On 27/07/2016 9:36 PM, Dr. Rolf Jansen wrote:
Am 26.07.2016 um 23:03 schrieb Julian Elischer <[email protected]>:
On 27/07/2016 3:06 AM, Dr. Rolf Jansen wrote:
There is another tool called geoip , that I uploaded to GitHub, and that I use
for looking up country codes by IP addresses on the command line.
https://github.com/cyclaero/ipdb/blob/master/geoip.c
This one could easily be extended to produce sorted IP ranges per CC that could
be fed into tables of ipfw. I am thinking of adding a command line option for
specifying CC's for which the IP ranges should be exported, something like:
geoip -e DE:BR:US:IT:FR:ES
And this could print sorted IP-Ranges belonging to the listed countries. For
this purpose, what would be the ideal format for directly feeding the produced
output into ipfw tables?
The format for using tables directly is the same as that used for routing
tables.
…
table 5 add 1.1.1.0/32 1000
…
your application becomes an application for configuring the firewall.
(which you do by feeding commands down a pipe to ipfw, which is started as
'ipfw -q /dev/stdin')
I finished adding a second usage form for the geoip tool, namely generation of
ipfw table construction directives filtered by country codes.
wow, wonderful!
with that tool, and ipfw tables we have a fully functional geo
blocking/munging solution in about 4 lines of shell script.
______________
$ geoip -h
geoip v1.0.1 (16), Copyright © 2016 Dr. Rolf Jansen
Usage:
1) look-up the country code belonging to an IPv4 address given by the last
command line argument:
geoip [-r bstfile] [-h] <dotted IPv4 address>
<IPv4 address> a dotted IPv4 address to be looked-up.
2) generate a sorted list of IPv4 address/masklen pairs per country code,
formatted as ipfw table construction directives:
geoip -t [CC:DD:EE:..] [-n table number] [-v table value] [-r bstfile] [-h]
-t [CC:DD:EE:..] output all IPv4 address/masklen pairs belonging to the
listed countries, given by 2 letter
capital country codes, separated by colon. An empty CC
list means any country code.
-n table number the ipfw table number between 0 and 65534 [default: 0].
-v table value the 32-bit unsigned value of the ipfw table entry
[default: 0].
valid arguments in both usage forms:
-r bstfile the path to the binary file with the consolidated IP
ranges that has been generated by the 'ipdb' tool
[default: /usr/local/etc/ipdb/IPRanges/ipcc.bst].
-h show these usage instructions.
______________
With that, the ipfw configuration script may contain something like:
…
# allow only web access from DE, BR, US:
/usr/local/bin/geoip -t DE:BR:US -n 7 | /sbin/ipfw -q /dev/stdin
/sbin/ipfw -q add 70 deny tcp from not table\(7\) to any 80,443 in recv WAN_if setup
…
OR, the other way around:
…
# deny web access from certain disgraceful regions:
/usr/local/bin/geoip -t KO:TR:SA:RU:GB -n 66 | /sbin/ipfw -q /dev/stdin
/sbin/ipfw -q add 70 allow tcp from not table\(66\) to any 80,443 in recv WAN_if setup
…
____________
Best regards
Rolf
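The following is an added illustration, not code from the thread, the geoip tool or ipfw: it stands in for what `geoip -t CC:DD -n N` does, turning consolidated IP ranges tagged with country codes into the `table N add addr/len value` directives that `ipfw -q /dev/stdin` reads, and emits the rule line for both patterns shown above. The range list is constructed sample data (documentation prefixes), the interface name `em0` is an assumption, and the range-to-CIDR split uses Python's `ipaddress` module rather than the bst file format.

```python
# Added illustration (not the geoip tool's or ipfw's own code): turn a
# constructed list of consolidated IPv4 ranges tagged with country codes into
# the "table N add addr/len value" directives that ipfw reads from /dev/stdin,
# and build the matching rule line for the two patterns shown in the thread.
import ipaddress


# Constructed sample data standing in for the ipcc.bst ranges:
# (first address, last address, two-letter country code).
SAMPLE_RANGES = [
    ("203.0.113.0", "203.0.113.255", "DE"),
    ("198.51.100.0", "198.51.100.127", "BR"),
    ("198.51.100.128", "198.51.100.255", "US"),
    ("192.0.2.0", "192.0.2.63", "US"),
    ("192.0.2.64", "192.0.2.95", "FR"),
    # Not aligned to a single CIDR block: must be split into several entries.
    ("192.0.2.100", "192.0.2.110", "DE"),
]


def parse_cc_list(cc_list):
    """'DE:BR:US' -> {'DE', 'BR', 'US'}; an empty list means any country,
    matching the -t option semantics in the usage text."""
    codes = {cc.strip().upper() for cc in cc_list.split(":") if cc.strip()}
    for cc in codes:
        if len(cc) != 2 or not cc.isalpha():
            raise ValueError(f"bad country code: {cc!r}")
    return codes


def ranges_to_networks(ranges, cc_list):
    """Select the ranges of the wanted countries and split each into the
    minimal set of CIDR blocks (address/masklen pairs), sorted by address."""
    wanted = parse_cc_list(cc_list)
    nets = []
    for first, last, cc in ranges:
        if wanted and cc.upper() not in wanted:
            continue
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        if hi < lo:
            raise ValueError(f"inverted range {first}-{last}")
        nets.extend(ipaddress.summarize_address_range(lo, hi))
    return sorted(nets)


def table_directives(ranges, cc_list, table=0, value=0):
    """Lines in the form ipfw accepts on stdin: 'table <n> add <addr/len> <value>'.
    Bounds mirror the -n and -v limits stated in the usage text."""
    if not 0 <= table <= 65534:
        raise ValueError("ipfw table number must be between 0 and 65534")
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("table value must be a 32-bit unsigned integer")
    return [f"table {table} add {net.with_prefixlen} {value}"
            for net in ranges_to_networks(ranges, cc_list)]


def web_rule(table, rule_number, wan_if, listed_countries_allowed=True):
    """Shell-script line for the rule that pairs with the table. With
    listed_countries_allowed=True this is the 'allow only' form (deny what is
    NOT in the table); with False it is the 'deny listed regions' form that
    allows everything not in the table. The backslashes keep the shell from
    treating the parentheses as a subshell, exactly as in the thread."""
    action = "deny" if listed_countries_allowed else "allow"
    return (f"/sbin/ipfw -q add {rule_number} {action} tcp from not "
            f"table\\({table}\\) to any 80,443 in recv {wan_if} setup")


def config_script(ranges, cc_list, table, rule_number, wan_if,
                  listed_countries_allowed=True):
    """Whole shell fragment: fill the table through 'ipfw -q /dev/stdin'
    (a here-document replaces the geoip pipe), then add the rule."""
    lines = ["/sbin/ipfw -q /dev/stdin <<'EOF'"]
    lines += table_directives(ranges, cc_list, table)
    lines.append("EOF")
    lines.append(web_rule(table, rule_number, wan_if, listed_countries_allowed))
    return "\n".join(lines)


if __name__ == "__main__":
    # Allow-only form for DE, BR, US on table 7; 'em0' is an assumed WAN interface.
    print(config_script(SAMPLE_RANGES, "DE:BR:US", 7, 70, "em0"))
```

Feeding the directives through `/dev/stdin` in one batch matters for the same reason the thread gives: the table is filled before the rule that references it is installed, so there is no window in which the rule exists with an empty table.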
_______________________________________________
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[email protected]"