Geo-blocking at the Firewall

In general, access control at the firewall is established by selectors that can be attributed to incoming and outgoing IP packets, such as the physical interface a packet arrives on or leaves through, source and destination IP addresses, protocol type, port numbers, content type and content, and so on. Geo-location would be just another selector, but this information is not carried explicitly in the IP packets; it can, however, be obtained by using the source IP address as a key for looking up the location in a geo-database. For example, the country to which the IPv4 address 100.0.0.1 is delegated can be obtained, among other information, with the common Unix tool whois:

$ whois 100.0.0.1
>>>>
...
NetRange:       100.0.0.0 - 100.41.255.255
CIDR:           100.32.0.0/13, 100.40.0.0/15, 100.0.0.0/11
NetName:        V4-VZO
NetHandle:      NET-100-0-0-0-1
Parent:         NET100 (NET-100-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS19262
Organization:   MCI Communications Services, Inc. d/b/a Verizon Business (MCICS)
RegDate:        2010-12-28
Updated:        2016-05-17
Ref:            https://whois.arin.net/rest/net/NET-100-0-0-0-1

OrgName:        MCI Communications Services, Inc. d/b/a Verizon Business
OrgId:          MCICS
Address:        22001 Loudoun County Pkwy
City:           Ashburn
StateProv:      VA
PostalCode:     20147
Country:        US
...

whois does an online lookup in the databases of the five Regional Internet Registries (AFRINIC, APNIC, ARIN, LACNIC, RIPENCC), and this is the most reliable way to obtain the country code for an IP address, because the RIRs are the authorities for Internet number delegations.

Unfortunately, an online database lookup is far too slow to even be considered at the firewall level, where IP packets need to be processed within a tenth or a hundredth of a millisecond. Therefore, a locally maintained geo-location database is indispensable for this purpose, and I uploaded the source code of the necessary tools for FreeBSD to GitHub: Tools for IP based Geo-blocking and Geo-routing at the firewall on FreeBSD.

The local Geo-location database

The idea is to obtain the authoritative geo-location information from the five RIRs and compile it into an optimized format suitable for quickly looking up the country codes of given IP addresses. This information is present in the so-called delegation statistics files on the FTP servers of each RIR. APNIC, LACNIC and RIPENCC also mirror the files of the other RIRs on their servers, while ARIN and AFRINIC do not mirror the latest delegation statistics of the other RIRs.

The GitHub repository mentioned above provides the source code of the tools and a shell script, ipdb-update.sh, which can be used for this purpose. Download the package from GitHub to your FreeBSD system and, as user root, execute # make install from within the ipdb-tools directory.

Choose one of the three useful mirror sites (APNIC, LACNIC or RIPENCC, the RIRs that mirror the other registries' files), depending on where you are located:

As user root run the script ipdb-update.sh with the chosen mirror as the parameter, for example ftp.ripe.net:

# ipdb-update.sh ftp.ripe.net
>>>>
/usr/local/etc/ipdb/IPRanges/afrinic.md5      100% of   74  B  688 kBps
/usr/local/etc/ipdb/IPRanges/afrinic.dat      100% of  476 kB  361 kBps
/usr/local/etc/ipdb/IPRanges/apnic.md5        100% of   73  B  819 kBps
/usr/local/etc/ipdb/IPRanges/apnic.dat        100% of 5378 kB 1021 kBps
/usr/local/etc/ipdb/IPRanges/arin.md5         100% of   67  B   16 kBps
/usr/local/etc/ipdb/IPRanges/arin.dat         100% of 9095 kB 1065 kBps
/usr/local/etc/ipdb/IPRanges/lacnic.md5       100% of   74  B   24 kBps
/usr/local/etc/ipdb/IPRanges/lacnic.dat       100% of 2685 kB  837 kBps
/usr/local/etc/ipdb/IPRanges/ripencc.md5      100% of   74  B  539 kBps
/usr/local/etc/ipdb/IPRanges/ripencc.dat      100% of   12 MB 1144 kBps
ipdb v1.2b (103), Copyright © 2016-2018 Dr. Rolf Jansen
Processing RIR data files ...

 afrinic.dat  apnic.dat  arin.dat  lacnic.dat  ripencc.dat 

Total number of processed IP-Ranges = 139551
Total number of processed Segments  = 214070

This downloads all the delegation statistics data files together with the respective MD5 verification hashes into /usr/local/etc/ipdb/IPRanges/; the directory is created if it does not yet exist. If the downloads went smoothly, the script starts the ipdb tool, which in the same go generates the binary files with the consolidated IPv4 and IPv6 ranges vs. country codes and unique net segment owner IDs. Later, we may want to put the above ipdb-update.sh command into a weekly cron job.

Now, check whether the database is ready by looking up some addresses using the ipup tool:

# ipup 172.217.29.196
172.217.29.196 -> 172.200.0.0 - 172.217.255.255 in US
      net segment 172.217.0.0 - 172.217.255.255 owned by 9d99e3f7d38d1b8026f2ebbea4017c9f

# ipup 2800:3f0:4001:807::2004
2800:3f0:4001:807::2004 -> 2800:3f0:0:0:0:0:0:0 - 2800:3f0:ffff:ffff:ffff:ffff:ffff:ffff in AR
               net segment 2800:3f0:0:0:0:0:0:0 - 2800:3f0:ffff:ffff:ffff:ffff:ffff:ffff owned by 58353

# ipup 2a00:1450:4001:819::2004 
2a00:1450:4001:819::2004 -> 2a00:1450:0:0:0:0:0:0 - 2a00:1457:ffff:ffff:ffff:ffff:ffff:ffff in IE
                net segment 2a00:1450:0:0:0:0:0:0 - 2a00:1457:ffff:ffff:ffff:ffff:ffff:ffff owned by 5594432b969d45afa76cf5c154a27b30

# ipup 141.33.17.2
141.33.17.2 -> 141.12.0.0 - 141.80.255.255 in DE
   net segment 141.33.0.0 - 141.33.255.255 owned by 484e554521f34a41beca6326c4ae8ecf

# ipup 192.168.1.1
192.168.1.1 not found.
192.168.1.1 not found.

Geo-blocking with ipfw

The ipup tool can generate tables of CIDR ranges for selected country codes and/or unique network segment owner IDs, which can be piped directly into ipfw.

# ipup -t DE:BR:CH -n 0 -4
table 0 add 2.160.0.0/12
table 0 add 2.200.0.0/13
table 0 add 2.208.0.0/13
table 0 add 2.240.0.0/13
table 0 add 5.1.64.0/19
table 0 add 5.1.96.0/21
table 0 add 5.1.112.0/21
table 0 add 5.1.120.0/21
table 0 add 5.1.128.0/17
table 0 add 5.4.0.0/14
...
table 0 add 217.195.32.0/20
table 0 add 217.196.176.0/20
table 0 add 217.197.80.0/20
table 0 add 217.197.128.0/21
table 0 add 217.197.208.0/20
table 0 add 217.198.128.0/20
table 0 add 217.198.240.0/20
table 0 add 217.199.64.0/20
table 0 add 217.199.192.0/20
table 0 add 217.224.0.0/11

Or, we may generate firewall tables by specifying a colon-separated list of unique network segment owner IDs:

# ipup -t 9d99e3f7d38d1b8026f2ebbea4017c9f:5594432b969d45afa76cf5c154a27b30:58353 -n 1 -4
table 1 add 64.233.160.0/19
table 1 add 66.102.0.0/20
table 1 add 66.249.64.0/19
table 1 add 70.32.128.0/19
table 1 add 72.14.192.0/18
table 1 add 74.114.24.0/21
table 1 add 74.125.0.0/16
table 1 add 108.170.192.0/18
table 1 add 108.177.0.0/17
table 1 add 142.250.0.0/15
table 1 add 172.217.0.0/16
table 1 add 172.253.0.0/16
table 1 add 173.194.0.0/16
table 1 add 192.178.0.0/15
table 1 add 193.142.125.0/24
table 1 add 193.186.4.0/24
table 1 add 193.200.222.0/24
table 1 add 194.110.194.0/24
table 1 add 199.36.152.0/21
table 1 add 207.223.160.0/20
table 1 add 208.68.108.0/22
table 1 add 208.81.188.0/22
table 1 add 209.85.128.0/17
table 1 add 216.58.192.0/19
table 1 add 216.239.32.0/19
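To make the pipeline from the two preceding sections concrete (delegation statistics in, country lookup and ipfw table lines out), here is an added Python sketch of what ipdb and ipup do; it is not code from the ipdb-tools repository, and the sample records are constructed, with block sizes chosen to match ranges shown above. It relies on the RIR extended delegation statistics format, in which the value field is an address count for IPv4 records and a prefix length for IPv6 records.

```python
import ipaddress
from bisect import bisect_right

# Constructed sample in the RIR extended delegation statistics format
# (registry|cc|type|start|value|date|status): "value" is an address count for
# ipv4 records and a prefix length for ipv6 records. Blocks mirror the post.
SAMPLE_STATS = """\
2|ripencc|20180930|6|19830705|20180929|+0000
ripencc|*|ipv4|*|5|summary
ripencc|DE|ipv4|2.160.0.0|1048576|20100916|allocated
ripencc|DE|ipv4|5.1.64.0|8192|20120524|allocated
ripencc|CH|ipv4|5.1.120.0|2048|20120524|allocated
arin|US|ipv4|172.217.0.0|65536|20120406|allocated
lacnic|BR|ipv4|200.0.0.0|3072|19950101|allocated
ripencc|IE|ipv6|2a00:1450::|29|20090101|allocated
"""

def parse_delegations(text):
    """Return {4: [...], 6: [...]} of (first, last, cc) tuples sorted by first."""
    ranges = {4: [], 6: []}
    for line in text.splitlines():
        f = line.split("|")
        if len(f) < 7 or f[2] not in ("ipv4", "ipv6") or f[3] == "*":
            continue                      # header, summary or malformed line
        first = int(ipaddress.ip_address(f[3]))
        size = int(f[4]) if f[2] == "ipv4" else 1 << (128 - int(f[4]))
        ranges[4 if f[2] == "ipv4" else 6].append((first, first + size - 1, f[1]))
    for rows in ranges.values():
        rows.sort()                       # sorted, non-overlapping: binary searchable
    return ranges

def lookup(ranges, ip):
    """Country code for ip, or None (e.g. RFC 1918 space is never delegated)."""
    addr = ipaddress.ip_address(ip)
    rows = ranges[addr.version]
    i = bisect_right(rows, (int(addr), float("inf"), "")) - 1
    if i >= 0 and rows[i][0] <= int(addr) <= rows[i][1]:
        return rows[i][2]
    return None

def ipfw_table(ranges, ccs, table_no, version=4):
    """'table N add CIDR' lines for the given country codes, like 'ipup -t'."""
    cls = ipaddress.IPv4Address if version == 4 else ipaddress.IPv6Address
    out = []
    for first, last, cc in ranges[version]:
        if cc in ccs:   # a delegation need not be one CIDR block: split it
            for net in ipaddress.summarize_address_range(cls(first), cls(last)):
                out.append(f"table {table_no} add {net}")
    return out
```

The 3072-address BR delegation shows why the split step matters: a single delegation becomes two table entries, 200.0.0.0/21 and 200.0.8.0/22.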

These table commands may be used in the ipfw configuration script as follows:

...
/sbin/ipfw -q table all destroy
...
...
# allow only web access from DE, BR, CH:
/sbin/ipfw -q table 0 create
/usr/local/bin/ipup -t DE:BR:CH -n 0 | /sbin/ipfw -q /dev/stdin
/sbin/ipfw -q add 70 deny tcp from not table\(0\) to any 22,80,443 in recv em0 setup
...

Or, the other way around:

...
/sbin/ipfw -q table all destroy
...
...
# Google’s blind spot:
/sbin/ipfw -q table 1 create
/usr/local/bin/ipup -t 9d99e3f7d38d1b8026f2ebbea4017c9f:5594432b969d45afa76cf5c154a27b30:58353 -n 1 | /sbin/ipfw -q /dev/stdin
/sbin/ipfw -q add 71 deny tcp from table\(1\) to any 80,443 in recv em0 setup
...
...
# EU GDPR geo blocking:
/sbin/ipfw -q table 66 create
/usr/local/bin/ipup -t AL:AT:BE:BG:CY:CZ:DE:DK:EE:ES:FI:FR:GB:GR:HR:HU:IE:IT:LT:LU:LV:ME:MK:MT:NL:PL:PT:RO:RS:SE:SI:SK:TR -n 66 | /sbin/ipfw -q /dev/stdin
/sbin/ipfw -q add 72 deny tcp from table\(66\) to any 80,443 in recv em0 setup
...

Is Geo-blocking evil?

As always, this depends solely on the purpose. Geo-blocking can hardly be called evil if you want to reduce the attack surface of your home server by limiting access to source IP addresses from the country where you live. Now, if you block access from the free (TR, SA), the freer (RU) and the freest (GB) countries in the world, this may be considered evil in those countries :-D

Copyright © Dr. Rolf Jansen - 2018-09-30 23:37:40