Date:      Fri, 5 Aug 2016 09:10:23 -0300
From:      "Dr. Rolf Jansen" <rj@obsigna.com>
To:        freebsd-ipfw@freebsd.org
Subject:   Re: your thoughts on a particualar ipfw action.
Message-ID:  <F3D40C57-831D-4A7C-B84B-8DA34E4DC701@obsigna.com>
In-Reply-To: <7486c7ce-49db-b6b9-a6bb-13f04b4ce6d6@freebsd.org>
References:  <20160805024301.H56585@sola.nimnet.asn.au> <B26AAEC0-593A-46D9-A22F-F6B4B78E7E8E@obsigna.com> <7486c7ce-49db-b6b9-a6bb-13f04b4ce6d6@freebsd.org>

> On 05.08.2016 at 02:44, Julian Elischer <julian@freebsd.org> wrote:
> On 5/08/2016 2:22 AM, Dr. Rolf Jansen wrote:
>> I am completely free of passions on this CC encoding thingy. I won't use this feature anyway. Please, may I suggest that the experts of the ipfw community come to an agreement, and then I will change the implementation accordingly.
>>
>> Another possibility could be to attach the desired rule numbers directly to the country codes in the argument of the -t option. How about:
>>
>>   geoip -t AU=50000:RU=50010:US=50020:BR=50030
>>
>> The present behaviour would be kept without attached numbers. Please let me know your choices. Furthermore, if the new ipfw allows for more sophisticated table construction directives that could be beneficial for country code based table processing, please advise.
>
> I can hear the exasperation in your writing :-)

Not exactly 'exasperation'. Moving targets are always kind of unpleasant - at least for me; perhaps I am not a sufficiently patient hunter :-)

> I've lost track..
> Was the present behaviour just a single value? Or a generated number with -x offset? (Not sure if you actually added that or just described it.)

I meant, geoip would continue allowing a -t option argument without numbers, for example -t AU:RU:US:BR, and in that case it would continue with its present behaviour (mutually exclusive, either -v XOR -x):

-v <fixed value> # default 0
-x <offset>      # in val = (C1-60)*1000 + C2*10 + offset

The -v and -x options as above are already on GitHub; the x-formula can be changed quickly.

> Your "US=50020" idea is nice but a lot of work I think for you.

Not that much work. I like this one as well, because this is the most explicit way that I can imagine of associating a rule/action number with a country code.

I figure that any kind of x-formula lets people shoot themselves in the foot one day or the other. Imagine you set up your sophisticated rule set in 2016 and in 2017 a colleague is asked by the boss to add another country code. The trouble may start with him/her forgetting to add an action rule for the implicitly generated table argument, and it does not end with a possible violation of the implicitly reserved rule number range.

> I guess you would do it with a script
> geoip -t US=${LINE_US} | ipfw -q /dev/stdin
> ipfw add ${LINE_US} drop all tcp from any to any 80
> ipfw add $((${LINE_US} + 1)) skipto ${FINISH_UP}

Yes, why not? The nice thing about the "CC=nnnnn:..." feature is that it is already useful as is, and that it is open for any further sophistication with shell script magic.

> probably in a shell function
> It would also allow you to put 'action numbers' rather than line numbers, as it doesn't interpret the values, just passes them through.
>
> On the other hand, the same thing can be achieved by embedding geoip in a loop in a script.
> I think we should just let you get on with your life and be happy with what you have given us: mapping a set of country codes to a number. I can always make more complicated setups using that and 15 minutes of shell script.

Yes, for us this is not a big deal. However, once this stuff is in the ports, I have to take into account the work of answering questions from the non-enlightened folks on how to achieve the mapping between rule numbers and country codes. Perhaps it is less hassle to simply add the "CC=nnnnn:..." feature and move on.


BTW:

In the course of preparing the package for the ports, I am now working on a man file for the geoip db utilities (geoip, ipdb and ipdb-update.sh). I want to put it in section 1 - General Commands, OK?

Shall I remove the geod ipfw divert filter daemon from the distribution for the ports?

My initial incentive was Geo-blocking. However, I learned from your VPN usage example (in your other message) that these utilities may quite well serve other objectives. Now I am looking for a package title that suggests a wider range of applications.

How about:

  "Utilities for IP based Geo-blocking/routing with IPFW"


Best regards

Rolf
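Added example after the message, not code from the geoip utilities or from either writer: a POSIX sh sketch of the explicit "CC=nnnnn:..." -t form discussed above, with the checks an administrator would want before the generated rules reach ipfw (unique numbers, the 1..65535 rule range, a bare code falling back to the -x formula). C1 and C2 in the -x formula are assumed here to be the ASCII codes of the two letters; the deny/skipto rule pair and the 60000 stand-in for FINISH_UP are constructed from Julian's sketch.

```shell
#!/bin/sh
# Added example, not code from the geoip utilities discussed in the thread.
# Models the two -t forms under discussion: a bare "AU:RU" list, whose table
# values come from the -x formula, and the explicit "AU=50000:RU=50010" form.
# Every number is checked before any ipfw rule is emitted, so a later edit
# cannot land on a used or out-of-range rule number or lack its action rule.

# -x formula as quoted in the thread: val = (C1-60)*1000 + C2*10 + offset.
# Assumption: C1 and C2 are the ASCII codes of the two country-code letters.
geoip_x_value() {
    cc=$1 offset=${2:-0}
    c1=$(printf '%d' "'${cc%?}")   # first letter as a number, 'A' -> 65
    c2=$(printf '%d' "'${cc#?}")   # second letter, 'U' -> 85
    echo $(( (c1 - 60) * 1000 + c2 * 10 + offset ))
}

# Turn a -t argument into "CC NUMBER" lines. A bare code falls back to the
# -x value (offset in $2). Rejects malformed codes, numbers outside ipfw's
# rule range 1..65535 and duplicates. Runs in a subshell so IFS does not leak.
geoip_t_parse() (
    IFS=: seen=' '
    for item in $1; do
        cc=${item%%=*}
        if [ "$item" = "$cc" ]; then
            num=$(geoip_x_value "$cc" "${2:-0}")
        else
            num=${item#*=}
        fi
        case $cc in [A-Z][A-Z]) ;; *) echo "bad country code '$cc'" >&2; exit 1 ;; esac
        # leading zeros are rejected too, so $((...)) never reads them as octal
        case $num in ''|0*|*[!0-9]*) echo "bad rule number for $cc: '$num'" >&2; exit 1 ;; esac
        [ "$num" -gt 65535 ] && { echo "rule number $num for $cc above 65535" >&2; exit 1; }
        case $seen in *" $num "*) echo "duplicate rule number $num ($cc)" >&2; exit 1 ;; esac
        seen="$seen$num "
        printf '%s %s\n' "$cc" "$num"
    done
)

# Emit the rule pair Julian sketched for every mapping (the table itself is
# left to geoip). Pipe into "ipfw -q /dev/stdin"; $2 is the FINISH_UP rule.
geoip_rules() {
    list=$(geoip_t_parse "$1") || return 1
    printf '%s\n' "$list" | while read -r cc num; do
        printf 'add %s deny tcp from any to any 80 // %s\n' "$num" "$cc"
        printf 'add %s skipto %s\n' "$((num + 1))" "$2"
    done
}

# Demo with the four codes from the thread; 60000 stands in for FINISH_UP.
geoip_rules 'AU=50000:RU=50010:US=50020:BR=50030' 60000
```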