From: Max Laier
Organization: FreeBSD
To: Jeremy Chadwick
Cc: freebsd-pf@freebsd.org
Date: Thu, 17 Jul 2008 17:28:04 +0200
Subject: Re: New pf install on Freebsd7 seem to be a slow starter.
Message-Id: <200807171728.04369.max@love2party.net>
In-Reply-To: <20080717151902.GA79577@eos.sc1.parodius.com>
References: <48750381.1030004@eskk.nu> <200807171711.51208.max@love2party.net> <20080717151902.GA79577@eos.sc1.parodius.com>
On Thursday 17 July 2008 17:19:02 Jeremy Chadwick wrote:
> On Thu, Jul 17, 2008 at 05:11:50PM +0200, Max Laier wrote:
> > On Thursday 17 July 2008 15:28:49 CZUCZY Gergely wrote:
> > > On Thu, 17 Jul 2008 09:13:03 -0400
> > > "Glen Barber" wrote:
> > > > On Thu, Jul 17, 2008 at 9:00 AM, Glen Barber wrote:
> > > > > I was under the assumption the OP runs his own DNS server, as
> > > > > that is how my machine was set up.
> > > >
> > > > Another reason I thought about 'why' the OP used tables - aren't
> > > > PF tables evaluated at boot, and macros evaluated when they are
> > > > called? I think the latter negates the need for resolving at
> > > > boot. Please correct me if I am wrong.
> > >
> > > Macros are evaluated at pfctl-time. That means, parse-time. Tables
> > > are evaluated at runtime (that means, when a lookup is in
> > > progress).
> >
> > DNS lookups are always performed in userland at pfctl-time. It does
> > not matter if you put your hostnames into a macro, table or rule
> > directly - it will always be looked up by pfctl before even loading
> > the rule/table into the kernel.
> >
> > If you really want to trust DNS lookups to influence your firewall
> > rules (3 weeks till doomsday - is your resolver patched?!?) you
> > should add an rc.d that depends on NETWORKING (or hook something up
> > to ppp.linkup, or wherever else you can be sure that your resolver is
> > working) and fill a predefined table from that script. i.e. "pfctl -t
> > mytable -T add foo.bar.local"
>
> Which induces another question (probably answered in a post a few weeks
> ago, knowing my luck):
>
> Does pf(4) use gethostbyname()? If so, the OP should be able to add
> entries of said FQDNs to /etc/hosts to avoid doing actual recursive DNS
> lookups. (I'm curious about this myself, since we have some pf.conf
> rules which refer to IPs bound to our servers, and I've always wanted
> to switch them over to FQDNs that are listed in /etc/hosts...)

gethostbyname(3), but that should - iirc - also tie into /etc/hosts if
your nsswitch.conf points there.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
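As an added example (not code from the thread, and not part of pf or FreeBSD's rc.d), this is the resolving-and-loading part of the script Max describes: names are resolved through the libc resolver after the network is up and pushed into a table that pf.conf already declares. The table name, the hostnames and the getent/awk helper are my assumptions; the rc.subr scaffolding around it is omitted.

```shell
#!/bin/sh
# Added example, not code from the thread or from pf itself: the part of an
# rc.d script (REQUIRE: NETWORKING pf) that fills a pre-declared table once
# the resolver is usable. pf.conf is assumed to contain:
#     table <dns_hosts> persist
# Table name and hostnames are constructed placeholders.

TABLE="${TABLE:-dns_hosts}"
HOSTS="${HOSTS:-foo.bar.local baz.bar.local}"
PFCTL="${PFCTL:-pfctl}"             # overridable for a dry run
RESOLVE="${RESOLVE:-resolve_host}"  # overridable for testing

# Resolve one name through the libc resolver. getent(1) goes through
# nsswitch.conf, so entries in /etc/hosts are honoured, just as with
# gethostbyname(3) in pfctl itself. Prints one address per line.
resolve_host() {
    getent hosts "$1" | awk '{ print $1 }'
}

# Print the addresses of every name in HOSTS. Fails (exit 1) if any
# name did not resolve, so the caller can retry later instead of
# loading a table that silently lacks some hosts.
collect_addrs() {
    rc=0
    for h in $HOSTS; do
        addrs=$($RESOLVE "$h")
        if [ -z "$addrs" ]; then
            echo "warning: $h did not resolve" >&2
            rc=1
            continue
        fi
        echo "$addrs"
    done
    return $rc
}

# Atomically replace the table contents with the resolved set; stale
# addresses from a previous run are dropped by "-T replace".
fill_table() {
    addrs=$(collect_addrs) || return 1
    # shellcheck disable=SC2086  # word-splitting the address list is wanted
    $PFCTL -q -t "$TABLE" -T replace $addrs
}

# Run directly: "sh pf_dns_table.sh run"
if [ "${1:-}" = "run" ]; then
    fill_table && echo "table <$TABLE> loaded from: $HOSTS"
fi
```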