Subject: Re: Can ipfw Rules Be Based On DNS Name
From: Valeri Galtsev <galtsev@kicp.uchicago.edu>
To: freebsd-questions@freebsd.org
Date: Wed, 11 Aug 2021 16:56:56 -0500

On 8/11/21 4:48 PM, Tim Daneliuk via freebsd-questions wrote:
> On 8/11/21 4:43 PM, Tim Daneliuk via freebsd-questions wrote:
>> On 8/11/21 4:30 PM, Nathaniel Nigro wrote:
>>> /etc/hosts.allow?
>>
>> Hmmmm, an interesting possibility, actually. Thanks!
>
> Well, actually, that's not going to work because hosts.allow is for TCP
> based connections and I'm already blocking everything from everywhere.
> DNS uses UDP for query/replies.

When I'm really annoyed by some domain that hides behind a service showing
it with different IPs all the time (Cloudflare pops up in my mind, but I
may be wrong), then I do "whois [current domain's IP]", which reveals to me
whoever is hiding that domain, and all blocks of IPs owned by them. Then I
add all their address ranges to the blocking table in ipfw.

The one from whom I learned it said: if you block some good people, hm,
they need to know who they are in company with, and leave for better
company...

Valeri

PS I had to abandon ipfw, and switch over to pf, but that is a different
story.

--
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
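The "whois the current IP, then block every range the owner holds" step from the reply above, as an added example script that is not from the thread or from anyone in it. It parses a constructed whois sample (documentation prefixes only) and prints the ipfw(8) table commands instead of running them; the table name "blocklist" and rule number 100 are assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Turns "whois the IP, block the owner's ranges" into a reviewable set of
# ipfw table commands. Assumes table name "blocklist" and rule number 100.

# Constructed sample of whois(1) output mixing the ARIN "CIDR:" style and the
# RIPE "route:" style; real registries vary and may list ranges differently.
SAMPLE_WHOIS='NetName:    EXAMPLE-NET
CIDR:       192.0.2.0/24, 198.51.100.0/24
OrgName:    Example Networks
route:      203.0.113.0/24
descr:      Example Networks transit
route:      203.0.113.0/24'

# extract_ranges: read whois text on stdin, print one IPv4 CIDR per line,
# deduplicated and sorted; lines that are not plausible prefixes are dropped.
extract_ranges() {
    sed -n -E 's/^[[:space:]]*(CIDR|route):[[:space:]]*//p' |
    tr ',' '\n' |
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' |
    sort -u
}

# ipfw_table_commands: read CIDRs on stdin and print the ipfw commands that
# would install them into an address table and deny traffic from it.
# Review the output before feeding it to sh; nothing is executed here.
ipfw_table_commands() {
    table=${1:-blocklist}
    echo "ipfw table $table create type addr"
    while read -r cidr; do
        echo "ipfw table $table add $cidr"
    done
    echo "ipfw add 100 deny ip from 'table($table)' to any"
}

# Stand-alone run: on a real host replace the sample with
#   whois "$(dig +short example.invalid | head -n1)" | extract_ranges
printf '%s\n' "$SAMPLE_WHOIS" | extract_ranges | ipfw_table_commands blocklist
```

Re-run it periodically: the owner's ranges change, and a range added today does not follow the domain if it moves to a different provider.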