Date:      Wed, 27 Jul 2016 10:36:05 -0300
From:      "Dr. Rolf Jansen" <rj@obsigna.com>
To:        freebsd-ipfw@freebsd.org
Cc:        Julian Elischer <julian@freebsd.org>
Subject:   Re: ipfw divert filter for IPv4 geo-blocking
Message-ID:  <C0CC7001-16FE-40BF-A96A-1FA51A0AFBA7@obsigna.com>
In-Reply-To: <4d76a492-17ae-cbff-f92f-5bbbb1339aad@freebsd.org>
References:  <61DFB3E2-6E34-4EEA-8AC6-70094CEACA72@cyclaero.com> <CAHu1Y739PvFqqEKE74BjzgLa7NNG6Kh55NPnU5MaA-8HsrjkFw@mail.gmail.com> <4D047727-F7D0-4BEE-BD42-2501F44C9550@obsigna.com> <c2cd797d-66db-8673-af4e-552dfa916a76@freebsd.org> <9641D08A-0501-4AA2-9DF6-D5AFE6CB2975@obsigna.com> <4d76a492-17ae-cbff-f92f-5bbbb1339aad@freebsd.org>

> On 26.07.2016 at 23:03, Julian Elischer <julian@freebsd.org> wrote:
> On 27/07/2016 3:06 AM, Dr. Rolf Jansen wrote:
>> There is another tool called geoip, that I uploaded to GitHub, and that I use for looking up country codes by IP addresses on the command line.
>> 
>>     https://github.com/cyclaero/ipdb/blob/master/geoip.c
>> 
>> This one could easily be extended to produce sorted IP ranges per CC that could be fed into tables of ipfw. I am thinking of adding a command line option for specifying CC's for which the IP ranges should be exported, something like:
>> 
>>    geoip -e DE:BR:US:IT:FR:ES
>> 
>> And this could print sorted IP-Ranges belonging to the listed countries. For this purpose, what would be the ideal format for directly feeding the produced output into ipfw tables?
> The format for using tables directly is the same as that used for routing tables.
> …
> table 5 add 1.1.1.0/32 1000
> …
> your application becomes an application for configuring the firewall.
> (which you do by feeding commands down a pipe to ipfw, which is started as 'ipfw -q /dev/stdin')

I finished adding a second usage form for the geoip tool, namely generation of ipfw table construction directives filtered by country codes.

______________
$ geoip -h
geoip v1.0.1 (16), Copyright © 2016 Dr. Rolf Jansen

Usage:

1) look-up the country code belonging to an IPv4 address given by the last command line argument:

   geoip [-r bstfile] [-h] <dotted IPv4 address>
      <IPv4 address>    a dotted IPv4 address to be looked-up.

2) generate a sorted list of IPv4 address/masklen pairs per country code, formatted as ipfw table construction directives:

   geoip -t [CC:DD:EE:..] [-n table number] [-v table value] [-r bstfile] [-h]

      -t [CC:DD:EE:..]  output all IPv4 address/masklen pairs belonging to the listed countries, given by 2 letter
                        capital country codes, separated by colon. An empty CC list means any country code.
      -n table number   the ipfw table number between 0 and 65534 [default: 0].
      -v table value    the 32-bit unsigned value of the ipfw table entry [default: 0].

valid arguments in both usage forms:

      -r bstfile        the path to the binary file with the consolidated IP ranges that has been
                        generated by the 'ipdb' tool [default: /usr/local/etc/ipdb/IPRanges/ipcc.bst].
      -h                show these usage instructions.
______________

With that, the ipfw configuration script may contain something like:

    …
    # allow only web access from DE, BR, US:
    /usr/local/bin/geoip -t DE:BR:US -n 7 | /sbin/ipfw -q /dev/stdin
    /sbin/ipfw -q add 70 deny tcp from not table\(7\) to any 80,443 in recv WAN_if setup
    …

OR, the other way around:
    …
    # deny web access from certain disgraceful regions:
    /usr/local/bin/geoip -t KO:TR:SA:RU:GB -n 66 | /sbin/ipfw -q /dev/stdin
    /sbin/ipfw -q add 70 allow tcp from not table\(66\) to any 80,443 in recv WAN_if setup
    …
____________


Best regards

Rolf
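The conversion the help text above describes, consolidated per-country IPv4 ranges turned into a sorted list of address/masklen pairs and printed as "table N add a.b.c.d/len value" directives ready for 'ipfw -q /dev/stdin', as an added example in C. This is not code from the geoip tool or from this thread: the rows in sample_ranges are constructed for the example and do not come from ipcc.bst, and the names cc_selected, range_to_cidrs and emit_table_directives are chosen here. The interesting part is range_to_cidrs, which must split an arbitrary inclusive range into the minimal set of CIDR blocks, since ipfw tables take prefixes, not start/end pairs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One consolidated IPv4 range with its country code, in the shape the
 * ipdb/geoip tools keep. Constructed sample rows for this example only,
 * kept sorted by start address as the real database is; not real allocations. */
typedef struct { const char *cc; uint32_t start; uint32_t end; } ipcc_range_t;

static const ipcc_range_t sample_ranges[] = {
    { "DE", 0x0A000000u, 0x0AFFFFFFu },   /* 10.0.0.0     - 10.255.255.255 */
    { "US", 0xAC100000u, 0xAC1FFFFFu },   /* 172.16.0.0   - 172.31.255.255 */
    { "BR", 0xC0A80105u, 0xC0A8010Au },   /* 192.168.1.5  - 192.168.1.10   */
    { "RU", 0xC6336400u, 0xC63364FFu },   /* 198.51.100.0 - 198.51.100.255 */
};
#define NRANGES (sizeof sample_ranges / sizeof sample_ranges[0])

typedef struct { uint32_t base; int len; } cidr_t;

/* Split the inclusive range [start, end] (host byte order) into the minimal
 * sorted list of CIDR prefixes. Returns the count, or -1 if out[] is too small. */
int range_to_cidrs(uint32_t start, uint32_t end, cidr_t *out, int max)
{
    uint64_t cur = start;           /* 64-bit so cur can step past 255.255.255.255 */
    int n = 0;
    while (cur <= end) {
        int len = 32;
        /* widen the prefix while the base stays aligned and the block still fits */
        while (len > 0) {
            uint64_t size = (uint64_t)1 << (33 - len);   /* block size for len-1 */
            if (cur % size != 0 || cur + size - 1 > end)
                break;
            len--;
        }
        if (n >= max)
            return -1;
        out[n].base = (uint32_t)cur;
        out[n].len = len;
        n++;
        cur += (uint64_t)1 << (32 - len);
    }
    return n;
}

/* True if the two-letter code cc is in a colon-separated list like "DE:BR:US".
 * An empty list selects every country, matching the help text for -t. */
int cc_selected(const char *list, const char *cc)
{
    if (list == NULL || *list == '\0')
        return 1;
    for (const char *p = list; *p; ) {
        const char *q = strchr(p, ':');
        size_t n = q ? (size_t)(q - p) : strlen(p);
        if (n == 2 && strncmp(p, cc, 2) == 0)
            return 1;
        p = q ? q + 1 : p + n;
    }
    return 0;
}

/* Write one "table <num> add <addr>/<len> <value>" line per prefix for every
 * selected range into buf. Returns the number of lines, or -1 if buf is too
 * small (nothing partial should ever reach the firewall). */
int emit_table_directives(const char *cclist, unsigned table, uint32_t value,
                          char *buf, size_t bufsz)
{
    size_t used = 0;
    int lines = 0;
    for (size_t i = 0; i < NRANGES; i++) {
        cidr_t cidrs[64];
        if (!cc_selected(cclist, sample_ranges[i].cc))
            continue;
        int n = range_to_cidrs(sample_ranges[i].start, sample_ranges[i].end, cidrs, 64);
        if (n < 0)
            return -1;
        for (int k = 0; k < n; k++) {
            unsigned a = cidrs[k].base;
            int w = snprintf(buf + used, bufsz - used,
                             "table %u add %u.%u.%u.%u/%d %u\n", table,
                             a >> 24, (a >> 16) & 255u, (a >> 8) & 255u, a & 255u,
                             cidrs[k].len, (unsigned)value);
            if (w < 0 || (size_t)w >= bufsz - used)
                return -1;
            used += (size_t)w;
            lines++;
        }
    }
    return lines;
}

int main(void)
{
    char buf[4096];
    int n = emit_table_directives("DE:BR:US", 7, 0, buf, sizeof buf);
    if (n < 0) {
        fputs("output buffer too small\n", stderr);
        return 1;
    }
    fputs(buf, stdout);      /* pipe this into: ipfw -q /dev/stdin */
    return 0;
}
```

Run stand-alone it prints the six directives for DE, US and BR (the 192.168.1.5-192.168.1.10 range alone needs four prefixes: /32, /31, /31, /32). Because the ranges are consumed in address order and each range is split in ascending order, the output stays sorted without a separate sort step, which is what the help text promises for -t.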





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?C0CC7001-16FE-40BF-A96A-1FA51A0AFBA7>