How to block country IPs

Hi, I need to find a bash script or something to add IPFW rules and block massive IP addresses from countries.

I looked at ipdeny but their generator is not working. I need some way to easily download the files from ipdeny and then have IPFW load these IPs in.

How would I do this?

I do not use IPFW but PF; however, I use the cron job below to update the geoblock file (which I created) that PF is configured to look into to block addresses. You may want to do something similar on IPFW.

@monthly curl -s{cn,us,tr,ru,tw,ro,in,it,hu}.zone > \

I don't want to divert ports. I already have rules set in IPFW and just want to make things simple. I just want to block all IPs from certain countries from coming in and out. Maybe making an IP table, denying it, and running a script to add IP blocks to this table would be the solution. I don't know, but I want a solution to block certain countries from connecting. I think that tool is complicated to use and I don't want to divert ports. The reason is I already have rules set for most of the ports. Isn't diverting it going to bypass my firewall?

My solution isn't slick, but you are welcome to it. I go to this page:
I get the CIDRs for each country from the menu and download them. I then create a simple shell script to feed them to a table for ipfw. In this case, I am using a table numbered "3". The format of the file follows:
ipfw -q table 3 add
ipfw -q table 3 add
ipfw -q table 3 add
Inside /etc/rc.firewall, I added these lines:
# block email
${fwcmd} add 568 deny log all from 'table(3)' to any dst-port 110
${fwcmd} add 569 deny log all from 'table(3)' to any dst-port 143
${fwcmd} add 570 deny log all from 'table(3)' to any dst-port 465
${fwcmd} add 571 deny log all from 'table(3)' to any dst-port 587
${fwcmd} add 572 deny log all from 'table(3)' to any dst-port 993
${fwcmd} add 573 deny log all from 'table(3)' to any dst-port 995
In this particular case, I am blocking all email ports other than 25 from countries where I don't reside or visit.

Where to place the "deny" lines is tricky. I suggest researching a program like sshguard and putting the "deny" in a similar location as they suggest for that service.

When possible, I like solutions not to depend on external databases, at least in real time. This is a self-contained solution, though the database changes quarterly and, like all databases, will have a bug or two. For instance, the Chaos Computer Club was trying to hack my email from, of all things, their own traceable IP space! So I maintain an additional file of additions.
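
The "simple shell script to feed them to a table" step from the post above, written out as an added example (not the poster's own script). It assumes the per-country CIDR files are already downloaded, one IPv4 CIDR per line; the file names in the usage comment are hypothetical, and table 3 is taken from the post.

```shell
#!/bin/sh
# Added example: build an ipfw table-load script from downloaded CIDR lists.
# It only prints commands; nothing is sent to ipfw until you run the output.
TABLE="${TABLE:-3}"    # table number used in the post

# gen_table_cmds: CIDR lists on stdin, ipfw commands on stdout.
# Comments, blank lines and duplicates are dropped. Anything that is not a
# plain IPv4 CIDR is rejected and reported on stderr, so a corrupted or
# tampered download cannot put shell text into the generated script.
gen_table_cmds() {
    # Flush first so ranges removed upstream do not linger in the table.
    # The table is briefly empty between the flush and the adds.
    echo "ipfw -q table $TABLE flush"
    sed -e 's/#.*//' -e 's/[[:space:]]//g' | awk -v t="$TABLE" '
        function valid(c,    p, o, i) {
            if (c !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/) return 0
            split(c, p, "/")
            # Refuse /0: it would match every address on the Internet.
            if (p[2] + 0 < 1 || p[2] + 0 > 32) return 0
            split(p[1], o, ".")
            for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) return 0
            return 1
        }
        $0 == ""    { next }
        !valid($0)  { print "skipped: " $0 | "cat 1>&2"; next }
        !seen[$0]++ { printf "ipfw -q table %s add %s\n", t, $0 }
    '
}

# Stand-alone use (hypothetical file names):
#   sh mkgeotable.sh cn.zone ru.zone additions.txt > /etc/ipfw.table3
#   sh /etc/ipfw.table3
if [ "$#" -gt 0 ]; then
    cat -- "$@" | gen_table_cmds
fi
```

Listing the hand-maintained additions file after the country files puts its entries in the same table, and review the "skipped" lines on stderr before loading the output.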