Re: ipfw divert filter for IPv4 geo-blocking

2016-08-01 Thread Julian Elischer
On 1/08/2016 7:16 PM, Dr. Rolf Jansen wrote: Am 01.08.2016 um 03:17 schrieb Julian Elischer : On 30/07/2016 10:17 PM, Dr. Rolf Jansen wrote: I finished the work on CIDR conformity of the IP ranges tables generated by the tool geoip. The main constraint is that the start and

Re: ipfw divert filter for IPv4 geo-blocking

2016-08-01 Thread Dr. Rolf Jansen
> Am 01.08.2016 um 03:17 schrieb Julian Elischer : > On 30/07/2016 10:17 PM, Dr. Rolf Jansen wrote: >> I finished the work on CIDR conformity of the IP ranges tables generated by >> the tool geoip. The main constraint is that the start and end address of an >> IP block given

Re: ipfw divert filter for IPv4 geo-blocking

2016-08-01 Thread Julian Elischer
On 30/07/2016 10:17 PM, Dr. Rolf Jansen wrote: Am 29.07.2016 um 10:23 schrieb Dr. Rolf Jansen : Am 29.07.2016 um 06:50 schrieb Julian Elischer : On 29/07/2016 5:22 PM, Julian Elischer wrote: On 29/07/2016 4:53 PM, Dr. Rolf Jansen wrote: Am 28.07.2016 um

Re: ipfw divert filter for IPv4 geo-blocking

2016-08-01 Thread Julian Elischer
On 30/07/2016 10:17 PM, Dr. Rolf Jansen wrote: I am still a little bit amazed how ipfw come to accept incorrect CIDR ranges and arbitrarily moves the start/end addresses in order to achieve CIDR conformity, and that without any further notice, and that given that ipfw can be considered as

Re: ipfw divert filter for IPv4 geo-blocking

2016-07-31 Thread Dr. Rolf Jansen
> Am 31.07.2016 um 15:38 schrieb Ian Smith : > On Sat, 30 Jul 2016 11:17:13 -0300, Dr. Rolf Jansen wrote: >> I finished the work on CIDR conformity of the IP ranges tables >> generated by the tool geoip. The main constraint is that the start >> and end address of an IP

Re: ipfw divert filter for IPv4 geo-blocking

2016-07-31 Thread Ian Smith
On Sat, 30 Jul 2016 11:17:13 -0300, Dr. Rolf Jansen wrote: > I finished the work on CIDR conformity of the IP ranges tables > generated by the tool geoip. The main constraint is that the start > and end address of an IP block given by the delegation files MUST BE > PRESERVED during the

Re: ipfw divert filter for IPv4 geo-blocking

2016-07-30 Thread Dr. Rolf Jansen
> Am 29.07.2016 um 10:23 schrieb Dr. Rolf Jansen : >> Am 29.07.2016 um 06:50 schrieb Julian Elischer : >> On 29/07/2016 5:22 PM, Julian Elischer wrote: >>> On 29/07/2016 4:53 PM, Dr. Rolf Jansen wrote: > Am 28.07.2016 um 23:48 schrieb Lee Brown

Re: ipfw divert filter for IPv4 geo-blocking

2016-07-29 Thread Dr. Rolf Jansen
> Am 29.07.2016 um 06:50 schrieb Julian Elischer : > On 29/07/2016 5:22 PM, Julian Elischer wrote: >> On 29/07/2016 4:53 PM, Dr. Rolf Jansen wrote: Am 28.07.2016 um 23:48 schrieb Lee Brown : That makes sense to me. Your /20 range encompasses

Re: ipfw divert filter for IPv4 geo-blocking

2016-07-29 Thread Ian Smith
On Thu, 28 Jul 2016 23:21:01 -0300, Dr. Rolf Jansen wrote: > Am 27.07.2016 um 12:31 schrieb Julian Elischer : [..] >> wow, wonderful! >> with that tool, and ipfw tables we have a fully functional geo >> blocking/munging solution in about 4 lines of shell script. >

Re: ipfw divert filter for IPv4 geo-blocking

2016-07-28 Thread Julian Elischer
On 29/07/2016 10:48 AM, Lee Brown wrote: That makes sense to me. Your /20 range encompasses 201.222.16.0 - 201.222.31.255. If you want 201.222.20.0-201.222.31.255, you'll need 3 ranges: whether it makes sense depends on whether you add the other ranges as well with the default result. Your

Re: ipfw divert filter for IPv4 geo-blocking

2016-07-28 Thread Lee Brown
That makes sense to me. Your /20 range encompasses 201.222.16.0 - 201.222.31.255. If you want 201.222.20.0-201.222.31.255, you'll need 3 ranges: 201.222.20.0/22 (201.222.20.0-201.222.23.255) 201.222.24.0/22 (201.222.24.0-201.222.27.255) 201.222.28.0/22 (201.222.28.0-201.222.31.255) this

Re: ipfw divert filter for IPv4 geo-blocking

2016-07-28 Thread Dr. Rolf Jansen
> Am 27.07.2016 um 12:31 schrieb Julian Elischer : > On 27/07/2016 9:36 PM, Dr. Rolf Jansen wrote: >>> Am 26.07.2016 um 23:03 schrieb Julian Elischer : >>> On 27/07/2016 3:06 AM, Dr. Rolf Jansen wrote: There is another tool called geoip , that I

Re: ipfw divert filter for IPv4 geo-blocking

2016-07-27 Thread olli hauer
On 2016-07-27 23:15, Dr. Rolf Jansen wrote: >> Am 27.07.2016 um 17:08 schrieb olli hauer : >> On 2016-07-27 15:36, Dr. Rolf Jansen wrote: >>> >>> I finished adding a second usage form for the geoip tool, namely generation >>> of ipfw table construction directives filtered by

Re: ipfw divert filter for IPv4 geo-blocking

2016-07-27 Thread Dr. Rolf Jansen
> Am 27.07.2016 um 17:08 schrieb olli hauer : > On 2016-07-27 15:36, Dr. Rolf Jansen wrote: >> >> I finished adding a second usage form for the geoip tool, namely generation >> of ipfw table construction directives filtered by country codes. >> >> __ >> $ geoip -h >>

Re: ipfw divert filter for IPv4 geo-blocking

2016-07-27 Thread olli hauer
On 2016-07-27 15:36, Dr. Rolf Jansen wrote: >> Am 26.07.2016 um 23:03 schrieb Julian Elischer : >> On 27/07/2016 3:06 AM, Dr. Rolf Jansen wrote: >>> There is another tool called geoip , that I uploaded to GitHub, and that I >>> use for looking up country codes by IP addresses

Re: ipfw divert filter for IPv4 geo-blocking

2016-07-27 Thread Julian Elischer
trimming On 27/07/2016 11:51 PM, Ian Smith wrote: On Wed, 27 Jul 2016 10:03:01 +0800, Julian Elischer wrote: [...] > country without changing everything else. > (the downside is that dynamic skipto's are not very efficient as they do a > linear search of the rules, where static

Re: ipfw divert filter for IPv4 geo-blocking

2016-07-27 Thread Ian Smith
On Wed, 27 Jul 2016 10:03:01 +0800, Julian Elischer wrote: > On 27/07/2016 3:06 AM, Dr. Rolf Jansen wrote: > > > Am 26.07.2016 um 13:23 schrieb Julian Elischer : > > > On 26/07/2016 1:41 AM, Dr. Rolf Jansen wrote: > > > > Once a week, the IP ranges are compiled from

Re: ipfw divert filter for IPv4 geo-blocking

2016-07-27 Thread Julian Elischer
On 27/07/2016 9:36 PM, Dr. Rolf Jansen wrote: Am 26.07.2016 um 23:03 schrieb Julian Elischer : On 27/07/2016 3:06 AM, Dr. Rolf Jansen wrote: There is another tool called geoip , that I uploaded to GitHub, and that I use for looking up country codes by IP addresses on the

Re: ipfw divert filter for IPv4 geo-blocking

2016-07-27 Thread Dr. Rolf Jansen
> Am 26.07.2016 um 23:03 schrieb Julian Elischer : > On 27/07/2016 3:06 AM, Dr. Rolf Jansen wrote: >> There is another tool called geoip , that I uploaded to GitHub, and that I >> use for looking up country codes by IP addresses on the command line. >> >>

Re: ipfw divert filter for IPv4 geo-blocking

2016-07-26 Thread Julian Elischer
On 27/07/2016 3:06 AM, Dr. Rolf Jansen wrote: Am 26.07.2016 um 13:23 schrieb Julian Elischer : On 26/07/2016 1:41 AM, Dr. Rolf Jansen wrote: Once a week, the IP ranges are compiled from original sources into a binary sorted table, containing as of today 83162 consolidated

Re: ipfw divert filter for IPv4 geo-blocking

2016-07-26 Thread Dr. Rolf Jansen
> Am 26.07.2016 um 13:23 schrieb Julian Elischer : > On 26/07/2016 1:41 AM, Dr. Rolf Jansen wrote: >> Once a week, the IP ranges are compiled from original sources into a binary >> sorted table, containing as of today 83162 consolidated range/cc pairs. On >> starting-up, the

Re: ipfw divert filter for IPv4 geo-blocking

2016-07-26 Thread Michael Sierchio
On Tue, Jul 26, 2016 at 9:26 AM, Julian Elischer wrote: table 1 { DE, NL } -> 1, >> { US, UK } -> 10100 >> table 2 { CN, KO, TR } -> 2 >> > why multiple tables? > if you load the table at once you can assign a country code as the > tablearg for

Re: ipfw divert filter for IPv4 geo-blocking

2016-07-26 Thread Julian Elischer
On 26/07/2016 1:01 AM, Jan Bramkamp wrote: On 25/07/16 16:28, Dr. Rolf Jansen wrote: I have written a ipfw divert filter daemon for IPv4 geo-blocking. It is working flawlessly on two server installations since a week. Anyway, I am still in doubt whether I do the blocking in the correct way

Re: ipfw divert filter for IPv4 geo-blocking

2016-07-26 Thread Julian Elischer
On 26/07/2016 1:41 AM, Dr. Rolf Jansen wrote: Am 25.07.2016 um 12:47 schrieb Michael Sierchio : Writing a divert daemon is a praiseworthy project, but I think you could do this without sending packets to user land. You could use tables - … Am 25.07.2016 um 14:01 schrieb

Re: ipfw divert filter for IPv4 geo-blocking

2016-07-25 Thread Dr. Rolf Jansen
> Am 25.07.2016 um 12:47 schrieb Michael Sierchio : > > Writing a divert daemon is a praiseworthy project, but I think you could do > this without sending packets to user land. > > You could use tables - … > Am 25.07.2016 um 14:01 schrieb Jan Bramkamp : >

Re: ipfw divert filter for IPv4 geo-blocking

2016-07-25 Thread Jan Bramkamp
On 25/07/16 16:28, Dr. Rolf Jansen wrote: I have written a ipfw divert filter daemon for IPv4 geo-blocking. It is working flawlessly on two server installations since a week. Anyway, I am still in doubt whether I do the blocking in the correct way. Once the filter receives a packet from

Re: ipfw divert filter for IPv4 geo-blocking

2016-07-25 Thread Michael Sierchio
Rolf Jansen" <r...@cyclaero.com> wrote: > I have written a ipfw divert filter daemon for IPv4 geo-blocking. It is > working flawlessly on two server installations since a week. > > Anyway, I am still in doubt whether I do the blocking in the correct way. > Once th

ipfw divert filter for IPv4 geo-blocking

2016-07-25 Thread Dr. Rolf Jansen
I have written a ipfw divert filter daemon for IPv4 geo-blocking. It is working flawlessly on two server installations since a week. Anyway, I am still in doubt whether I do the blocking in the correct way. Once the filter receives a packet from the respective divert socket it looks up