Date: Thu, 17 Jul 2008 17:28:04 +0200
From: Max Laier <max@love2party.net>
To: Jeremy Chadwick <koitsu@freebsd.org>
Cc: freebsd-pf@freebsd.org
Subject: Re: New pf install on Freebsd7 seem to be a slow starter.
Message-ID: <200807171728.04369.max@love2party.net>
In-Reply-To: <20080717151902.GA79577@eos.sc1.parodius.com>
References: <48750381.1030004@eskk.nu> <200807171711.51208.max@love2party.net> <20080717151902.GA79577@eos.sc1.parodius.com>
On Thursday 17 July 2008 17:19:02 Jeremy Chadwick wrote:
> On Thu, Jul 17, 2008 at 05:11:50PM +0200, Max Laier wrote:
> > On Thursday 17 July 2008 15:28:49 CZUCZY Gergely wrote:
> > > On Thu, 17 Jul 2008 09:13:03 -0400
> > > "Glen Barber" <glen.j.barber@gmail.com> wrote:
> > > > On Thu, Jul 17, 2008 at 9:00 AM, Glen Barber <glen.j.barber@gmail.com> wrote:
> > > > > I was under the assumption the OP runs his own DNS server, as that is how my machine was set up.
> > > >
> > > > Another reason I thought about 'why' the OP used tables - aren't PF tables evaluated at boot, and macros evaluated when they are called? I think the latter negates the need for resolving at boot. Please correct me if I am wrong.
> > >
> > > Macros are evaluated at pfctl-time. That means, parse-time. Tables are evaluated at runtime (that means, when a lookup is in progress).
> >
> > DNS lookups are always performed in userland at pfctl-time. It does not matter if you put your hostnames into a macro, table or rule directly - it will always be looked up by pfctl before even loading the rule/table into the kernel.
> >
> > If you really want to trust DNS lookups to influence your firewall rules (3 weeks till doomsday - is your resolver patched?!?) you should add an rc.d that depends on NETWORKING (or hook something up to ppp.linkup, or wherever else you can be sure that your resolver is working) and fill a predefined table from that script. i.e. "pfctl -t mytable -T add foo.bar.local"
>
> Which induces another question (probably answered in a post a few weeks ago, knowing my luck):
>
> Does pf(4) use gethostbyname()? If so, the OP should be able to add entries of said FQDNs to /etc/hosts to avoid doing actual recursive DNS lookups.
> (I'm curious about this myself, since we have some pf.conf rules which refer to IPs bound to our servers, and I've always wanted to switch them over to FQDNs that are listed in /etc/hosts...)

gethostbyname(3), but that should - iirc - also tie into /etc/hosts if your nsswitch.conf points there.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
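One way to combine the two suggestions in the thread (a script that fills a predefined table once the resolver is usable, with the names resolved from /etc/hosts rather than by pfctl at parse time), as an added example that is not code from the thread or from the pf project. It assumes pf.conf declares `table <mytable> persist` and that `populate_table` is called from an rc.d script ordered after NETWORKING; the table name, host names and addresses used in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: populate a predefined pf table from a
# script run after networking is up, so no name is looked up by pfctl at
# parse time. Names are resolved from a hosts(5)-format file (assumed to be
# /etc/hosts in production), which is the /etc/hosts approach asked about
# above. pf.conf is assumed to declare:  table <mytable> persist
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"

# Print every address HOSTS_FILE maps to NAME (exact match on any alias,
# comments stripped). Empty output means the name is unknown locally.
resolve_from_hosts() {
    name="$1"
    while read -r line; do
        line="${line%%#*}"          # drop comments
        set -- $line                # split into address and aliases
        [ $# -ge 2 ] || continue
        addr="$1"; shift
        for alias in "$@"; do
            if [ "$alias" = "$name" ]; then echo "$addr"; break; fi
        done
    done < "$HOSTS_FILE"
}

# Emit one "pfctl -t TABLE -T add ADDR" line per resolved address.
# Names missing from the file are reported on stderr and skipped, so
# one stale entry cannot abort the script and leave the table empty.
build_add_cmds() {
    table="$1"; shift
    for name in "$@"; do
        addrs=$(resolve_from_hosts "$name")
        if [ -z "$addrs" ]; then
            echo "warning: $name not in $HOSTS_FILE, skipped" >&2
            continue
        fi
        for a in $addrs; do
            printf 'pfctl -t %s -T add %s\n' "$table" "$a"
        done
    done
}

# Execute the generated commands, or only print them when DRY_RUN=1.
# Usage from an rc.d script (after NETWORKING): populate_table mytable host1 host2
populate_table() {
    build_add_cmds "$@" | while read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; else eval "$cmd"; fi
    done
}
```

Run it with `DRY_RUN=1` first to confirm the generated `pfctl -t ... -T add` lines match what you expect before letting it touch the live table.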