Date: Tue, 6 May 2008 03:06:58 -0700
From: Jeremy Chadwick <koitsu@freebsd.org>
To: Vitaliy Vladimirovich <artemrts@ukr.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: dst_addr and subdomains
Message-ID: <20080506100658.GA3813@eos.sc1.parodius.com>
In-Reply-To: <E1JtJlc-000OA8-CH@ffe10.ukr.net>
References: <E1JtJlc-000OA8-CH@ffe10.ukr.net>

On Tue, May 06, 2008 at 12:47:24PM +0300, Vitaliy Vladimirovich wrote:
> Hi!
> How can I specify dst_addr in my rule for all subdomains of server. E.g. example1.server.com, example2.server.com and so on.
>
> Something like this:
>
> pass out on sk0 inet proto tcp from $MY_LAN to *.example.org port www

What you want is basically a layer 7 filter -- pf does not do that.

If all the machines within *.example.org are within a specific network block (e.g. 20.30.40.0/24), then you can use that CIDR netblock instead of *.example.org in your above example. But you cannot use wildcards for domains. All hostnames given as a dst/src address will be resolved first.

--
| Jeremy Chadwick                          jdc at parodius.com |
| Parodius Networking                  http://www.parodius.com/ |
| UNIX Systems Administrator            Mountain View, CA, USA |
| Making life hard for others since 1977.        PGP: 4BD6C0CB |
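
The CIDR approach described in the reply, written out as a pf.conf fragment. This is an added example, not part of the original message; the $MY_LAN value, the table name <example_org> and the commented-out host entry are assumptions made for illustration, while sk0 and 20.30.40.0/24 are the values used in the thread.

```conf
# Added example: pf.conf fragment (assumed values are marked).
MY_LAN = "192.168.1.0/24"        # assumption: the internal network

# Not accepted by pf: a wildcard is not a valid destination address.
# pass out on sk0 inet proto tcp from $MY_LAN to *.example.org port www

# A table holds the netblock(s) the servers live in. More blocks can be
# added later without touching the rule that references the table.
table <example_org> persist { 20.30.40.0/24 }

# A hostname may also be listed in the table, but it is resolved once,
# when the ruleset is loaded. pf then filters on the resulting addresses
# only, so later DNS changes are not seen until the next reload.
# table <example_org> persist { 20.30.40.0/24, www.example.org }

# The rule matches on destination address, never on the name requested.
pass out on sk0 inet proto tcp from $MY_LAN to <example_org> port www
```

The fragment can be syntax-checked without loading it by running pfctl -nf on the file.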