From owner-freebsd-ipfw@freebsd.org Mon Nov 30 12:02:51 2015
Date: Mon, 30 Nov 2015 23:02:39 +1100 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Kulamani Sethi
cc: freebsd-ipfw@freebsd.org
Subject: Re: Set a deny rule for a URL in IPFW by its domain name
Message-ID: <20151130223514.Q16065@sola.nimnet.asn.au>
List-Id: IPFW Technical Discussions

On Mon, 30 Nov 2015 16:48:49 +0530, Kulamani Sethi wrote:
 > Hi all,
 > I am using ipfw3; can I block a URL by its domain name? When I set
 > a rule in IPFW by domain name, it simply sets the rule by the
 > corresponding IP.
 > Here is an example of how I set it:
 >
 > C:>ipfw add 1002 deny log ip from www.google.com to any
 >
 > As far as I know, most websites use dynamic IPs; they simply change their
 > IP periodically. The rule I set for google worked for a few moments, then
 > it allowed the packets to my terminal.
% dig www.google.com

; <<>> DiG 9.6.-ESV-R3 <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16574
;; flags: qr rd ra; QUERY: 1, ANSWER: 16, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.                IN      A

;; ANSWER SECTION:
www.google.com.         43      IN      A       220.233.196.223
www.google.com.         43      IN      A       220.233.196.219
www.google.com.         43      IN      A       220.233.196.249
www.google.com.         43      IN      A       220.233.196.234
www.google.com.         43      IN      A       220.233.196.229
www.google.com.         43      IN      A       220.233.196.245
www.google.com.         43      IN      A       220.233.196.212
www.google.com.         43      IN      A       220.233.196.251
www.google.com.         43      IN      A       220.233.196.216
www.google.com.         43      IN      A       220.233.196.227
www.google.com.         43      IN      A       220.233.196.238
www.google.com.         43      IN      A       220.233.196.241
www.google.com.         43      IN      A       220.233.196.240
www.google.com.         43      IN      A       220.233.196.230
www.google.com.         43      IN      A       220.233.196.208
www.google.com.         43      IN      A       220.233.196.218

;; Query time: 31 msec
;; SERVER: 220.233.0.4#53(220.233.0.4)
;; WHEN: Mon Nov 30 22:34:28 2015
;; MSG SIZE  rcvd: 288

.. and that's just a list of www.google.com addresses at/via my ISP.

It's not so much - in this case - a matter of changing addresses periodically (where "periodically", for things like file and music sharing sites, may be as often as once per minute) as of having many different addresses provided in different parts of the world, as above. Your own provider might also provide fast proxies to google, youtube, netflix, facebook, twitter .. or most/all large content providers.

So no, if it doesn't have a fixed IP address, ipfw rules won't work. You could add addresses to a table, easy to update as you go without needing to reload your ipfw rules, and use something like:

# ipfw add deny log ip4 from table\(88\) to any

but if you hope to block sites like google, expect lots of work :)

cheers, Ian
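As an added example (not part of Ian's mail or of the ipfw project), here is a POSIX sh script that does the table maintenance Ian describes: it resolves a name with dig, pulls the IPv4 A records out of the answer, and prints or runs the ipfw table commands needed to bring the table into line with the current answer set. It assumes FreeBSD ipfw with table support (not the Windows ipfw3 port the question was about), that a rule like Ian's `ipfw add deny log ip4 from table(88) to any` already exists, and it embeds a constructed sample of dig output for www.example.com using 192.0.2.0/24 documentation addresses. The function names (extract_a_records, table_sync_cmds, refresh_table) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original mail: keep an ipfw table in sync with
# the A records a hostname currently resolves to. Assumes FreeBSD ipfw with
# tables and an existing rule like:  ipfw add deny log ip4 from table(88) to any
set -u
export LC_ALL=C          # byte-wise sort so output order is deterministic

TABLE="${TABLE:-88}"     # same table number as Ian's example rule

# Constructed sample of 'dig www.example.com' answer output (not real data);
# note the duplicate A record and the AAAA line, which must be ignored.
SAMPLE_DIG='; <<>> DiG 9.6-ESV-R3 <<>> www.example.com
;; ANSWER SECTION:
www.example.com.  43  IN  A     192.0.2.12
www.example.com.  43  IN  A     192.0.2.10
www.example.com.  43  IN  A     192.0.2.11
www.example.com.  43  IN  A     192.0.2.10
www.example.com.  43  IN  AAAA  2001:db8::1'

# Read dig output on stdin; print each IPv4 A record once, sorted.
# Comment lines (leading ';'), CNAME and AAAA answers are skipped.
extract_a_records() {
    awk '$1 !~ /^;/ && $3 == "IN" && $4 == "A" && $5 ~ /^[0-9.]+$/ { print $5 }' \
        | sort -u
}

# table_sync_cmds TABLE CURRENT_IPS WANTED_IPS
# Both IP arguments are newline-separated lists. Prints the ipfw commands
# that turn CURRENT into WANTED; the final sort puts adds before deletes.
table_sync_cmds() {
    printf '%s\n' "$2" | awk -v t="$1" -v wanted="$3" '
        BEGIN {
            n = split(wanted, w, "\n")
            for (i = 1; i <= n; i++) if (w[i] != "") want[w[i]] = 1
        }
        NF && !($1 in have) {
            have[$1] = 1
            if (!($1 in want)) print "ipfw table " t " delete " $1
        }
        END {
            for (ip in want) if (!(ip in have)) print "ipfw table " t " add " ip
        }' | sort
}

# Current table contents as bare addresses ("192.0.2.10/32 0" -> "192.0.2.10").
current_table_ips() {
    ipfw table "$TABLE" list 2>/dev/null | awk '{ sub(/\/32$/, "", $1); print $1 }'
}

# refresh_table HOST: resolve HOST and apply the difference to the table.
# With DRY_RUN set, the commands are printed instead of executed.
# An empty resolution (DNS outage, typo) leaves the table alone rather than
# emptying it, so a lookup failure cannot silently unblock the site.
refresh_table() {
    host="$1"
    resolved=$(dig +noall +answer "$host" A | extract_a_records)
    if [ -z "$resolved" ]; then
        echo "refresh_table: no A records for $host, table $TABLE left unchanged" >&2
        return 1
    fi
    table_sync_cmds "$TABLE" "$(current_table_ips)" "$resolved" |
    while read -r cmd; do
        if [ -n "${DRY_RUN:-}" ]; then echo "$cmd"; else $cmd; fi
    done
}

# Usage:  sh sync_table.sh refresh www.example.com
#         DRY_RUN=1 sh sync_table.sh refresh www.example.com
#         sh sync_table.sh demo        (offline: diffs a stale table against SAMPLE_DIG)
case "${1:-}" in
    refresh) refresh_table "$2" ;;
    demo)    table_sync_cmds "$TABLE" "192.0.2.10
198.51.100.5" "$(printf '%s\n' "$SAMPLE_DIG" | extract_a_records)" ;;
esac
```

Run it from cron at roughly the record TTL. Two caveats follow from Ian's point about many addresses: the script only ever sees the answers your resolver hands out at that moment, so a client that cached a different address is not covered until that address shows up in a later lookup, and any address that is shared by several services (CDN or provider proxy) gets blocked for all of them.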