From: Jeremy Chadwick
To: Max Laier
Cc: freebsd-pf@freebsd.org
Date: Thu, 17 Jul 2008 08:19:02 -0700
Subject: Re: New pf install on Freebsd7 seem to be a slow starter.
Message-ID: <20080717151902.GA79577@eos.sc1.parodius.com>
In-Reply-To: <200807171711.51208.max@love2party.net>

On Thu, Jul 17, 2008 at 05:11:50PM +0200, Max Laier wrote:
> On Thursday 17 July 2008 15:28:49 CZUCZY Gergely wrote:
> > On Thu, 17 Jul 2008 09:13:03 -0400
> > "Glen Barber" wrote:
> > > On Thu, Jul 17, 2008 at 9:00 AM, Glen Barber wrote:
> > > > I was under the assumption the OP runs his own DNS server, as that
> > > > is how my machine was set up.
> > >
> > > Another reason I thought about 'why' the OP used tables - aren't PF
> > > tables evaluated at boot, and macros evaluated when they are called?
> > > I think the latter negates the need for resolving at boot. Please
> > > correct me if I am wrong.
> >
> > Macros are evaluated at pfctl-time. That means, parse-time. Tables are
> > evaluated at runtime (that means, when a lookup is in progress).
>
> DNS lookups are always performed in userland at pfctl-time. It does not
> matter if you put your hostnames into a macro, table or rule directly -
> it will always be looked up by pfctl before even loading the rule/table
> into the kernel.
>
> If you really want to trust DNS lookups to influence your firewall rules
> (3 weeks till doomsday - is your resolver patched?!?) you should add an
> rc.d that depends on NETWORKING (or hook something up to ppp.linkup, or
> wherever else you can be sure that your resolver is working) and fill a
> predefined table from that script. i.e. "pfctl -t mytable -T add
> foo.bar.local"

Which induces another question (probably answered in a post a few weeks
ago, knowing my luck):

Does pf(4) use gethostbyname()? If so, the OP should be able to add
entries of said FQDNs to /etc/hosts to avoid doing actual recursive DNS
lookups.

(I'm curious about this myself, since we have some pf.conf rules which
refer to IPs bound to our servers, and I've always wanted to switch them
over to FQDNs that are listed in /etc/hosts...)

-- 
| Jeremy Chadwick                                  jdc at parodius.com |
| Parodius Networking                         http://www.parodius.com/ |
| UNIX Systems Administrator                    Mountain View, CA, USA |
| Making life hard for others since 1977.                PGP: 4BD6C0CB |
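The rc.d approach Max describes, written out as an added example that is not part of the thread: a FreeBSD rc.d script that runs after NETWORKING and pf, then fills a predefined table with `pfctl -t ... -T add`. The table name `mytable` and host `foo.bar.local` are taken from his message; the script name `pftables_dns`, the `pftables_dns_enable` rc.conf knob and the `persist` table declaration in pf.conf are assumptions.

```shell
#!/bin/sh
#
# PROVIDE: pftables_dns
# REQUIRE: NETWORKING pf
#
# Populate a predefined pf table from hostnames only once the network
# (and therefore the resolver) is up, instead of resolving at pf.conf
# load time. pf.conf must declare the table so it survives empty:
#     table <mytable> persist
# Enable with pftables_dns_enable="YES" in /etc/rc.conf. Names below are
# placeholders for illustration.

pftables_dns_table="mytable"
pftables_dns_hosts="foo.bar.local"        # space-separated FQDNs

# Emit one pfctl command per hostname (kept separate from execution so a
# single failed lookup does not abort the others, and so it can be tested).
# pfctl resolves each name itself through the libc resolver, so entries in
# /etc/hosts are used as /etc/nsswitch.conf dictates.
pftables_dns_cmds() {
    _table="$1"; shift
    for _h in "$@"; do
        printf 'pfctl -t %s -T add %s\n' "$_table" "$_h"
    done
}

pftables_dns_start() {
    # $pftables_dns_hosts is deliberately unquoted to split on spaces.
    pftables_dns_cmds "$pftables_dns_table" $pftables_dns_hosts | sh
}

pftables_dns_stop() {
    pfctl -t "$pftables_dns_table" -T flush
}

# rc(8) integration: only reached when invoked with start/stop on FreeBSD.
if [ $# -gt 0 ] && [ -r /etc/rc.subr ]; then
    . /etc/rc.subr
    name="pftables_dns"
    rcvar="pftables_dns_enable"
    start_cmd="pftables_dns_start"
    stop_cmd="pftables_dns_stop"
    load_rc_config "$name"
    run_rc_command "$1"
fi
```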