Date: Thu, 12 Aug 2021 09:04:17 -0500
From: Doug McIntyre <merlyn@geeks.org>
To: freebsd-questions@freebsd.org
Subject: Re: Can ipfw Rules Be Based On DNS Name
Message-ID: <YRUqYXp6R9VpglFi@geeks.org>
In-Reply-To: <CAHu1Y73n9Ybmm9Ghe2MZNepf%2B6%2BMi8FH8nn=BMCUyoa5r9QPBA@mail.gmail.com>
References: <ac332bfe-314a-ac76-eeb4-f0111bac4d0d@tundraware.com>
 <CAD=pOf=85A5kFp1PEN72QdJs5G7tpr_daFMuHqy65bX%2B78oHsg@mail.gmail.com>
 <CAHu1Y73n9Ybmm9Ghe2MZNepf%2B6%2BMi8FH8nn=BMCUyoa5r9QPBA@mail.gmail.com>
On Wed, Aug 11, 2021 at 05:20:07PM -0700, Michael Sierchio wrote:
> You can maintain a table of addresses, and check that with a single rule.
> You can add and delete CIDR blocks and IPv6 prefixes without changing the
> ruleset or restarting the firewall. How you might do that is a non-trivial
> problem. How do you find all the IP addresses associated with a particular
> domain?

That's what I've done in the past: created a table referenced in IPFW, then
some sort of process that periodically checks the domain name resolution and
updates the table if the IP addresses change.

Obviously, you are going to need to know what set of names they will be
coming from. It is unlikely that somebody would be coming from
*.lab.domain.com; it's probably going to be much more likely to be from some
small set of DNS entries.

This is the way commercial firewalls work too. If you set up a policy in a
Fortigate based on FQDN, it will only periodically go through and update the
IP addresses based on FQDNs. There could be a period where the refresh
procedure hasn't kicked off yet, and somebody connects after a DNS update.
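The "table plus periodic resolver" approach Doug describes, written out as an added example; this is not a script from the thread or from FreeBSD. It assumes table number 10, the placeholder names in FQDNS, and drill(1) from FreeBSD base for resolution, and it is meant for a table that holds only FQDN-derived entries, since anything in the table that the names no longer resolve to gets deleted. The table name, the path to ipfw and the cron interval are all assumptions.

```shell
#!/bin/sh
# Added example, not a script from the thread: keep a dedicated ipfw lookup
# table in sync with what a fixed set of FQDNs currently resolves to.
# Assumptions (placeholders): table number 10, the names in FQDNS, and
# drill(1) from FreeBSD base for resolution. A matching rule would be:
#   ipfw add 100 allow tcp from 'table(10)' to me 22 in
set -eu
export LC_ALL=C            # sort(1) and comm(1) must agree on collation

FQDNS="${FQDNS:-vpn.example.com mail.example.com}"   # constructed placeholder names
TABLE="${TABLE:-10}"
IPFW="${IPFW:-/sbin/ipfw}"                           # point at a stub to dry-run

# drill_addresses RR: read drill(1) output on stdin and print the RDATA of the
# IN records of type RR. The ';;' question and comment lines and any CNAME
# hops are skipped, so only the final A or AAAA addresses come out.
drill_addresses() {
    awk -v rr="$1" '$1 !~ /^;/ && $3 == "IN" && $4 == rr { print $5 }'
}

# resolve_names NAME...: every A and AAAA address the names resolve to,
# one per line, sorted and de-duplicated.
resolve_names() {
    for n in "$@"; do
        for rr in A AAAA; do
            drill "$n" "$rr" 2>/dev/null | drill_addresses "$rr"
        done
    done | sort -u
}

# table_addresses: parse `ipfw table N list` output ("addr/prefix value"
# lines; any header line is skipped) from stdin into bare addresses,
# sorted and de-duplicated.
table_addresses() {
    awk '$1 ~ /^[0-9A-Fa-f.:]+\/[0-9]+$/ { sub(/\/[0-9]+$/, "", $1); print $1 }' | sort -u
}

current_table() {
    "$IPFW" table "$TABLE" list 2>/dev/null | table_addresses
}

# table_diff DESIRED CURRENT: print "add ADDR" / "delete ADDR" lines that turn
# the current set into the desired one. Both files must be sorted (comm(1)).
table_diff() {
    comm -23 "$1" "$2" | sed 's/^/add /'
    comm -13 "$1" "$2" | sed 's/^/delete /'
}

# sync_table: resolve, diff against the live table and apply only the
# differences. If nothing resolved at all (resolver down, typo in FQDNS)
# the table is left untouched rather than emptied, which would lock out
# every client until the next successful run.
sync_table() {
    desired=$(mktemp) current=$(mktemp)
    trap 'rm -f "$desired" "$current"' EXIT
    resolve_names $FQDNS > "$desired"       # unquoted: split the list into names
    if [ ! -s "$desired" ]; then
        echo "no addresses resolved, leaving table $TABLE untouched" >&2
        return 1
    fi
    current_table > "$current"
    table_diff "$desired" "$current" | while read -r op addr; do
        "$IPFW" table "$TABLE" "$op" "$addr"
    done
}

# Run the sync only when invoked as `sh fqdn-table.sh sync` (e.g. from cron),
# so the functions can be sourced and exercised without touching ipfw.
case "${1:-}" in
    sync) sync_table ;;
esac
```

A crontab entry such as `*/5 * * * * /usr/local/sbin/fqdn-table.sh sync` gives the refresh interval; that interval is exactly the window Doug mentions, where a client whose DNS changed after the last run is still matched against the old address until the next run. Applying only the diff rather than flushing and refilling means existing entries stay in the table during the update, and the empty-result guard keeps a resolver outage from turning into a lockout.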
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?YRUqYXp6R9VpglFi>