Maxmind, a US-based company who is quite well-known for providing their GeoIP database which fires a lot of services that need GeoIP data, has changed their usage policy on this database with effect of the beginning of this year. Unfortunately this makes it unusable for IPFire and we have decided to replace it. Here is how we are going to do it.
IPFire is using geo information for two things: We are showing flags next to DNS servers, firewall hits, etc. and we are using it to block connections from or to certain countries in the firewall.
We, the IPFire developers, have started a side-project to replace the Maxmind GeoIP databases in IPFire over two years ago. We felt that this was necessary because of the quality of the database getting worse and worse. Strict licences as well as changes like this December are very incompatible with the freedom that we want to provide for all IPFire users.
The code name is
libloc and it is a library written in C which reads from our own location database.
The code is written in a portable way and runs on multiple operating systems so that it can be used by other projects, too. The library is tiny and the code can quickly be audited. Our focus was on easy usability and performance. Because of smart packing of the data into the database and intelligent search algorithms, we are approximately 10 times faster than Maxmind's code. Pages will load faster and
libloc can be used in software where location information needs to be present as quickly as possible - for example in the Intrusion Prevention System or in a DNS server that performs load-balancing based on the geographical location of the user. With provided bindings for Python and Perl, it is easy to use in scripting languages, too.
To make sure that you are only using genuine data, the database is cryptographically signed and being automatically updated whenever needed.
It is a really awesome project and many hours of engineering work have been put into it. It is software design at its finest and I had a lot of fun working on the project.
The Changes For Now
Sadly, this project is not yet ready for production and so this is a slightly hurried announcement. Of course you can support us with your donation. Keep watching this blog for any further updates. But so far, here are the most important things:
If you install a new IPFire system with a release version before 2.23 - Core Update 140, you won't be able to use geo blocking. The reason is that Maxmind's database is not being shipped with IPFire because it was unclear if we could do that legally or not. A script regularly updated the database, but this service has now been deactivated by Maxmind.
With Core Update 140 we ship the last version of the database that is available under the old Creative Commons licence. Now, Maxmind requires to sign a new licence which we cannot do for various reasons and therefore we are looking to retire using this database altogether and use
Those changes will come with one of the following update. The code is already done and in a very good beta stage. What is not yet fully finished, is the actual database. We are writing and optimising scripts that gather the information we need and compile it. This is what we are working on right now and hopefully it won't be long.