Date: Thu, 16 Jun 2016 10:15:40 +0300
From: atar <atar.yosef@gmail.com>
To: Gary Palmer <gpalmer@freebsd.org>
Cc: Miroslav Lachman <000.fbsd@quip.cz>, "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: Re: Filter connections based on the hostname.
Message-ID: <545E509D-7851-4D1E-9547-2B20D36DD04E@gmail.com>
In-Reply-To: <20160614202243.GA81528@in-addr.com>
References: <5858A82C-FB66-4D67-A676-47EABED976CE@gmail.com> <57600481.6080204@quip.cz> <08195C33-DC97-4ADD-9C0A-D9493E2C29F7@gmail.com> <57602DEC.6080201@quip.cz> <969F8F1C-E992-4F47-89F9-759FD8CE2B91@gmail.com> <20160614202243.GA81528@in-addr.com>
> On Tue, Jun 14, 2016 at 09:29:33PM +0300, atar wrote:
>>> atar wrote on 06/14/2016 16:05:
>>>>> atar wrote on 06/14/2016 14:52:
>>>
>>> [...]
>>>
>>>>>> The hostname "google.com" isn't blocked since its current IP differs from its previous IP when pf loaded the rule. What can I do in order to be able to block such sites (with many IP addresses)?
>>>>>
>>>>> I would use tables and populate them periodically from a shell script which can do FQDN to many-IPs resolution.
>>>>>
>>>>> It can be as simple as this:
>>>>>
>>>>> host yahoo.com | awk '$0 ~ /has address/ { print $4 }' > /var/run/pf.yahoo_table
>>>>> pfctl -t yahoo_table -T replace -f /var/run/pf.yahoo_table
>>>>>
>>>>> I am sure you will find a better solution :)
>>>>>
>>>>> Miroslav Lachman
>>>>
>>>> Thanks for your answer, it is an interesting idea.
>>>>
>>>> However, does this method of periodically updating the pf tables not disturb or burden the performance of the pf filter engine, especially if the script that updates the tables runs too often?
>>>
>>> How often is "too often"?
>>> I think that updating the tables every 5 minutes is enough (no one uses a shorter TTL for DNS entries).
>>> The nicest thing about PF tables is you don't need to reload PF, and tables can live in memory (no need for a persistent file on the filesystem), so all operations are really quick.
>>> Our PF firewalls use tables with thousands of entries without any issues.
>>> I don't see any trouble even if you update the tables every minute.
>>>
>>> Miroslav Lachman
>>
>> Thanks again for replying.
>>
>> I don't know why, but even a refresh rate of one minute isn't enough for the domains google.com or gmail.com.
>>
>> Even immediately after I load the table which has the rule to block the above-mentioned domains, I am still able to access those domains. Sometimes it is indeed blocked for half a minute, but finally the Chromium browser succeeds in loading them.
>
> If you are looking at blocking HTTP traffic, the only way I am aware of to
> effectively block that without jumping through a lot of hoops is to
> use something like squid, which can block based on domain no matter what
> the current IP address returned from DNS is. You can use PF to
> transparently proxy traffic exiting your gateway to squid, so there
> is no need to worry about proxy settings in the browser(s).
>
> www.google.com DNS TTLs are 5 minutes, so you shouldn't have to worry
> about the IP changing in less than a minute UNLESS your PF firewall
> and your browser use different DNS servers and could therefore get
> different answers.
>
> Regards,
>
> Gary

Can you give me any hint on how to cause PF to redirect all the traffic through the squid proxy? I'm pretty new to them both (PF and squid).

Regards,
Atar.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?545E509D-7851-4D1E-9547-2B20D36DD04E>
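The table-refresh approach Miroslav sketched above, worked out as a cron-able script. This is an added example, not code from the thread or from the FreeBSD project. It assumes a table declared in pf.conf as `table <blocked> persist` and used by a rule such as `block out quick to <blocked>`, a domain list at /usr/local/etc/pf.blocklist (one name per line), and that the script is installed as refresh-blocklist.sh; all of those names are assumptions. Unlike the one-liner in the thread it collects IPv6 addresses too (Google and Gmail answer AAAA queries, and a table with only A records leaves the IPv6 path open), resolves several names into one table, and refuses to replace the table with an empty one when resolution fails.

```shell
#!/bin/sh
# Added example (not from the thread): refresh a pf table from DNS so that a
# rule like "block out quick to <blocked>" keeps up with names such as
# google.com that resolve to many, changing, addresses.
# Assumptions (not stated in the thread): the table is named "blocked" and is
# declared in pf.conf as "table <blocked> persist"; the domain list lives in
# /usr/local/etc/pf.blocklist; host(1) and pfctl(8) are on the PATH.

BLOCKLIST=${BLOCKLIST:-/usr/local/etc/pf.blocklist}
TABLE=${TABLE:-blocked}
TABLE_FILE=${TABLE_FILE:-/var/run/pf.$TABLE}

# Extract IPv4 and IPv6 addresses from host(1) output read on stdin.
# host prints "name has address A.B.C.D" and "name has IPv6 address ::1";
# CNAME ("is an alias for"), MX ("mail is handled by") and NXDOMAIN lines
# have a different second or third word and are skipped.
parse_host_output() {
    awk '$2 == "has" && ($3 == "address" || $4 == "address") { print $NF }'
}

# Resolve every name in the list ('#' comments and blank lines allowed) and
# emit a sorted, de-duplicated address list suitable for pfctl -T replace -f.
resolve_blocklist() {
    # $1: path to the domain list
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | while read -r name; do
        # host exits non-zero on NXDOMAIN; skip such names rather than abort
        host "$name" 2>/dev/null || true
    done | parse_host_output | sort -u
}

# Replace the table in one pfctl call. "-T replace" swaps the whole address
# set atomically, so the table is never empty between refreshes. If nothing
# resolved (resolver down, list empty) keep the current table instead.
refresh_table() {
    tmp=$(mktemp "$TABLE_FILE.XXXXXX")
    resolve_blocklist "$BLOCKLIST" > "$tmp"
    if [ ! -s "$tmp" ]; then
        echo "no addresses resolved; keeping the current table" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$TABLE_FILE"
    pfctl -t "$TABLE" -T replace -f "$TABLE_FILE"
}

# Only act when run as the installed script (e.g. from cron every 5 minutes);
# sourcing the file for testing defines the functions without touching pf.
case "$0" in
    */refresh-blocklist.sh|refresh-blocklist.sh) refresh_table ;;
esac
```

Run it from the gateway's crontab (`*/5 * * * * /usr/local/sbin/refresh-blocklist.sh`), matching the 5-minute TTL Gary mentions. The caveat he raises still applies: the script must resolve through the same DNS servers the clients use, or the table will hold a different subset of Google's addresses than the browser connects to. `pfctl -t blocked -T show` lists what the table currently contains, which is the first thing to check when a name is still reachable.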
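For the transparent-proxy setup Gary describes and Atar asks about, the pieces are an `rdr` rule in pf.conf and an intercepting listener in squid.conf. The fragments below are an added example, not configuration from the thread or from the FreeBSD or Squid projects; the interface names, the LAN network, the squid port 3128 and the two blocked domains are assumptions to be replaced with your own values.

```conf
# /etc/pf.conf fragment (added example; interface names and the LAN network
# are assumptions, adjust to your gateway)
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"

# Redirect web traffic arriving from the LAN to squid on the gateway itself.
# "rdr pass" both rewrites the destination and passes the packet in, so no
# separate "pass in" rule is needed for the redirected flow. Only TCP port 80
# is intercepted: plain-text HTTP is what squid can filter by hostname, while
# HTTPS (443) would need TLS interception (ssl-bump), which is out of scope.
# Squid's own fetches leave from the gateway's address on $ext_if and are not
# matched by this rule, so they do not loop back into the proxy.
rdr pass on $int_if inet proto tcp from $lan to any port 80 -> 127.0.0.1 port 3128

# /usr/local/etc/squid/squid.conf fragment
# "intercept" tells squid the client did not know it was talking to a proxy
# (older squid releases spell this option "transparent").
http_port 127.0.0.1:3128 intercept
acl localnet src 192.168.1.0/24
acl blocked_sites dstdomain .google.com .gmail.com
http_access deny blocked_sites
http_access allow localnet
http_access deny all
```

In FreeBSD's pf.conf the `rdr` rule belongs in the translation section, before the filter rules, or `pfctl` will refuse the file; check with `pfctl -nf /etc/pf.conf` before loading. The gateway must forward packets (`gateway_enable="YES"` in rc.conf), and on FreeBSD squid must be built with pf transparent-proxy support and be able to read /dev/pf so it can recover the original destination of the redirected connection. Because squid matches `dstdomain` against the hostname the browser asked for rather than an IP address, the resolver mismatch Gary points out stops mattering for the port-80 traffic this catches.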