From: Miroslav Lachman <000.fbsd@quip.cz>
To: atar, freebsd-pf@freebsd.org
Date: Tue, 14 Jun 2016 15:20:01 +0200
Subject: Re: Filter connections based on the hostname.
Message-ID: <57600481.6080204@quip.cz>
In-Reply-To: <5858A82C-FB66-4D67-A676-47EABED976CE@gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

atar wrote on 06/14/2016 14:52:
> Hi there,
>
> In the pf.conf man page, it is stated that it's possible to write a hostname inside a rule instead of an IP address, and the resolver will take care of converting the hostname into its IP address when the pf process loads its configuration file.
>
> The problem arises when a particular hostname has many IP addresses, as in the case of "google.com", "gmail.com" etc., and the IP address that "google.com" - for instance - resolves to now (at the time the user navigates his Internet browser to "google.com") isn't in the list of IP addresses that the resolver put into the rule when the pf configuration file was loaded.
>
> Now assuming that I have created a rule that looks something like this:
>
> 'block from any to "google.com"'
>
> The hostname "google.com" isn't blocked, since its current IP differs from its previous IP from when pf loaded the rule. What can I do in order to be able to block such sites (with many IP addresses)?

I would use tables and populate them periodically from a shell script which can do FQDN to many IPs resolution. It can be as simple as this:

host yahoo.com | awk '$0 ~ /has address/ { print $4 }' > /var/run/pf.yahoo_table
pfctl -t yahoo_table -T replace -f /var/run/pf.yahoo_table

I am sure you will find a better solution :)

Miroslav Lachman
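A fuller version of the table-refresh approach from the reply above, added here as an example and not code from the original thread. It assumes a pf.conf that declares the table with `persist` and blocks traffic to it (the table name `blocked_hosts`, the hostname list, the file path and the cron schedule are all assumptions), resolves both A and AAAA records, refuses to replace the table with an empty set when DNS fails, and swaps the new set in with `pfctl -T replace`. The `host` output embedded in the block is constructed sample data so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original thread): refresh a pf table from DNS
# names on a schedule, e.g. from cron every few minutes.
# Assumed pf.conf (table name and rule are hypothetical):
#   table <blocked_hosts> persist
#   block drop quick from any to <blocked_hosts>
# "persist" keeps the table defined even while it is empty, so
# "pfctl -T replace" always has a table to replace.
set -eu

TABLE="blocked_hosts"
NAMES="google.com gmail.com"          # hostnames to block (assumed list)
OUT="/var/run/pf.${TABLE}"            # file holding the last good address set

# parse_host_output: read host(1) output on stdin, print one address per line.
# Unlike the awk one-liner in the reply, this also takes "has IPv6 address"
# (AAAA) lines; MX, CNAME and "not found" lines are ignored.
parse_host_output() {
    awk '/ has address /      { print $4 }
         / has IPv6 address / { print $5 }'
}

# resolve_names: resolve every name given as an argument and print the
# de-duplicated address set. A name that fails to resolve is skipped
# rather than aborting the whole run.
resolve_names() {
    for name in "$@"; do
        host "$name" 2>/dev/null || true
    done | parse_host_output | sort -u
}

# refresh_table: resolve, write the set to a temp file, rename it into place
# and swap it into pf. If resolution returned nothing (DNS outage), keep the
# previous table rather than replacing it with an empty one, which would
# silently unblock everything.
refresh_table() {
    tmp="$(mktemp "${OUT}.XXXXXX")"
    # shellcheck disable=SC2086  # NAMES is intentionally word-split
    resolve_names $NAMES > "$tmp"
    if [ ! -s "$tmp" ]; then
        echo "$0: no addresses resolved, keeping existing table" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$OUT"
    # -T replace swaps the whole table, so addresses that dropped out of DNS
    # are removed as well as new ones being added.
    pfctl -t "$TABLE" -T replace -f "$OUT"
}

# Constructed sample of host(1) output (addresses are made up) used to
# exercise the parser without network access or root.
SAMPLE_HOST_OUTPUT='google.com has address 142.250.74.46
google.com has IPv6 address 2a00:1450:4001:82a::200e
google.com mail is handled by 10 smtp.google.com.
Host nosuch.example not found: 3(NXDOMAIN)'

# parse_sample: run the parser over the constructed sample; prints the two
# addresses and drops the MX and NXDOMAIN lines.
parse_sample() {
    printf '%s\n' "$SAMPLE_HOST_OUTPUT" | parse_host_output
}

# Run the live refresh only when asked ("refresh" argument), so the script
# can be sourced or run without touching pf; otherwise show the parser.
case "${1:-}" in
    refresh) refresh_table ;;
    *)       parse_sample ;;
esac
```

Run it as root from cron, e.g. `*/5 * * * * /usr/local/sbin/pf_refresh.sh refresh`. Two things to check in practice: the firewall resolves names through its own resolver, so the set it builds can differ from what a client behind it receives (different CDN nodes, different TTL timing), and the table only ever contains what DNS returned at refresh time, so this blocks most but not necessarily all paths to a large multi-address service.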