On Wed, Dec 07, 2022 at 10:28:27AM +1100, Damian McGuckin wrote:
>
> Has anybody created rules such as this and if so, do you have an example?
As others have already indicated, the PF way to do anything like this would be to generate a list of addresses and networks you want to address (block in this case), feed that list into a table and make the table the criterion for a blocking rule.

I remembered that a few years back I was asked to do something along those lines. I forget the exact reason why, but anyway I decided that the most reasonable way to determine which IP addresses or ranges belong to a certain country would be to fetch the most up-to-date data from the things RIPE publish.

My tiny writeup, which in fact contains the entire script for massaging RIPE's data into something you can feed into a PF table, survived a couple of job changes and can now be found at https://nxdomain.no/~peter/ripe2cidr_country.sh.txt -- as it says in the script itself, a trivial hack.

And I might add, it comes with *NO* warranties of any kind. It is for example quite conceivable that an organization with premises in more than one country might want to split their allocations not strictly according to national borders.

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
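The two steps Peter describes, turning the per-country data into CIDR prefixes and then pointing a blocking rule at a table loaded from that list, as an added example. This is not Peter's ripe2cidr_country.sh and not taken from the thread; it assumes the input is in the delegated-stats format the RIRs publish (`registry|cc|type|start|value|date|status`, where `value` is an address count for ipv4 and a prefix length for ipv6), and the sample lines, the table name `blocked_cc` and the file path are all made up for illustration. It goes slightly beyond the text in that it also splits address counts that are not a single power of two (the 768-address line below) into the aligned blocks a PF table will accept.

```shell
#!/bin/sh
# Added example, not the poster's ripe2cidr_country.sh. It assumes the input is
# in the delegated-stats format the RIRs publish
# (registry|cc|type|start|value|date|status), where for ipv4 "value" is a
# count of addresses and for ipv6 it is a prefix length. The sample lines,
# the table name and the file path below are hypothetical.

# Constructed sample of delegated-stats lines (RFC 5737 / RFC 3849
# documentation space, not real allocations). A summary line is included
# because the real files carry them and they must be skipped.
SAMPLE_DATA='ripencc|NO|ipv4|192.0.2.0|256|20220101|allocated
ripencc|NO|ipv4|198.51.100.0|768|20220101|assigned
ripencc|SE|ipv4|203.0.113.0|256|20220101|allocated
ripencc|NO|ipv6|2001:db8::|32|20220101|allocated
ripencc|*|ipv4|*|12345|summary'

# ripe_cc_to_cidr CC  <  delegated-stats-lines
# Prints one CIDR prefix per line for the given ISO country code. IPv4
# address counts that are not a single power of two (768 above) are split
# into aligned power-of-two blocks, which is what a PF table file needs.
ripe_cc_to_cidr() {
    awk -F '|' -v cc="$1" '
        $2 != cc { next }                 # other countries and "*" summary lines
        $3 == "ipv4" {
            split($4, o, ".")
            a = ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]   # start address as integer
            n = $5 + 0                                            # number of addresses
            while (n > 0) {
                # largest power-of-two block that is aligned at a and fits in n
                size = 1; bits = 0
                while (size * 2 <= n && a % (size * 2) == 0) { size *= 2; bits++ }
                printf "%d.%d.%d.%d/%d\n",
                    int(a / 16777216) % 256, int(a / 65536) % 256,
                    int(a / 256) % 256, a % 256, 32 - bits
                a += size; n -= size
            }
        }
        $3 == "ipv6" { print $4 "/" $5 }  # value is already a prefix length
    '
}

# pf_block_fragment TABLE FILE
# Prints the pf.conf lines that load FILE into TABLE and block inbound
# traffic from it. Table and file names are hypothetical.
pf_block_fragment() {
    printf 'table <%s> persist file "%s"\n' "$1" "$2"
    printf 'block in quick on egress from <%s> to any\n' "$1"
}

# Stand-alone demo: prefixes for NO, then the rules that would use them.
printf '%s\n' "$SAMPLE_DATA" | ripe_cc_to_cidr NO
pf_block_fragment blocked_cc /etc/pf/blocked_cc.txt
```

In practice the first function's output would be written to the file named in the `table` line, and after each refresh of the RIR data the running table can be swapped without a full ruleset reload with `pfctl -t blocked_cc -T replace -f /etc/pf/blocked_cc.txt`. Peter's caveat still applies: the country code in these files is the one the holder registered, not a guarantee of where every address is used.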