On 2022-12-07, Peter N. M. Hansteen <pe...@bsdly.net> wrote:
> On Wed, Dec 07, 2022 at 10:28:27AM +1100, Damian McGuckin wrote:
>> 
>> Has anybody created rules such as this and if so, do you have an example?
>
> As others have already indicated, the PF way to do anything like this would be
> to generate a list of addresses and networks you want to address (block in
> this case), feed that list into a table and make the table the criteria for a
> blocking rule.
>
> I remembered that a few years back I was asked to do something along those
> lines, I forget the exact reason why, but anyway I decided that the most
> reasonable way to determine which IP addresses or ranges belong to a certain
> country would be to fetch the most up to date data from the things RIPE
> publish.
>
> My tiny writeup which in fact contains the entire script for massaging RIPE's
> data into something you can feed into a PF table survived a couple of job
> changes and can now be found at
> https://nxdomain.no/~peter/ripe2cidr_country.sh.txt -- as it says in the
> script itself, a trivial hack.

# 16777216 -> /8 (Not actually found in RIPE data but with ARIN who knows)

btw there are /8's in the RIPE file now. Also prefix lengths smaller than
/26, even down to single addresses, so the subst will need some tweaks to
cover those.

> It is for example quite conceivable that an organization with premises in more
> than one country might want to split their allocations not strictly according
> to national borders.

And other specialities like anycast addresses, and as it's user-supplied
data it can't be completely relied upon. It changes often too; people using
this will want to arrange to keep it updated; allocations do change and
can move between countries (and, these days, even between regions).

It's likely that the output can be shrunk further by passing it through
aggregate6 (in ports).

-- 
Please keep replies on the mailing list.
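Added example, not part of this thread and not Peter's script: a small Python reimplementation of the count-to-prefix step that the thread discusses, covering the two points raised above (counts other than the handful the script's subst knows about, including /8s and single addresses, and shrinking the output by merging adjacent prefixes the way aggregate6 does). It assumes the RIPE delegated-stats layout `registry|cc|type|start|value|date|status[|opaque-id]`, and the filter on `allocated`/`assigned` status is an assumption about which lines a blocking table should include. The sample data is constructed and uses documentation/private ranges, not real allocations.

```python
import ipaddress
from typing import List

# Constructed sample in the delegated-stats layout (NOT real RIPE data).
# Line 1 is the file header, line 2 a summary line; both must be skipped.
SAMPLE = """\
2|ripencc|20221207|5|19920101|20221207|+0100
ripencc|*|ipv4|*|5|summary
ripencc|NO|ipv4|192.0.2.0|256|20100101|allocated|hyp-1
ripencc|NO|ipv4|192.0.3.0|256|20100101|allocated|hyp-2
ripencc|NO|ipv4|198.51.100.0|384|20120101|assigned|hyp-3
ripencc|NO|ipv4|203.0.113.7|1|20150101|assigned|hyp-4
ripencc|SE|ipv4|10.0.0.0|16777216|20000101|allocated|hyp-5
"""

# Statuses treated as "in use" (assumption; the real file also has
# "available" and "reserved", which should not end up in a block table).
IN_USE = ("allocated", "assigned")


def range_to_cidrs(start: str, count: int) -> List[ipaddress.IPv4Network]:
    """Turn start address + host count into the minimal list of aligned
    CIDR blocks. This replaces a hand-maintained count -> prefix table:
    256 -> /24, 16777216 -> /8, 1 -> /32, and a count that is not a power
    of two (384 here) or not aligned is split into several blocks."""
    first = ipaddress.IPv4Address(start)
    last = first + (count - 1)
    return list(ipaddress.summarize_address_range(first, last))


def delegated_to_cidrs(text: str, cc: str) -> List[ipaddress.IPv4Network]:
    """Select the IPv4 lines for one country code and emit CIDR blocks."""
    nets: List[ipaddress.IPv4Network] = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        # Header (field 2 is a date) and summary lines (6 fields) drop out here.
        if len(fields) < 7 or fields[2] != "ipv4" or fields[1] != cc:
            continue
        if fields[6] not in IN_USE:
            continue
        nets.extend(range_to_cidrs(fields[3], int(fields[4])))
    return nets


def aggregate(nets: List[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Merge adjacent and overlapping prefixes (what aggregate6 does),
    e.g. 192.0.2.0/24 + 192.0.3.0/24 -> 192.0.2.0/23."""
    return list(ipaddress.collapse_addresses(nets))


def pf_table_lines(nets: List[ipaddress.IPv4Network]) -> str:
    """One prefix per line, the form `pfctl -t <name> -T replace -f` reads."""
    return "\n".join(str(n) for n in nets) + "\n"


if __name__ == "__main__":
    print(pf_table_lines(aggregate(delegated_to_cidrs(SAMPLE, "NO"))))
```

Because allocations move between countries (and regions), the table file this produces is only as current as the delegated-stats snapshot it was built from; regenerate it on a schedule and load it with `-T replace` rather than appending.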