazil, but I am using a German provider for my mail transport.

>>> On 08.08.2016 at 18:46, Dr. Rolf Jansen <rj@obsigna.com> wrote:
>>> I am almost finished with preparing the tools for geo-blocking and
>>> geo-routing at the firewall for submission to the FreeBSD ports.
>
>>> I created a man file for the tools, see:
>>> https://cyclaero.github.io/ipdb/, and I added the recent suggestions
>>> on rule number/action code per country code, namely, I changed the
>>> formula for the x-flag to the suggestion of Ian (value = offset +
>>> ((C1 - 'A')*26 + (C2 - 'A'))*10), and I added the idea of directly
>>> assigning a number to a country code in the argument for the t-flag
>>> ("CC=nnnnn:...").  Furthermore, I removed the divert filter daemon
>>> from the Makefile. The source is still on GitHub, though, and can be
>>> re-vamped if necessary. Now I am going to prepare the Makefile for
>>> the port.
>
> Terrific work, Rolf!  Something for everyone, although I'm guessing the
> pf people are going to want a piece of the action, if they need any more
> than the -p option and a bit of scripting.

It is not that much work, to add other output options. The main obstacle for me is, that I won't be able to test it carefully together with pf. So, it would be good to do this in cooperation with someone who got a well running pf firewall -- the same holds for other possible applications as well.

>> I just submitted a PR asking to add the new port 'sysutils/ipdbtools'.
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211744
>
> Wonderful.

The port maintainers were really quick. The port has been accepted and has been already committed.

>> I needed to change the name of the geoip tool, because GeoIP® is a
>> registered trademark of MaxMind, Inc., see www.maxmind.com. The name
>
> I did wonder about that ..
>
>> of the tool is now 'ipup' = abbreviated form of IP geo location table
>> generation and look- UP , that is without the boring middle part :-D
>>
>> Those, who used geoip already in some scripts, please excuse the
>> inconvenience of needing to change the name.
>
>> With the great help of Julian, I was able to improve the man file and
>> the latest version can be read online:
>>
>>  https://cyclaero.github.io/ipdb/
>
> Nice manual and all.  A few typos noted below (niggly Virgo proofreader)

I was tempted to get these last changes into my PR, but I am sorry, it was too late for the initial release. I committed the corrected man file to the GitHub repository, though, it will automatically go into the next release of the ipdbtools, perhaps together with some additions for using it together with pf(8) and route(8).

> I must apologise for added exasperation earlier.  I was tending towards
> conflating several other ipfw issues under discussion (named states, new
> state actions, and this).  Sorry if I bumped you off course momentarily,
> though I don't seem to have slowed you down too much ..

Nothing, to be sorry about. I like discussions.

> As a hopefully not unwelcome aside, it's a pity that IBM, of all people,
> couldn't manage geo-blocking successfully for the Australian Census the
> other night.  Next time around we can offer them a working geo-blocking
> firewall/router for a good deal less than the AU$9.6M we've paid IBM :)
>
> Census: How the Government says the website meltdown unfolded:
> http://www.abc.net.au/news/2016-08-10/census-night-how-the-shambles-unfolded/7712964
>
> A more tech-savvy article than ABC or other news media managed so far:
> https://www.theguardian.com/australia-news/2016/aug/10/computer-says-no-australian-census-shambles-explanation-depends-on-who-you-ask

Well, I tend to believe that this has nothing to do with DoS attacks, I mean, of course it is DoS, but not caused by an attack. Exactly the same happens every year on 30th of April between 17:00 and 24:00 on the servers of the Federal Bureau of Finance here in Brazil. That is the deadline for the online-submission of the annual tax declaration of the Brazilian citizens. Seems that the bureaucrats all over the world share the same deficiency of creative problem solving.

Who in the bureaucrats hell told them to go with one deadline for everybody? For the census in Australia, I would have told the citizens that everybody got an individual deadline which is his or her birthday in 2016 -- problem solved.

> =======
>
> It is suitable for inclusion into cron.  "for invocation by cron" maybe?

OK, "invocation by" sounds better (for me)

> ipdb_update.sh has IPRanges="/usr/local/etc/ipdb/IPRanges" but some (not
> all) mentions in the manpage use "IP-Ranges" with a hyphen, including
> the FILES section.  Also the last one there repeats "*bst.v4" for IPv6.

OK, corrected

> It's not quite clear how to specify an 'empty CC list'? ''? ""? either?

Well, in the Synopsis and in the description of the second usage form there was already ... | "". Now, I clarified this in the description as well as follows:

"An empty CC list (denoted by "") means any country code."


> "from certain [countries?] we don't like .."

OK

> "piped into sort of [or?] a pre-processing command .."

OK, I removed "sort of", leaving "... piped into a pre-processing command ..."

>
> =======

As already said, the corrections are not part of the initial release into the FreeBSD ports, for this one it was too late. The man file on GitHub is corrected already.

Best regards

Rolf
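
The x-flag formula quoted in this message, value = offset + ((C1 - 'A')*26 + (C2 - 'A'))*10, worked through as an added example that is not code from ipdbtools or from either correspondent. The function names, the sample offset 10000, the restriction to uppercase codes, and the check against 65534 as the highest usable ipfw rule number are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

#define IPFW_MAX_RULE 65534L  /* 65535 is ipfw's fixed default rule */
#define CC_STEP       10L     /* spacing between country slots, from the formula */

/* Rule number for an uppercase two-letter country code, or -1 if the
 * code is malformed or the result leaves ipfw's usable rule range. */
long cc_to_rule(const char *cc, long offset)
{
    if (cc == NULL || strlen(cc) != 2 || offset < 1)
        return -1;
    if (cc[0] < 'A' || cc[0] > 'Z' || cc[1] < 'A' || cc[1] > 'Z')
        return -1;
    long value = offset + ((cc[0] - 'A') * 26L + (cc[1] - 'A')) * CC_STEP;
    return value <= IPFW_MAX_RULE ? value : -1;
}

/* Inverse mapping: recover the country code a rule number was derived
 * from. Returns 0 on success, -1 if the number is not a country slot. */
int rule_to_cc(long rule, long offset, char out[3])
{
    long d = rule - offset;
    if (d < 0 || d % CC_STEP != 0 || d / CC_STEP >= 26 * 26)
        return -1;
    d /= CC_STEP;
    out[0] = (char)('A' + d / 26);
    out[1] = (char)('A' + d % 26);
    out[2] = '\0';
    return 0;
}

int main(void)
{
    const char *codes[] = { "AA", "AU", "BR", "DE", "ZZ", "br", "B1" };
    long offset = 10000;  /* constructed sample offset */
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++)
        printf("%s -> %ld\n", codes[i], cc_to_rule(codes[i], offset));
    /* AA..ZZ spans 6750 numbers, so offsets above 58784 push ZZ out of range */
    printf("ZZ at offset 60000 -> %ld\n", cc_to_rule("ZZ", 60000));
    char cc[3];
    if (rule_to_cc(10430, offset, cc) == 0)
        printf("10430 -> %s\n", cc);
    return 0;
}
```

The step of 10 leaves nine unused rule numbers after each country's slot, and the whole AA..ZZ block occupies offset through offset + 6750.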



