Tuesday, March 18, 2014

Getting Google IP ranges

Google publishes the Google Cloud netblocks as SPF-style TXT records. The top-level record holds only include: terms, so one dig is not enough: pull the included names out, query each of them in turn, and keep the ip4: entries:

dig +short txt _cloud-netblocks.googleusercontent.com \
  | sed 's/"//g; s/ip4://g;' | tr ' ' '\n' \
  | grep include | cut -d ':' -f2 \
  | xargs dig +short txt \
  | sed 's/"//g; s/ip4://g;' | tr ' ' '\n' \
  | grep '/'


which, when run in March 2014, returned the following (it is a snapshot; re-run the query rather than hardcoding the list):

8.34.208.0/20
8.35.192.0/21
8.35.200.0/23
108.59.80.0/20
108.170.192.0/20
108.170.208.0/21
108.170.216.0/22
108.170.220.0/23
108.170.222.0/24
162.216.148.0/22
162.222.176.0/21
173.255.112.0/20
192.158.28.0/22
199.192.112.0/22
199.223.232.0/22
199.223.236.0/23
23.236.48.0/20
23.251.128.0/19
107.167.160.0/19
107.178.192.0/18
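The same walk in Python, as an added example rather than the post's own one-liner: it follows include: (and redirect=) terms recursively instead of one level deep, accepts ip6: as well as ip4:, dedupes blocks listed more than once, refuses chains longer than the ten-lookup limit of RFC 7208, and can tell you whether a given address sits in one of the returned blocks. The DNS lookup is injected so the code runs offline against constructed records (only the top-level name is real; the include names and netblocks in SAMPLE_TXT are made up); dig_resolver does the live query by shelling out to dig.

```python
"""Expand an SPF-style TXT record into the netblocks it lists.

Added example, not code from the original post. The resolver is injected so
the walk runs offline against constructed records; dig_resolver() does the
real lookup with dig.
"""
import ipaddress
import subprocess
from typing import Callable, Dict, List, Optional

# Constructed records mimicking the shape of the real data. Only the
# top-level name is real; the include names and netblocks are made up.
SAMPLE_TXT: Dict[str, List[str]] = {
    "_cloud-netblocks.googleusercontent.com": [
        "v=spf1 include:_cloud-netblocks1.example.test "
        "include:_cloud-netblocks2.example.test ?all",
    ],
    "_cloud-netblocks1.example.test": [
        "v=spf1 ip4:8.34.208.0/20 ip4:8.35.192.0/21 ?all",
    ],
    "_cloud-netblocks2.example.test": [
        # a duplicate block, an IPv6 block and an include: loop back to the top
        "v=spf1 ip4:8.35.192.0/21 ip4:108.59.80.0/20 ip6:2600:1900::/28 "
        "include:_cloud-netblocks.googleusercontent.com ?all",
    ],
}

Resolver = Callable[[str], List[str]]


def sample_resolver(name: str) -> List[str]:
    """Offline stand-in for DNS: returns the constructed TXT records."""
    return SAMPLE_TXT.get(name, [])


def dig_resolver(name: str) -> List[str]:
    """Live lookup with dig +short txt. dig prints a long TXT record as several
    quoted strings ("abc" "def"); RFC 7208 says to join them without spaces."""
    proc = subprocess.run(["dig", "+short", "txt", name],
                          capture_output=True, text=True, check=True)
    return ["".join(line.split('"')[1::2]) for line in proc.stdout.splitlines()]


def expand_spf(name: str, resolve: Resolver = dig_resolver,
               max_lookups: int = 10) -> List[str]:
    """Return every ip4:/ip6: netblock reachable from name, deduped and sorted.

    include: and redirect= are followed breadth-first. Each name is resolved
    at most once, so a loop cannot recurse forever; more than max_lookups
    names beyond the first (RFC 7208 section 4.6.4 sets 10) raises rather
    than silently returning a partial list.
    """
    seen = set()
    nets = set()
    queue = [name]
    while queue:
        current = queue.pop(0)
        if current in seen:
            continue
        if len(seen) > max_lookups:
            raise RuntimeError("SPF chain for %s exceeds %d lookups" % (name, max_lookups))
        seen.add(current)
        for record in resolve(current):
            terms = record.split()
            if not terms or terms[0].lower() != "v=spf1":
                continue  # not an SPF record
            for term in terms[1:]:
                term = term.lstrip("+-~?")  # qualifiers do not matter for enumeration
                if term.startswith("include:"):
                    queue.append(term[len("include:"):])
                elif term.startswith("redirect="):
                    queue.append(term[len("redirect="):])
                elif term.startswith(("ip4:", "ip6:")):
                    nets.add(ipaddress.ip_network(term[4:], strict=False))
    return [str(n) for n in sorted(nets, key=lambda n: (n.version, n))]


def find_block(address: str, blocks: List[str]) -> Optional[str]:
    """First block containing address, or None if the address is not listed."""
    ip = ipaddress.ip_address(address)
    for block in blocks:
        net = ipaddress.ip_network(block)
        if ip.version == net.version and ip in net:
            return block
    return None


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "_cloud-netblocks.googleusercontent.com"
    for block in expand_spf(target):
        print(block)
```

Run it with no arguments to query the real record through dig, or pass any other name that carries an SPF record. The lookup cap matters in practice: a receiver's SPF evaluator stops at ten DNS-querying terms, so a chain that trips the RuntimeError here is one that mail servers would reject as permerror too.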

Wednesday, January 8, 2014

IPFilter 5 and compiled access lists

I've been back to FreeBSD lately, and am using FreeBSD 10 RC2.

I noticed an option to compile access lists into the kernel module for ipfilter.  I got it to work, but thought I'd note down how ...

First, the kernel config has no option for compiled access lists, so add this makeoptions line to your kernel config instead:

makeoptions     CFLAGS+=-DIPFILTER_COMPILED

or put the same CFLAGS+=-DIPFILTER_COMPILED line in /etc/make.conf (that applies to every build on the box, so the kernel config is the tidier place).

Now take your ruleset file and generate ip_rules.c and ip_rules.h from it (-n stops ipf from loading anything into the running kernel, -cc makes it emit C):

/sbin/ipf -n -cc -f <filename>

Copy both files into

/usr/src/sys/contrib/ipfilter/netinet

Edit ip_rules.c and take out the NetBSD preprocessor conditional by deleting these lines (on FreeBSD __NetBSD_Version__ is undefined, so that #if could never be true there; make sure its #endif is not left behind on its own):

#if (__NetBSD_Version__ >= 399000000)
#else

Then, if you have both in and out rules, there is a bug in the generated ip_rules.c: it does not emit the array of outbound rules. Work around it by adding

frentry_t *ipf_rules_out_[1] = {
        (frentry_t *)&out_rule__0
};

with the size [1] changed to the number of outbound rules you have and one (frentry_t *)&out_rule__N entry listed per rule.

Then build and install the kernel as normal, load the module, and you should see a line like this in dmesg (note the COMPILED tag at the end):

IP Filter: v5.1.2 initialized.  Default = pass all, Logging = enabled (COMPILED)
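The two hand edits above are easy to get wrong when the ruleset changes, so here is a small script that applies them to a freshly generated ip_rules.c. It is an added example, not part of ipfilter or the original post, and it assumes three things about the generator's output: each rule is a file-scope initialiser of the form `frentry_t out_rule__N = {` ... `};` (the naming matches the array on the page), those definitions come before the generated functions that use the array, and the NetBSD conditional is the `#if (__NetBSD_Version__ >= 399000000)` / `#else` / `#endif` form. The post deletes only the `#if` and `#else` lines; this also drops the matching `#endif`, keeping both branches' lines, so the file still preprocesses. SAMPLE_IP_RULES_C is a constructed cut-down stand-in for a generated file.

```python
"""Post-process an ip_rules.c produced by 'ipf -n -cc -f <rules>' as the post
describes: drop the NetBSD preprocessor conditional and, if the file defines
out_rule__N rules but no ipf_rules_out_ array, add the array with one entry
per rule. Added example, not ipfilter's code and not from the original post.

Assumptions: rules are file-scope initialisers 'frentry_t out_rule__N = {'
closed by a line that is exactly '};', they precede the functions that use
the array, and the conditional is '#if (__NetBSD_Version__ ...)'/'#else'/'#endif'.
"""
import re
import sys
from typing import List

NETBSD_IF = "#if (__NetBSD_Version__ >= 399000000)"
# a rule definition line, e.g. "static frentry_t out_rule__3 = {"
OUT_RULE_DEF_RE = re.compile(r"\bout_rule__(\d+)\b[^=]*=\s*\{")
# the array the generator should have emitted
OUT_ARRAY_RE = re.compile(r"^\s*frentry_t\s*\*\s*ipf_rules_out_\s*\[")

# Constructed stand-in for a generated ip_rules.c, cut down to the lines this
# script cares about; a real file is far longer.
SAMPLE_IP_RULES_C = """\
#if (__NetBSD_Version__ >= 399000000)
#include <sys/kernel.h>
#else
#include <sys/param.h>
#endif
#include "netinet/ip_compat.h"

static frentry_t in_rule__0 = {
\t0
};

frentry_t *ipf_rules_in_[1] = {
\t(frentry_t *)&in_rule__0
};

static frentry_t out_rule__0 = {
\t0
};

static frentry_t out_rule__1 = {
\t0
};

int
ipfrule_add_out_(void)
{
\treturn 0;
}
"""


def strip_netbsd_conditional(lines: List[str]) -> List[str]:
    """Remove the NetBSD '#if', its '#else' and its matching '#endif', keeping
    the lines of both branches. Nested #if/#endif pairs inside are left alone."""
    out: List[str] = []
    depth = None  # None outside the block; nesting depth of #if inside it
    for line in lines:
        s = line.strip()
        if depth is None:
            if s == NETBSD_IF:
                depth = 0
            else:
                out.append(line)
            continue
        if s.startswith("#if"):  # nested #if / #ifdef / #ifndef
            depth += 1
        elif s.startswith("#else") and depth == 0:
            continue
        elif s.startswith("#endif"):
            if depth == 0:
                depth = None
                continue
            depth -= 1
        out.append(line)
    return out


def count_out_rules(lines: List[str]) -> int:
    """Number of distinct out_rule__N definitions in the file."""
    return len({int(m.group(1)) for m in map(OUT_RULE_DEF_RE.search, lines) if m})


def build_out_array(count: int) -> str:
    """The array the post adds by hand, sized and populated for count rules."""
    entries = ",\n".join("\t(frentry_t *)&out_rule__%d" % i for i in range(count))
    return "frentry_t *ipf_rules_out_[%d] = {\n%s\n};" % (count, entries)


def add_out_array(lines: List[str]) -> List[str]:
    """Insert ipf_rules_out_ after the last out_rule__N initialiser if missing."""
    if any(OUT_ARRAY_RE.match(l) for l in lines):
        return list(lines)  # the generator emitted it; nothing to do
    count = count_out_rules(lines)
    if count == 0:
        return list(lines)  # no outbound rules, so no array is needed
    last_def = max(i for i, l in enumerate(lines) if OUT_RULE_DEF_RE.search(l))
    closers = [k for k in range(last_def, len(lines)) if lines[k].strip() == "};"]
    if not closers:
        raise ValueError("no '};' closing the initialiser at line %d" % (last_def + 1))
    at = closers[0] + 1
    return lines[:at] + [""] + build_out_array(count).split("\n") + lines[at:]


def fix_ip_rules(text: str) -> str:
    lines = text.split("\n")
    return "\n".join(add_out_array(strip_netbsd_conditional(lines)))


if __name__ == "__main__":
    # usage: python fix_ip_rules.py ip_rules.c > ip_rules.fixed.c
    with open(sys.argv[1]) as f:
        sys.stdout.write(fix_ip_rules(f.read()))
```

Running it twice is safe: once the array exists the second pass leaves the file untouched. Before copying the result into the source tree, diff it against the generated file so the only changes are the removed conditional and the added array.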

