Re: Re:

["Sebastian Seemann" <MisterSeaman@gmx.de>]

> On Sun, 05 Oct 2008 00:14:30 -0500, Grant Taylor
> <gtaylor@riverviewtech.net> wrote:
> 
> >I don't know for sure what the GeoIP match extension will do if the IP 
> >is not in the database.  I would expect the match to fail.  However with 
> >inverse logic included I'd guess that the failure would turn in to a 
> >success.  But with out testing, this is only a guess.
> >
> >I would be tempted to re-write your rule like this
> >
> >    iptables -A INPUT ! -m geoip --src-cc [country] -j ACCEPT

> >The difference being that you are moving the negative logic out of an 
> >unpredictable failure situation (GeoIP not knowing where the IP is from) 
> >to a controlled situation (IPTables inverting the result of a match 
> >extension).
Ah, I see. So simple but so great. Thank you.

> >Further, the GeoIP match extension should only return a successful match 
> >/if/ the source IP is in said source country.  Rather GeoIP will not 
> >match if the IP is included in the database but not associated with said 
> >country.  Likewise GeoIP should not success on an unknown IP because it 
> >could not make a match.
Good to know. That is exactly what I was wondering about.

> Looking at the source, geoip is very careful to make sure the IP is 
> within a particular IP block to return match, so it should 
> return no match for missing IP.  The maxmind database is sparse, as 
> not all IPs appear within it.
Maxmind write on their homepage the free database, while containing subnets, is right in 99.3 % of the cases, excluding AOL-users, which always are reported as US. I think this, if it is true, is sufficient for me, as long as unknown users are avoided.

Thanks guys.

Regards,
Sebastian
-- 
Psssst! Schon vom neuen GMX MultiMessenger gehört? Der kann`s mit allen: http://www.gmx.net/de/go/multimessenger