> On 27.07.2016 at 12:31, Julian Elischer <jul...@freebsd.org> wrote:
> On 27/07/2016 9:36 PM, Dr. Rolf Jansen wrote:
>>> On 26.07.2016 at 23:03, Julian Elischer <jul...@freebsd.org> wrote:
>>> On 27/07/2016 3:06 AM, Dr. Rolf Jansen wrote:
>>>> There is another tool called geoip, that I uploaded to GitHub, and that I 
>>>> use for looking up country codes by IP addresses on the command line.
>>>> 
>>>>     https://github.com/cyclaero/ipdb/blob/master/geoip.c
>>>> 
>>>> This one could easily be extended to produce sorted IP ranges per CC that 
>>>> could be fed into tables of ipfw. I am thinking of adding a command line 
>>>> option for specifying CC's for which the IP ranges should be exported, 
>>>> something like:
>>>> 
>>>>    geoip -e DE:BR:US:IT:FR:ES
>>>> 
>>>> And this could print sorted IP-Ranges belonging to the listed countries. 
>>>> For this purpose, what would be the ideal format for directly feeding the 
>>>> produced output into ipfw tables?
>>> The format for using tables directly is the same as that used for routing 
>>> tables.
>>> …
>>> table 5 add 1.1.1.0/32 1000
>>> …
>>> your application becomes an application for configuring the firewall.
>>> (which you do by feeding commands down a pipe to ipfw, which is started as 
>>> 'ipfw -q /dev/stdin')
>> I finished adding a second usage form for the geoip tool, namely generation 
>> of ipfw table construction directives filtered by country codes.
> wow, wonderful!
> 
> with that tool, and ipfw tables we have a fully functional geo 
> blocking/munging solution in about 4 lines of shell script.

Unfortunately, I finally discovered that ipfw tables, as they are, are 
unsuitable for the given purpose, because for some reason ipfw mangles about 
20% of the passed IP address/masklen pairs.

For example:

# ipfw table 1 add 201.222.20.0/20
# ipfw table 1 list
-->  201.222.16.0/20 0

$ geoip 201.222.20.1
--> 201.222.20.1 in 201.222.20.0-201.222.31.255 in BR

$ geoip 201.222.16.1
--> 201.222.16.1 in 201.222.16.0-201.222.19.255 in AR

Effectively, I asked ipfw to add an IP-range of Brazil to table 1, but it 
actually added another one which belongs to Argentina. This doesn't make too 
much sense, does it?

For the time being I switched my servers back to geo-blocking with the divert 
filter daemon.

Best regards

Rolf

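An added note and example, not part of the thread and not code from the geoip tool: the behaviour shown above is the kernel's radix table masking off host bits before insertion. 201.222.20.0/20 has bit 2 of its third octet set (20 = 16 + 4), so its host bits are not zero and the table stores the aligned network 201.222.16.0/20. The Brazilian range 201.222.20.0-201.222.31.255 is 12 consecutive /24s and cannot be written as a single prefix; it is exactly 201.222.20.0/22 plus 201.222.24.0/21. A generator that feeds ipfw therefore has to split each start-end range into aligned CIDR blocks. The program below (my own illustration; function names, the table number and the sample range are assumptions) checks whether a prefix is canonical, shows what the table would actually store, and converts a range into the minimal list of aligned blocks in the `table N add` form quoted earlier in the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* One IPv4 prefix: network address in host byte order plus mask length. */
typedef struct {
    uint32_t net;
    int      len;
} cidr_t;

/* Parse a dotted quad into a host-order uint32_t; 0 on success, -1 on error. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255) return -1;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 0;
}

/* Netmask for a prefix length 0..32. */
static uint32_t mask_of(int len)
{
    return len == 0 ? 0u : 0xffffffffu << (32 - len);
}

/* True if addr/len has all host bits clear, i.e. ipfw would store it unchanged. */
static int is_canonical(uint32_t addr, int len)
{
    return (addr & ~mask_of(len)) == 0;
}

/* What the table stores for addr/len: the address with host bits masked off. */
static uint32_t mask_to_network(uint32_t addr, int len)
{
    return addr & mask_of(len);
}

/* Split the inclusive range [lo, hi] into the minimal list of aligned CIDR
 * blocks (greedy: at each step emit the largest block that starts at lo,
 * is aligned to its own size, and does not run past hi).
 * Returns the number of blocks written to out, at most max. */
static int range_to_cidrs(uint32_t lo, uint32_t hi, cidr_t *out, int max)
{
    int n = 0;
    while (lo <= hi && n < max) {
        int len = 32;
        /* Try to widen the block one bit at a time (64-bit math avoids wrap). */
        while (len > 0) {
            uint64_t size = (uint64_t)1 << (32 - (len - 1));
            if ((lo & (size - 1)) != 0) break;        /* lo not aligned to len-1 */
            if ((uint64_t)lo + size - 1 > hi) break;  /* block would overshoot hi */
            len--;
        }
        out[n].net = lo;
        out[n].len = len;
        n++;
        uint64_t blocksize = (uint64_t)1 << (32 - len);
        if ((uint64_t)lo + blocksize - 1 >= hi) break; /* done; also avoids wrap at 255.255.255.255 */
        lo += (uint32_t)blocksize;
    }
    return n;
}

static void print_cidr(FILE *fp, const cidr_t *c)
{
    fprintf(fp, "%u.%u.%u.%u/%d", c->net >> 24, (c->net >> 16) & 0xff,
            (c->net >> 8) & 0xff, c->net & 0xff, c->len);
}

int main(void)
{
    /* Constructed sample: the Brazilian range from the thread and table 1 (assumed). */
    uint32_t lo, hi;
    if (parse_ipv4("201.222.20.0", &lo) || parse_ipv4("201.222.31.255", &hi)) return 1;

    cidr_t bad = { lo, 20 }, fixed = { mask_to_network(lo, 20), 20 };
    printf("# "); print_cidr(stdout, &bad);
    printf(" canonical? %s; the table would store ", is_canonical(lo, 20) ? "yes" : "no");
    print_cidr(stdout, &fixed); printf("\n");

    cidr_t blocks[32];
    int n = range_to_cidrs(lo, hi, blocks, 32);
    for (int i = 0; i < n; i++) {
        printf("table 1 add "); print_cidr(stdout, &blocks[i]); printf("\n");
    }
    return 0;
}
```

Piping the `table 1 add ...` lines into `ipfw -q /dev/stdin`, as suggested earlier in the thread, then inserts exactly the addresses the generator intended, since every emitted prefix is canonical.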
_______________________________________________
freebsd-ipfw@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"