On Thu, 28 Jul 2016 23:21:01 -0300, Dr. Rolf Jansen wrote:
> On 27.07.2016 at 12:31, Julian Elischer <jul...@freebsd.org> wrote:
[..]
>> wow, wonderful!
>> with that tool, and ipfw tables we have a fully functional geo
>> blocking/munging solution in about 4 lines of shell script.

> Unfortunately, I finally discovered that ipfw tables as they are, are
> unsuitable for the given purpose, because for some reason ipfw
> mangles about 20 % of the passed IP address/masklen pairs.
>
> For example:
>
> # ipfw table 1 add 201.222.20.0/20
> # ipfw table 1 list
> --> 201.222.16.0/20 0
>
> $ geoip 201.222.20.1
> --> 201.222.20.1 in 201.222.20.0-201.222.31.255 in BR
>
> $ geoip 201.222.16.1
> --> 201.222.16.1 in 201.222.16.0-201.222.19.255 in AR

Just to add to what Julian and Lee observed, testing IPs at
<http://www.viewdns.info/whois/?domain=201.222.20.1> (sourced from
LACNIC thence whois.registro.br)

    inetnum: 201.222.20/22
    aut-num: AS61902
    abuse-c: CSJ45
    owner: Bahialink - Technology
    ownerid: 004.724.687/0001-69
    country: BR

So the geoip result for 201.222.20.1 is just wrong - it should return
201.222.20.0 - 201.222.23.255 (ie, /22) and not
201.222.16.0 - 201.222.31.255 (ie, /20)

While the range for 201.222.16.1 is in fact a /22:
<http://www.viewdns.info/whois/?domain=201.222.16.1>

    [..]
    inetnum: 201.222.16/22
    status: allocated
    aut-num: N/A
    owner: G2KHosting S.A.
    ownerid: AR-GKSA-LACNIC
    responsible: Mauro Ferraro
    address: Maipu, 33,
    address: 2900 - San Nicolas de los Arroyos - BA
    country: AR

> Effectively, I asked ipfw to add an IP-range of Brazil to table 1,
> but it actually added another one which belongs to Argentina. This
> doesn't make too much sense, does it?

Not if geoip is returning the wrong address range for 201.222.20.1, no.

> For the time being I switched my servers back to geo-blocking with
> the divert filter daemon.

I don't know what's wrong or where, just that it is ..

How are you getting from geoip's IP range to /maskbits?

cheers, Ian
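
Added example (not part of the original message, and not code from the geoip tool or ipfw): a Python sketch of the range-to-prefix step asked about above. It shows that masking 201.222.20.0/20 to its network address gives the 201.222.16.0/20 entry seen in the quoted table listing, and that the range 201.222.20.0-201.222.31.255 only fits aligned prefixes when split into several blocks. The function names are hypothetical, and the addresses are the ones quoted in the thread.

```python
import ipaddress


def mask_to_network(cidr):
    """Zero the host bits of addr/len, as a prefix table does on insert."""
    return str(ipaddress.ip_network(cidr, strict=False))


def range_to_cidrs(first, last):
    """Split an inclusive IPv4 range into the minimal list of aligned CIDR blocks."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("range start is above range end")
    blocks = []
    while lo <= hi:
        # Largest block that may start at lo: its lowest set bit (2^32 for 0.0.0.0).
        size = (lo & -lo) if lo else 1 << 32
        # Shrink the block until it no longer runs past the end of the range.
        while size > hi - lo + 1:
            size >>= 1
        prefix_len = 32 - (size.bit_length() - 1)
        blocks.append(f"{ipaddress.IPv4Address(lo)}/{prefix_len}")
        lo += size
    return blocks


if __name__ == "__main__":
    # Addresses taken from the thread; the output shows why the table entry moved.
    print(mask_to_network("201.222.20.0/20"))
    for first, last in [("201.222.20.0", "201.222.31.255"),
                        ("201.222.16.0", "201.222.19.255")]:
        print(first, "-", last, "=>", " ".join(range_to_cidrs(first, last)))
```

Feeding each resulting block to the table separately keeps every entry inside the range it came from, since no block needs its base address rounded down.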