From owner-freebsd-questions@freebsd.org Thu Aug 12 00:18:59 2021
Subject: Re: Can ipfw Rules Be Based On DNS Name
To: FreeBSD Mailing List
From: Tim Daneliuk
Message-ID: <07064513-2e56-d4f7-54aa-8a7d12755402@tundraware.com>
Date: Wed, 11 Aug 2021 19:18:24 -0500
List-Id: User questions

On 8/11/21 6:37 PM, Nathaniel Nigro wrote:
> Ipfw -q add 111 deny udp from (domain) to any(or local ip) (port) in via
> (interface) keep-state
>
> Doesn’t work?

Not the way I want. At the time the rule is applied, (domain) is resolved
and replaced with a single IP address. I want to block everything coming
from any IP in that domain.

Or ... so I thought ... what is actually going on, the deeper I look, is
that the various scammer/spammer/sleazebags are representing themselves
as a legitimate domain, hoping to forward their DNS requests through our
servers. We have that tightened down so these get rejected, but it does
make our logs very noisy:

  11-Aug-2021 14:17:10.819 security: info: client @0x8032b3b60 51.89.223.6#55252 (pizzaseo.com): view external: query (cache) 'pizzaseo.com/RRSIG/IN' denied

I know of no way to stop this since these requests come from a large and
unpredictable set of IPs.
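A defender-side way to size up the log noise described in the reply above, as an added example that is not from the post and not part of ipfw or BIND: a small Python script that parses BIND security-category "query ... denied" lines of the shape quoted in the message and counts them per client address and per queried name, so the operator can see whether the sources really are a large, unpredictable set or whether a few hosts dominate. The line layout is assumed from the single quoted line; every sample line except that one is constructed, using documentation addresses, and the function names are my own.

```python
"""Aggregate BIND 'query ... denied' security log lines by client address and queried name.

Added example for the thread above; the line format is assumed from the one log line
quoted in the message, everything else here is constructed.
"""
import re
from collections import Counter

# Assumed shape of a BIND 9 security-category line, taken from the quoted example:
#   <ts> security: info: client [@0xPTR ]<ip>#<port> (<name>): view <view>: \
#        query (<source>) '<qname>/<qtype>/<qclass>' denied
DENIED_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"security: info: client (?:@0x[0-9a-fA-F]+ )?"
    r"(?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+) \([^)]*\): "
    r"view (?P<view>[^:]+): query \((?P<source>[^)]+)\) "
    r"'(?P<qname>[^/']+)/(?P<qtype>[A-Za-z0-9]+)/(?P<qclass>[A-Za-z]+)' denied$"
)

# Constructed sample log: the first line is the one quoted in the message; the rest are
# made up (RFC 5737 / RFC 3849 addresses). The final "queries:" line is deliberately of a
# different category and must be skipped, not counted.
SAMPLE_LOG = """\
11-Aug-2021 14:17:10.819 security: info: client @0x8032b3b60 51.89.223.6#55252 (pizzaseo.com): view external: query (cache) 'pizzaseo.com/RRSIG/IN' denied
11-Aug-2021 14:17:11.002 security: info: client @0x8032b3b60 51.89.223.6#55253 (pizzaseo.com): view external: query (cache) 'pizzaseo.com/ANY/IN' denied
11-Aug-2021 14:17:12.417 security: info: client @0x8032b5c10 203.0.113.9#4412 (pizzaseo.com): view external: query (cache) 'pizzaseo.com/RRSIG/IN' denied
11-Aug-2021 14:17:13.090 security: info: client @0x8032b5c10 198.51.100.77#53 (example.net): view external: query (cache) 'example.net/A/IN' denied
11-Aug-2021 14:17:13.500 security: info: client @0x8032b7a00 2001:db8::1#9999 (pizzaseo.com): view external: query (cache) 'pizzaseo.com/RRSIG/IN' denied
11-Aug-2021 14:17:14.000 queries: info: client @0x8032b9900 192.0.2.5#1234 (example.com): view internal: query: example.com IN A + (192.0.2.1)
"""


def parse_denied(line):
    """Return the named fields of one denied-query line, or None for any other line."""
    m = DENIED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def summarize(log_text):
    """Count denied queries per client IP and per queried name.

    Returns (by_ip, by_name, skipped) where skipped is the number of lines that were
    not denied-query lines (other categories, truncated lines, and so on).
    """
    by_ip, by_name, skipped = Counter(), Counter(), 0
    for line in log_text.splitlines():
        rec = parse_denied(line)
        if rec is None:
            skipped += 1
            continue
        by_ip[rec["ip"]] += 1
        by_name[rec["qname"].lower()] += 1
    return by_ip, by_name, skipped


def repeat_offenders(by_ip, threshold):
    """Client addresses seen at least `threshold` times, most frequent first.

    If this list is short while the total is large, the traffic really does come from
    a wide, churning set of sources; if it is long, a handful of hosts account for it.
    """
    return [(ip, n) for ip, n in by_ip.most_common() if n >= threshold]


if __name__ == "__main__":
    by_ip, by_name, skipped = summarize(SAMPLE_LOG)
    print("denied queries per client:")
    for ip, n in by_ip.most_common():
        print(f"  {ip:<24} {n}")
    print("denied queries per name:")
    for name, n in by_name.most_common():
        print(f"  {name:<24} {n}")
    print(f"lines skipped (not denied-query lines): {skipped}")
    print("clients seen twice or more:", repeat_offenders(by_ip, 2))
```

Run it against a real file with `summarize(open("/var/log/named/security.log").read())` (path is an assumption; use whatever the `security` channel logs to on the server). The regex is anchored end to end so a truncated or differently formatted line is skipped and counted rather than silently mis-parsed.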