On 2016-07-27 23:15, Dr. Rolf Jansen wrote:
>> On 27.07.2016 at 17:08, olli hauer <oha...@gmx.de> wrote:
>> On 2016-07-27 15:36, Dr. Rolf Jansen wrote:
>>>
>>> I finished adding a second usage form for the geoip tool, namely generation 
>>> of ipfw table construction directives filtered by country codes.
>>>
>>> ______________
>>> $ geoip -h
>>> geoip v1.0.1 (16), Copyright © 2016 Dr. Rolf Jansen
>>>
>>> Usage:
>>>
>>> 1) look-up the country code belonging to an IPv4 address given by the last command line argument:
>>>
>>>   geoip [-r bstfile] [-h] <dotted IPv4 address>
>>>      <IPv4 address>    a dotted IPv4 address to be looked-up.
>>>
>>> 2) generate a sorted list of IPv4 address/masklen pairs per country code, formatted as ipfw table construction directives:
>>>
>>>   geoip -t [CC:DD:EE:..] [-n table number] [-v table value] [-r bstfile] [-h]
>>>
>>>      -t [CC:DD:EE:..]  output all IPv4 address/masklen pairs belonging to the listed countries, given by 2 letter
>>>                        capital country codes, separated by colon. An empty CC list means any country code.
>>>      -n table number   the ipfw table number between 0 and 65534 [default: 0].
>>>      -v table value    the 32-bit unsigned value of the ipfw table entry [default: 0].
>>>
>>> valid arguments in both usage forms:
>>>
>>>      -r bstfile        the path to the binary file with the consolidated IP ranges that have been
>>>                        generated by the 'ipdb' tool [default: /usr/local/etc/ipdb/IPRanges/ipcc.bst].
>>>      -h                show these usage instructions.
>>> ______________
>>>
>>> With that, the ipfw configuration script may contain something like:
>>>
>>>    …
>>>    # allow only web access from DE, BR, US:
>>>    /usr/local/bin/geoip -t DE:BR:US -n 7 | /sbin/ipfw -q /dev/stdin
>>>    /sbin/ipfw -q add 70 deny tcp from not table\(7\) to any 80,443 in recv WAN_if setup
>>>    …
>>>
>>> OR, the other way around:
>>>    …
>>>    # deny web access from certain disgraceful regions:
>>>    /usr/local/bin/geoip -t KO:TR:SA:RU:GB -n 66 | /sbin/ipfw -q /dev/stdin
>>>    /sbin/ipfw -q add 70 allow tcp from not table\(66\) to any 80,443 in recv WAN_if setup
>>>    …
>>> ____________
>>
>> Nice work :)
>>
>> Now it is also possible to use geoip to create files usable for pf.
>> (just pipe the output through sed -e 's/table 0 add //')
>>
>> Perhaps the following diff for Makefile is useful.
>> - use PREFIX instead of a hard-coded path
>> - use "install -s" instead of "strip -x -o"
>> - use "install -m" instead of "cp ; chmod"
> 
> I changed the Makefile according to your suggestions, and I added another 
> command line option to the geoip tool:
> 
> …
>       -p   plain IP table generation, i.e. without ipfw construction directives, -n and -v flags are ignored.
> …
> 
> The changes are already uploaded to GitHub.


Thank you :)

-- 
Regards,
olli
_______________________________________________
freebsd-ipfw@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
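As an added example (not code from the geoip project or from either poster), a POSIX sh function that generalises the `sed -e 's/table 0 add //'` idea from the thread for pf: it strips the ipfw directive for any table number, not only 0, and validates each prefix so that a malformed line stops the conversion instead of being handed to `ipfw -q /dev/stdin` or `pfctl`. It assumes geoip's `-t` output has the form `table N add a.b.c.d/m [value]`; the sample lines are constructed.

```shell
#!/bin/sh
# Constructed sample in the assumed "table N add a.b.c.d/m [value]" format.
# The last line carries an impossible octet (300) to show the rejection path.
SAMPLE='table 7 add 46.0.0.0/8 0
table 7 add 177.0.0.0/8 0
table 9 add 1.0.0.0/8 0
table 7 add 300.1.2.0/24 0'

# ipfw_to_pf TABLE: read ipfw table directives on stdin, print only the
# "a.b.c.d/m" entries of table TABLE (one per line, pf table-file syntax),
# silently skip entries of other tables, and exit 1 on any malformed line.
ipfw_to_pf() {
    awk -v want="$1" '
    function valid_cidr(cidr,   parts, octets, i) {
        if (split(cidr, parts, "/") != 2) return 0
        if (parts[2] !~ /^[0-9]+$/ || parts[2] + 0 > 32) return 0
        if (split(parts[1], octets, ".") != 4) return 0
        for (i = 1; i <= 4; i++)
            if (octets[i] !~ /^[0-9]+$/ || octets[i] + 0 > 255) return 0
        return 1
    }
    # every line must be "table N add prefix" with an optional value field
    $1 != "table" || $3 != "add" || NF < 4 || NF > 5 { bad = 1; exit }
    $2 == want { if (!valid_cidr($4)) { bad = 1; exit }; print $4 }
    END { exit bad ? 1 : 0 }'
}

# Demonstration: write the table file only when every line converted cleanly,
# so a broken geoip run never replaces a working pf table.
tmp="/tmp/geo.tbl.$$"
if printf '%s\n' "$SAMPLE" | ipfw_to_pf 7 > "$tmp"; then
    echo "ok: $(wc -l < "$tmp") entries, load with: pfctl -t geo -T replace -f $tmp"
else
    echo "rejected: malformed geoip output, pf table left unchanged" >&2
fi
rm -f "$tmp"
```

With a clean conversion the resulting file can be referenced from pf.conf as `table <geo> persist file "/path/to/file"` and refreshed with `pfctl -t geo -T replace -f`.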