From: atar
Subject: Re: Filter connections based on the hostname.
Date: Tue, 14 Jun 2016 17:05:17 +0300
To: freebsd-pf@freebsd.org
In-Reply-To: <57600481.6080204@quip.cz>
References: <5858A82C-FB66-4D67-A676-47EABED976CE@gmail.com> <57600481.6080204@quip.cz>
Message-Id: <08195C33-DC97-4ADD-9C0A-D9493E2C29F7@gmail.com>

> atar wrote on 06/14/2016 14:52:
>> Hi there,
>>
>> In the pf.conf man page, it is stated that it's possible to write inside a rule a hostname instead of an IP address, and the resolver will take care of converting the hostname into its IP address when the pf process loads its configuration file.
>>
>> The problem arises when a particular hostname has many IP addresses, like in the case of "google.com", "gmail.com" etc., and the IP address that "google.com" - for instance - is now (at the time that the user navigates his Internet browser to "google.com") resolved to isn't in the list of the IP addresses that the resolver has put in the rule when the pf configuration file was loaded.
>>
>> Now assuming that I have created a rule that looks something like this:
>>
>> 'block from any to "google.com"'
>>
>> The hostname "google.com" isn't blocked since its current IP differs from its previous IP when pf loaded the rule. What can I do in order to be able to block such sites (with many IP addresses)?
>
> I would use tables and populate them periodically from a shell script which can do FQDN to many IPs resolution.
>
> It can be as simple as this
>
> host yahoo.com | awk '$0 ~ /has address/ { print $4 }' > /var/run/pf.yahoo_table
> pfctl -t yahoo_table -T replace -f /var/run/pf.yahoo_table
>
> I am sure you will find a better solution :)
>
> Miroslav Lachman

Thanks for your answer, it is an interesting idea. However, doesn't this method of periodically updating the pf tables disturb or burden the performance of the pf filter engine, especially if the script that updates the tables runs too often?
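The table-from-DNS approach Miroslav suggests, written out as a complete cron-style script that also answers the performance worry raised above. This is an added example, not code from the thread: it assumes a table named blocked_hosts declared in pf.conf as "table <blocked_hosts> persist" and referenced by "block quick from any to <blocked_hosts>", resolves several names at once (IPv4 and IPv6, which the one-liner in the thread does not), refuses to push an empty set if the resolver is down, and calls "pfctl -T replace" only when the resolved address set actually changed. The PFCTL and STATE_DIR variables are hypothetical overrides so the script can be exercised without root; the sample host(1) output embedded in it is constructed from documentation addresses.

```shell
#!/bin/sh
# Added example, not code from the thread: keep a pf table in sync with DNS
# without churning it. Resolve each name with host(1), build the full address
# set (IPv4 and IPv6), and call "pfctl -T replace" only when that set differs
# from the one last applied. Assumed pf.conf (hypothetical table name):
#   table <blocked_hosts> persist
#   block quick from any to <blocked_hosts>

TABLE="${TABLE:-blocked_hosts}"      # assumed table name
STATE_DIR="${STATE_DIR:-/var/run}"   # where the last applied set is kept
PFCTL="${PFCTL:-pfctl}"              # overridable so the script can run without root

# Constructed sample of host(1) output (documentation addresses, not real
# resolution results), used by parse_sample below.
SAMPLE_HOST_OUTPUT='example.test has address 198.51.100.10
example.test has address 198.51.100.20
example.test has IPv6 address 2001:db8::1
example.test has address 198.51.100.10
example.test mail is handled by 10 mail.example.test.'

# parse_host_output: read host(1) output on stdin, print IPv4 ("has address")
# and IPv6 ("has IPv6 address") addresses, one per line, sorted and deduplicated.
parse_host_output() {
    awk '/has address/ { print $4 } /has IPv6 address/ { print $5 }' | sort -u
}

# parse_sample: run the parser over the constructed sample above.
parse_sample() {
    printf '%s\n' "$SAMPLE_HOST_OUTPUT" | parse_host_output
}

# resolve_hosts NAME...: resolve every name; a name that fails to resolve is
# skipped rather than emptying the whole table.
resolve_hosts() {
    for name in "$@"; do
        host "$name" 2>/dev/null
    done | parse_host_output
}

# update_table NEWFILE: apply NEWFILE to the table only if it differs from the
# last applied set. Prints "changed" or "unchanged"; returns 1 if pfctl fails.
update_table() {
    new="$1"
    cur="$STATE_DIR/pf.$TABLE.current"
    if [ -f "$cur" ] && cmp -s "$new" "$cur"; then
        rm -f "$new"
        echo unchanged
        return 0
    fi
    # -T replace hands pf the whole address set in one operation, so the
    # table is never half-updated while traffic is being filtered.
    if "$PFCTL" -t "$TABLE" -T replace -f "$new"; then
        mv "$new" "$cur"
        echo changed
    else
        echo failed
        return 1
    fi
}

# Usage: sh pf_dns_table.sh google.com gmail.com   (typically from cron)
if [ "$#" -gt 0 ]; then
    tmpfile=$(mktemp "$STATE_DIR/pf.$TABLE.XXXXXX") || exit 1
    resolve_hosts "$@" > "$tmpfile"
    # Refuse to push an empty set: a resolver outage must not empty a block table.
    if [ ! -s "$tmpfile" ]; then
        rm -f "$tmpfile"
        echo "no addresses resolved, table left untouched" >&2
        exit 1
    fi
    update_table "$tmpfile"
fi
```

On the performance question: the expensive part of this loop is the DNS lookups, and they run in userland, not in pf. A rule that references a table does a radix-tree lookup per packet whose cost does not depend on how often the table was reloaded, and with the cmp check above pf sees no update at all while the resolved set is stable, so running the script every few minutes is not what burdens the filter engine; what matters more is keeping the table from emptying or thrashing when DNS misbehaves.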