From: Julian Elischer
Date: Fri, 5 Aug 2016 14:15:37 +0800
To: "Dr. Rolf Jansen", ipfw mailing list
Cc: Ian Smith
Subject: Re: your thoughts on a particular ipfw action.
References: <20160805024301.H56585@sola.nimnet.asn.au>

On 5/08/2016 2:22 AM, Dr. Rolf Jansen wrote:
>
> I am completely free of passions on this CC encoding thingy. I won't use this feature anyway. Please, may I suggest that the experts of the ipfw community come to an agreement, and then I will change the implementation accordingly.
>
> Another possibility could be to attach the desired rule numbers directly to the country codes in the argument of the -t option. How about:
>
>     geoip -t AU=50000:RU=50010:US=50020:BR=50030
>
> The present behaviour would be kept without attached numbers. Please let me know your choices. Furthermore, if the new ipfw allows for more sophisticated table construction directives that could be beneficial for country code based table processing, please advise.
>
>>
>> Which has a minimum value of 0 (AA) and maximum of 25 * 26 + 25 = 675,
>> so at a spacing of 10 (less would do, but room for at least a couple in
>> between for patching) is a much smaller range of 0 .. 6750, plus offset,
>> potentially less if step size were also optional.
>
> I will be ready to change the encoding scheme to anything the community will have agreed upon.
>

I think your very first idea is best

    geoip -t AU:US:DE -n ${GEO_TABLE} -v ${ALLOW_VALUE} |ipfw -q /dev/stdin

we can embed that into scripts any way we want.
let's call this "done", drop it into a port and get onto more productive things..

thanks for all the work and I already have a use for this in my home network.. My "home" network spreads over 2 continents with VPNs etc and I sometimes want to make sure that reaching certain sites only happens from the exit point near the destination, due to geo blocking. I think using geo-ip to sidestep geo blocking will be a perfect use.
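
The country-code encoding quoted in this thread (AA = 0 up to ZZ = 675, a spacing of 10, plus an offset) combined with the proposed `CC=number` form of the `-t` argument, as an added Python example that is not code from the geoip tool or from any participant in the thread. The function names, the default offset of 50000 and the 1..65534 range check are assumptions made for illustration.

```python
import re

CC_RE = re.compile(r"[A-Z]{2}")
NUM_RE = re.compile(r"[0-9]{1,5}")
# Assumption: usable ipfw rule numbers are 1..65534 (65535 is the default rule).
RULE_MIN, RULE_MAX = 1, 65534


def cc_index(cc):
    """AA -> 0 ... ZZ -> 25 * 26 + 25 = 675, the range quoted in the thread."""
    if not CC_RE.fullmatch(cc):
        raise ValueError(f"not a two-letter country code: {cc!r}")
    return (ord(cc[0]) - ord("A")) * 26 + (ord(cc[1]) - ord("A"))


def parse_targets(spec, offset=50000, step=10):
    """Return {country_code: rule_number} for a -t style argument.

    'AU:US:DE' gets numbers derived from the encoding (offset + index * step);
    'AU=50000:RU=50010' keeps the numbers attached to each code.
    offset and step defaults are assumptions, not values used by geoip.
    """
    rules = {}
    for item in spec.split(":"):
        cc, has_number, number = item.partition("=")
        index = cc_index(cc)  # also rejects empty or malformed codes
        if cc in rules:
            raise ValueError(f"country code given twice: {cc}")
        if has_number:
            if not NUM_RE.fullmatch(number):
                raise ValueError(f"bad rule number for {cc}: {number!r}")
            rule = int(number)
        else:
            rule = offset + index * step
        if not RULE_MIN <= rule <= RULE_MAX:
            raise ValueError(f"rule number out of range for {cc}: {rule}")
        rules[cc] = rule
    return rules


if __name__ == "__main__":
    print(parse_targets("AU:US:DE"))
    print(parse_targets("AU=50000:RU=50010:US=50020:BR=50030"))
```

Rejecting malformed codes and out-of-range numbers before anything is piped to `ipfw -q /dev/stdin` keeps a typo in a script from loading a partial or misnumbered ruleset.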