Date:      Tue, 14 Jun 2016 17:05:17 +0300
From:      atar <atar.yosef@gmail.com>
To:        freebsd-pf@freebsd.org
Subject:   Re: Filter connections based on the hostname.
Message-ID:  <08195C33-DC97-4ADD-9C0A-D9493E2C29F7@gmail.com>
In-Reply-To: <57600481.6080204@quip.cz>
References:  <5858A82C-FB66-4D67-A676-47EABED976CE@gmail.com> <57600481.6080204@quip.cz>

> atar wrote on 06/14/2016 14:52:
>> Hi there,
>>
>> In the pf.conf man page, it is stated that it's possible to write inside a rule a hostname instead of an IP address and the resolver will take care of converting the hostname into its IP address when the pf process loads its configuration file.
>>
>> The problem arises when a particular hostname has many IP addresses, as in the case of "google.com", "gmail.com" etc., and the IP address that "google.com" - for instance - is now (at the time that the user navigates his Internet browser to "google.com") resolved to isn't in the list of the IP addresses that the resolver has put in the rule when the pf configuration file was loaded.
>>
>> Now assuming that I have created a rule that looks something like this:
>>
>> 'block from any to "google.com"'
>>
>> The hostname "google.com" isn't blocked since its current IP differs from its previous IP when pf loaded the rule. What can I do in order to be able to block such sites (with many IP addresses)?
>
> I would use tables and populate them periodically from a shell script which can do FQDN to many IPs resolution.
>
> It can be as simple as this
>
> host yahoo.com | awk '$0 ~ /has address/ { print $4 }' > /var/run/pf.yahoo.table
> pfctl -t yahoo_table -T replace -f /var/run/pf.yahoo.table
>
> I am sure you will find a better solution :)
>
> Miroslav Lachman
Thanks for your answer, it is an interesting idea.

However, doesn't this method of periodically updating the pf tables disturb or burden the performance of the pf filter engine, especially if the script that updates the tables runs too often?
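The table-refresh approach suggested in the thread, written out as an added example (not code from the thread): a cron-driven script that resolves a list of hostnames to both A and AAAA records and only calls `pfctl -T replace` when something actually resolved, so a DNS outage does not silently empty the block table. The table name, host list and the pf.conf lines are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Keeps a pf table in sync with
# the current A/AAAA records of a list of hostnames, for use from cron.
# Assumed pf.conf lines (names are assumptions):
#   table <blocked_hosts> persist
#   block drop quick from any to <blocked_hosts>
set -u

TABLE="${TABLE:-blocked_hosts}"
HOSTS="${HOSTS:-google.com gmail.com}"

# Pull IPv4 and IPv6 addresses out of host(1) output, one per line.
# "h has address A" -> $4, "h has IPv6 address A" -> $5; MX etc. are dropped.
extract_addrs() {
    awk '/ has address /      { print $4 }
         / has IPv6 address / { print $5 }'
}

# Resolve every hostname and emit a deduplicated address list.
resolve_hosts() {
    for h in $HOSTS; do
        host "$h" 2>/dev/null
    done | extract_addrs | sort -u
}

# Refuse to load a file with no addresses: "pfctl -T replace" with an
# empty list would empty the table and the block rule would stop
# matching anything (fail open) after a DNS outage.
table_file_ok() {
    [ -s "$1" ] && grep -q '[0-9a-f]' "$1"
}

refresh_table() {
    tmp=$(mktemp "/var/run/pf.${TABLE}.XXXXXX") || return 1
    resolve_hosts > "$tmp"
    if ! table_file_ok "$tmp"; then
        echo "refresh_table: no addresses resolved, keeping old table" >&2
        rm -f "$tmp"
        return 1
    fi
    # -T replace swaps the table contents in one operation; the ruleset
    # is not reloaded and existing states are untouched.
    pfctl -q -t "$TABLE" -T replace -f "$tmp"
    rm -f "$tmp"
}

# Run as "sh refresh-table.sh refresh" (e.g. every 10 minutes from cron).
case "${1:-}" in
    refresh) refresh_table ;;
esac
```

Because only the table's address set changes, this is far cheaper than a full `pfctl -f pf.conf` reload, and existing connections keep their states.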