From: Michael Sierchio
Date: Wed, 11 Aug 2021 13:25:31 -0700
Subject: Re: Can ipfw Rules Be Based On DNS Name
To: FreeBSD Mailing List

On Wed, Aug 11, 2021 at 1:05 PM Tim Daneliuk via freebsd-questions <freebsd-questions@freebsd.org> wrote:

> I have used ipfw for years to configure access at the IP address level.
>
> I now need to block a particular domain and all its subdomains from
> accessing anything on the server. Is this possible using the top level
> domain name rather than IPs (which appear to be fluid)?

Generally, no. Also, specifically, no. There isn't a way of solving the problem as you've articulated it.

You can block entire countries by IP block. You can block a company's entire CIDR block if it has one allocated. Tables make this easy.

You can create a cron job to do a whois on incoming traffic (if you're logging it), and block if it's undesirable (add the block to your reject table).

If you were concerned with outbound, rather than inbound traffic, I would say sinkhole / blackhole DNS works.
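An added example (not from the thread) sketching the table-based approach described in the reply: pull the source addresses of logged inbound connections so whois(1) can be run on them, then emit the ipfw table commands for the CIDR blocks an operator has decided to reject. The log lines are constructed, the table name "reject" and rule number 100 are assumptions, and ipfw itself is never invoked; the commands are printed for review.

```sh
#!/bin/sh
# Constructed ipfw log lines in the kernel's
# "ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> in|out via <if>"
# format; addresses come from RFC 5737 documentation ranges.
SAMPLE_LOG='Aug 11 20:26:10 host kernel: ipfw: 1000 Accept TCP 203.0.113.5:51234 198.51.100.7:22 in via em0
Aug 11 20:26:11 host kernel: ipfw: 1000 Accept TCP 203.0.113.9:40000 198.51.100.7:443 in via em0
Aug 11 20:26:12 host kernel: ipfw: 1000 Accept TCP 203.0.113.5:51235 198.51.100.7:22 in via em0
Aug 11 20:26:13 host kernel: ipfw: 2000 Deny UDP 192.0.2.77:53 198.51.100.7:53 in via em0
Aug 11 20:26:14 host kernel: ipfw: 1000 Accept TCP 198.51.100.7:51000 203.0.113.5:80 out via em0'

# Print the unique source addresses of inbound ("in via") log entries, one
# per line. Fields are located relative to the "ipfw:" token so a different
# syslog prefix does not break the parse; the port suffix and any IPv6
# brackets are stripped. Feed the output to whois(1) by hand or from cron.
inbound_src_ips() {
    printf '%s\n' "$1" | awk '
        {
            for (i = 1; i <= NF; i++) {
                if ($i != "ipfw:") continue
                if ($(i + 6) == "in") {
                    src = $(i + 4)
                    sub(/:[0-9]+$/, "", src)   # drop :port
                    gsub(/[][]/, "", src)      # drop IPv6 brackets
                    print src
                }
                break
            }
        }' | sort -u
}

# One-time setup: create the address table and the rule that drops inbound
# traffic from it. Run once, not from cron, or the rule is added repeatedly.
reject_table_setup_cmds() {
    echo 'ipfw table reject create type addr'
    echo "ipfw add 100 deny ip from 'table(reject)' to any in"
}

# Per-run: add each reviewed CIDR block (chosen after whois) to the table.
# Adding an existing entry is harmless, so this is safe to repeat from cron.
reject_table_add_cmds() {
    for cidr in "$@"; do
        echo "ipfw table reject add $cidr"
    done
}

# Dry run: show what would be executed, then pipe to sh as root once reviewed.
inbound_src_ips "$SAMPLE_LOG"
reject_table_setup_cmds
reject_table_add_cmds 203.0.113.0/24 192.0.2.0/24
```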