Date: Wed, 15 Jun 2016 11:11:54 +0300
From: atar <atar.yosef@gmail.com>
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: Re: Filter connections based on the hostname.
Message-ID: <BBBBB2E1-D5E9-4AF4-A5C1-3E969248F0FF@gmail.com>
In-Reply-To: <576055AC.9020605@quip.cz>
References: <5858A82C-FB66-4D67-A676-47EABED976CE@gmail.com> <57600481.6080204@quip.cz> <08195C33-DC97-4ADD-9C0A-D9493E2C29F7@gmail.com> <57602DEC.6080201@quip.cz> <969F8F1C-E992-4F47-89F9-759FD8CE2B91@gmail.com> <576055AC.9020605@quip.cz>
> atar wrote on 06/14/2016 20:29:
>>> atar wrote on 06/14/2016 16:05:
>>>>> atar wrote on 06/14/2016 14:52:
>>>
>>> [...]
>>>
>>>>>> The hostname "google.com" isn't blocked since its current IP differs from its previous IP when pf loaded the rule. What can I do in order to be able to block such sites (with many IP addresses)?
>>>>>
>>>>> I would use tables and populate them periodically from a shell script which can do FQDN to many IPs resolution.
>>>>>
>>>>> It can be as simple as this
>>>>>
>>>>> host yahoo.com | awk '$0 ~ /has address/ { print $4 }' > /var/run/pf.yahoo_table
>>>>> pfctl -t yahoo_table -T replace -f /var/run/pf.yahoo_table
>>>>>
>>>>> I am sure you will find a better solution :)
>>>>>
>>>>> Miroslav Lachman
>>>> Thanks for your answer, it is an interesting idea.
>>>>
>>>> However, doesn't this method of periodically updating the pf tables disturb or burden the performance of the pf filter engine, especially if the script that updates the tables runs too often?
>>>
>>>
>>> How often is "too often"?
>>> I think that updating the tables every 5 minutes is enough (no one uses a shorter TTL for DNS entries).
>>> The nicest thing about PF tables is that you don't need to reload PF, and tables can live in memory (no need for a persistent file on the filesystem), so all operations are really quick.
>>> Our PF firewalls are using tables with thousands of entries without any issues.
>>> I don't see any trouble even if you update the tables each minute.
>>>
>>> Miroslav Lachman
>>
>> Thanks again for replying.
>>
>> I don't know why, but even a refresh rate of one minute isn't enough for the domains google.com or gmail.com.
>>
>> Even immediately after I load the table which has the rule to block the above mentioned domains I am still able to access those domains. Sometimes it is indeed blocked for half a minute, but finally the chromium browser succeeds in loading them.
>>
>> Do you have any idea?
>
> I am not sure, but it can have something to do with keep-state.
>
> If you have PF disabled, then start it, populate the table and then make the first connection attempt (there should be no states), are you still able to connect for half a minute?
>
> You can check tables by: pfctl -vv -s Tables
>
> and check states by: pfctl -vv -s state
>
> Miroslav Lachman

Hi there,

I've tried your advice, but pf reports an error which says that keep state doesn't make sense on block rules.
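A fuller version of the table-refresh script discussed in the thread, added here as an example (it is not code from the thread or from the pf project): it keeps both A and AAAA answers, refuses to load an empty list when resolution fails, and after replacing the table kills any states already open to the listed addresses, which is the gap the keep-state discussion above points at (a block rule is only consulted for new connections). The table name, hostnames, list-file path and the constructed `host` output are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Resolve hostnames into a pf table
# with "pfctl -T replace", then drop existing states to those addresses so a
# "block ... to <table>" rule also stops connections opened before this run.
# Assumptions: table name, hostnames and list-file path below; run from cron.

TABLE="blocked_hosts"
HOSTS="google.com gmail.com"
LISTFILE="/var/run/pf.${TABLE}"

# Keep only A/AAAA answers from host(1) output on stdin; the address is the
# last field. Matching the full phrase skips "mail is handled by" lines.
extract_addresses() {
    awk '/ has address / || / has IPv6 address / { print $NF }' | sort -u
}

# Resolve every name; a name that fails to resolve simply contributes nothing.
resolve_all() {
    for h in "$@"; do
        host "$h" 2>/dev/null
    done | extract_addresses
}

# Replace the table atomically, then kill states from any source to each
# address (0.0.0.0/0 or ::/0 as the first -k argument means "any source").
update_table() {
    resolve_all "$@" > "${LISTFILE}.tmp" || return 1
    if [ ! -s "${LISTFILE}.tmp" ]; then      # never load an empty table on a DNS outage
        rm -f "${LISTFILE}.tmp"; return 1
    fi
    mv "${LISTFILE}.tmp" "$LISTFILE"
    pfctl -t "$TABLE" -T replace -f "$LISTFILE" || return 1
    while read -r ip; do
        case "$ip" in
            *:*) pfctl -k ::/0 -k "$ip" >/dev/null 2>&1 ;;
            *)   pfctl -k 0.0.0.0/0 -k "$ip" >/dev/null 2>&1 ;;
        esac
    done < "$LISTFILE"
}

# Constructed host(1) output, so the parser can be checked without network.
SAMPLE='example.com has address 192.0.2.10
example.com has address 192.0.2.11
example.com has IPv6 address 2001:db8::1
example.com mail is handled by 10 mail.example.com.'

# Parsed sample addresses joined by single spaces, e.g. for a quick check.
parse_sample() {
    printf '%s\n' "$SAMPLE" | extract_addresses | awk '{ printf "%s%s", (NR > 1 ? " " : ""), $0 }'
}

if [ "${1:-}" = "--apply" ]; then
    update_table $HOSTS
fi
```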