Date: Fri, 5 Aug 2016 14:15:37 +0800 From: Julian Elischer <julian@freebsd.org> To: "Dr. Rolf Jansen" <rj@obsigna.com>, ipfw mailing list <ipfw@freebsd.org> Cc: Ian Smith <smithi@nimnet.asn.au> Subject: Re: your thoughts on a particualar ipfw action. Message-ID: <b0fb28b7-0a8b-e600-2f1f-c9933dcb643a@freebsd.org> In-Reply-To: <B26AAEC0-593A-46D9-A22F-F6B4B78E7E8E@obsigna.com> References: <20160805024301.H56585@sola.nimnet.asn.au> <B26AAEC0-593A-46D9-A22F-F6B4B78E7E8E@obsigna.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 5/08/2016 2:22 AM, Dr. Rolf Jansen wrote:
>
> I am completely free of passions on this CC encoding thingy. I won't use this feature anyway. Please, may I suggest that the experts of the ipfw community come to an agreement, and I then I will change the implementation accordingly.
>
> Another possibility could be to attach the desired rule numbers directly to the country codes in the argument of the -t option, How about:
>
> geoip -t AU=50000:RU=50010:US=50020:BR=50030
>
> The present behaviour would be kept without attached numbers. Please let me know your choices. Furthermore, if the new ipfw allows for more sophisticated table construction directives, that could be beneficial for country code based table processing, please advice.
>
>>
>> Which has a munimum value of 0 (AA) and maximum of 25 * 26 + 25 = 675,
>> so at a spacing of 10 (less would do, but room for at least a couple in
>> between for patching) is a much smaller range of 0 .. 6750, plus offset,
>> potentially less if step size were also optional.
> I will be ready to change the encoding scheme to anything on which the community will have been agreed upon.
>
>
I think you very first idea is best
geoip -t AU:US:DE -n ${GEO_TABLE} -v ${ALLOW_VALUE} |ipfw -q /dev/stdin
we can embed that into scripts any way we want.
let's call this "done", drop it into a port and get onto more
productive things..
thanks for all the work and I already have a use for this in my home
network..
My "home" network spreads over 2 continents with VPNs etc and I
sometimes want to make sure that reaching certain sites only happens
from the exit point near the destination, due to geo blocking. I think
using geo-ip to sidestep geo blocking will be a perfect use.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?b0fb28b7-0a8b-e600-2f1f-c9933dcb643a>