Subject: Re: Filter connections based on the hostname.
From: atar
Date: Wed, 15 Jun 2016 14:28:56 +0300
To: Gary Palmer
Cc: freebsd-pf@freebsd.org, Miroslav Lachman <000.fbsd@quip.cz>
In-Reply-To: <20160614202243.GA81528@in-addr.com>
Message-Id: <9B910AFC-8E2F-44CF-B7A0-C241FDDAB4A9@gmail.com>

> On Tue, Jun 14, 2016 at 09:29:33PM +0300, atar wrote:
>>> atar wrote on 06/14/2016 16:05:
>>>>> atar wrote on 06/14/2016 14:52:
>>>
>>> [...]
>>>
>>>>>> The hostname "google.com" isn't blocked since its current IP differs from its previous IP when pf loaded the rule. What can I do in order to be able to block such sites (with many IP addresses)?
>>>>>
>>>>> I would use tables and populate them periodically from a shell script which can do FQDN to many IPs resolution.
>>>>>
>>>>> It can be as simple as this
>>>>>
>>>>> host yahoo.com | awk '$0 ~ /has address/ { print $4 }' > /var/run/pf.yahoo_table
>>>>> pfctl -t yahoo_table -T replace -f /var/run/pf.yahoo_table
>>>>>
>>>>> I am sure you will find a better solution :)
>>>>>
>>>>> Miroslav Lachman
>>>> Thanks for your answer, it is an interesting idea.
>>>>
>>>> However, does this method of periodically updating the pf tables not disturb or burden the performance of the pf filter engine, especially if the script that updates the tables runs too often?
>>>
>>>
>>> How often is "too often"?
>>> I think that updating the tables every 5 minutes is enough (no one uses a shorter TTL for DNS entries).
>>> The nicest thing about PF tables is you don't need to reload PF, and tables can live in memory (no need for a persistent file on the filesystem), so all operations are really quick.
>>> Our PF firewalls are using tables with thousands of entries without any issues.
>>> I don't see any trouble even if you update the tables each minute.
>>>
>>> Miroslav Lachman
>>
>> Thanks again for replying.
>>
>> I don't know why, but even a refresh rate of one minute isn't enough for the domains google.com or gmail.com.
>>
>> Even immediately after I load the table which has the rule to block the above mentioned domains I am still able to access those domains. Sometimes it is indeed blocked for half a minute, but finally the Chromium browser succeeds in loading them.
>
> If you are looking at blocking HTTP traffic the only way I am aware to
> effectively block that without jumping through a lot of hoops is to
> use something like squid which can block based on domain, no matter what
> the current IP address returned from DNS is. You can use PF to
> transparently proxy traffic exiting your gateway to squid so there
> is no need to worry about proxy settings in the browser(s).
>
>
> www.google.com DNS TTLs are 5 minutes so you shouldn't have to worry
> about the IP changing in less than a minute UNLESS your PF firewall
> and your browser use different DNS servers and could therefore get
> different answers.
>
> Regards,
>
> Gary

Hi Gary and thanks for replying.

After some searching I've found this page: https://doc.pfsense.org/index.php/Blocking_websites which says similar things to what you said, especially on hostnames that have a wide range of IPs.

Thank you, men, for your kind support!

Atar.
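An added example (not code from anyone in this thread) that turns Miroslav's two-liner into a refresh script with the checks a practitioner would want: it keeps both A and AAAA records, drops alias, MX and error text before anything reaches the table, and refuses to replace the table with an empty result when resolution fails. The table name blocked_hosts, the pf.conf lines in the comments, and the sample host(1) output are assumptions.

```sh
#!/bin/sh
# Refresh a pf table with the current A/AAAA records of a hostname list.
# Added example, not code from the thread. Assumes pf.conf declares
#   table <blocked_hosts> persist
#   block return quick proto tcp from any to <blocked_hosts> port { 80 443 }
# and that this runs on the firewall against the same resolver the clients
# use, so the firewall and the browsers see the same DNS answers.

# stdin: raw host(1) output; stdout: sorted, de-duplicated addresses only.
# Lines other than "has address" / "has IPv6 address" (aliases, MX records,
# NXDOMAIN text) are dropped, and a final pattern check keeps anything that
# is not shaped like an address out of the table.
parse_host_output() {
    awk '/ has (IPv6 )?address /{ print $NF }' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9a-fA-F:]+$' \
    | sort -u
}

# Resolve every hostname given as an argument; errors are silenced so one
# failing name does not abort the whole refresh.
resolve_hosts() {
    for h in "$@"; do host "$h" 2>/dev/null; done | parse_host_output
}

# Replace the table in one pfctl call; refuse to apply an empty result so a
# resolver outage never silently turns the block list into an empty table.
update_table() {
    table=$1; shift
    tmp=$(mktemp) || return 1
    resolve_hosts "$@" > "$tmp"
    if [ ! -s "$tmp" ]; then
        echo "no addresses resolved for $*; keeping previous table" >&2
        rm -f "$tmp"; return 1
    fi
    pfctl -t "$table" -T replace -f "$tmp"; rc=$?
    rm -f "$tmp"; return "$rc"
}

# Constructed sample of host(1) output (documentation address ranges) to
# show what the parser keeps and drops without needing DNS.
SAMPLE_HOST_OUTPUT='www.example.com is an alias for example.com.
example.com has address 192.0.2.10
example.com has address 192.0.2.11
example.com has IPv6 address 2001:db8::10
example.com mail is handled by 10 mail.example.com.
example.com has address 192.0.2.10'

demo_parse() { printf '%s\n' "$SAMPLE_HOST_OUTPUT" | parse_host_output; }

# Run from cron every 5 minutes (matching the 5-minute TTLs Gary mentions):
# update_table blocked_hosts google.com gmail.com
```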