Subject: Re: Filter connections based on the hostname.
From: Max <maximos@als.nnov.ru>
To: freebsd-pf@freebsd.org
Date: Thu, 16 Jun 2016 10:44:54 +0300
Message-ID: <5f371d10-49ca-074b-cff2-ffb2d8830941@als.nnov.ru>
In-Reply-To: <545E509D-7851-4D1E-9547-2B20D36DD04E@gmail.com>

Give a try to google :)

site:squid-cache.org pf firewall

On 16.06.2016 10:15, atar wrote:
>> On Tue, Jun 14, 2016 at 09:29:33PM +0300, atar wrote:
>>>> atar wrote on 06/14/2016 16:05:
>>>>>> atar wrote on 06/14/2016 14:52:
>>>> [...]
>>>>
>>>>>>> The hostname "google.com" isn't blocked since its current ip differs from its previous ip when pf has loaded the rule, what can I do in order to be able to block such sites (with many ip addresses)?
>>>>>> I would use tables and populate them periodically from a shell script which can do FQDN to many IPs resolution.
>>>>>>
>>>>>> It can be as simple as this
>>>>>>
>>>>>> host yahoo.com | awk '$0 ~ /has address/ { print $4 }' > /var/run/pf.yahoo_table
>>>>>> pfctl -t yahoo_table -T replace -f /var/run/pf.yahoo_table
>>>>>>
>>>>>> I am sure you will find a better solution :)
>>>>>>
>>>>>> Miroslav Lachman
>>>>> Thanks for your answer, it is an interesting idea.
>>>>>
>>>>> However, doesn't this method of periodically updating the pf tables disturb or burden the performance of the pf filter engine, especially if the script that updates the tables runs too often?
>>>>
>>>> How often is "too often"?
>>>> I think that updating the tables every 5 minutes is enough (no one uses shorter TTL for DNS entries)
>>>> The nicest thing about PF tables is you don't need to reload PF and tables can live in memory (no need for a persistent file on the filesystem), so all operations are really quick.
>>>> Our PF firewalls are using tables with thousands of entries without any issues.
>>>> I don't see any trouble even if you update the tables each minute.
>>>>
>>>> Miroslav Lachman
>>> Thanks again for replying.
>>>
>>> I don't know why, but even a refresh rate of one minute isn't enough for the domains google.com or gmail.com.
>>>
>>> Even immediately after I load the table which has the rule to block the above mentioned domains I am still able to access those domains. Sometimes it is indeed blocked for half a minute but finally the chromium browser succeeds in loading them.
>> If you are looking at blocking HTTP traffic the only way I am aware of to
>> effectively block that without jumping through a lot of hoops is to
>> use something like squid which can block based on domain, no matter what
>> the current IP address returned from DNS is. You can use PF to
>> transparently proxy traffic exiting your gateway to squid so there
>> is no need to worry about proxy settings in the browser(s)
>>
>>
>> www.google.com DNS TTLs are 5 minutes so you shouldn't have to worry
>> about the IP changing in less than a minute UNLESS your PF firewall
>> and your browser use different DNS servers and could therefore get
>> different answers
>>
>> Regards,
>>
>> Gary
> Can you give me any hint how to cause PF to redirect all the traffic through the squid proxy? I'm pretty new to them both (PF and squid).
>
> Regards,
>
> Atar.
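The table-refresh approach Miroslav sketches above, worked out as an added example (not code from anyone in the thread): it resolves several hostnames at once, keeps both A and AAAA records, swaps the pf table from a temporary file, and refuses to install an empty list so that a DNS failure does not silently empty the table and unblock the sites. The table name `blocked_sites`, the hostnames, `PF_TABLE_DIR` and `HOST_CMD` are placeholders chosen here; the matching pf.conf side would be `table <blocked_sites> persist` plus a `block out quick to <blocked_sites>` rule. Per Gary's point, run it on the gateway with the same resolver the clients use, otherwise the table and the browsers see different answers.

```shell
#!/bin/sh
# Added example: keep a pf table in sync with the current DNS answers for a
# list of hostnames. PF_TABLE_DIR and HOST_CMD are assumed knobs, not pf's.
PF_TABLE_DIR=${PF_TABLE_DIR:-/var/run}   # where the temporary table file lives
HOST_CMD=${HOST_CMD:-host}               # resolver producing `host`-style output

# Read `host` output on stdin and print one address per line.
# "x has address A.B.C.D" -> field 4; "x has IPv6 address ..." -> field 5.
# CNAME, MX and "not found" lines do not match and are dropped.
extract_addrs() {
    awk '/ has address / { print $4 }
         / has IPv6 address / { print $5 }' | LC_ALL=C sort -u
}

# Resolve every hostname given as an argument; print the de-duplicated union.
resolve_hosts() {
    for h in "$@"; do
        "$HOST_CMD" "$h" 2>/dev/null
    done | extract_addrs
}

# refresh_table TABLE HOST... : replace TABLE with the addresses of HOST...
# Returns non-zero (and leaves the old table alone) when nothing resolved.
refresh_table() {
    table=$1; shift
    tmp=$(mktemp "$PF_TABLE_DIR/pf.$table.XXXXXX") || return 1
    resolve_hosts "$@" > "$tmp"
    if [ ! -s "$tmp" ]; then
        echo "refresh_table: no addresses resolved for $table, keeping old table" >&2
        rm -f "$tmp"
        return 1
    fi
    # -T replace swaps the whole table without reloading the ruleset.
    pfctl -t "$table" -T replace -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Example cron entry (every 5 minutes, matching the TTLs discussed above):
#   */5 * * * * /usr/local/sbin/refresh-blocked.sh
# with the script ending in:
#   refresh_table blocked_sites google.com www.google.com gmail.com
```

Because `pfctl -T replace` loads the table atomically, in-flight lookups never see a half-written list; the refusal on an empty result is the one check worth adding to the one-liner from the thread, since `-T replace` with an empty file would otherwise clear the table.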