Date:      Thu, 17 Jul 2008 17:11:50 +0200
From:      Max Laier <max@love2party.net>
To:        freebsd-pf@freebsd.org
Subject:   Re: New pf install on Freebsd7 seem to be a slow starter.
Message-ID:  <200807171711.51208.max@love2party.net>
In-Reply-To: <20080717152849.0e90b307@twoflower.in.publishing.hu>
References:  <48750381.1030004@eskk.nu> <4ad871310807170613y6d5df98dlf85f664399c9ca4c@mail.gmail.com> <20080717152849.0e90b307@twoflower.in.publishing.hu>

On Thursday 17 July 2008 15:28:49 CZUCZY Gergely wrote:
> On Thu, 17 Jul 2008 09:13:03 -0400
>
> "Glen Barber" <glen.j.barber@gmail.com> wrote:
> > On Thu, Jul 17, 2008 at 9:00 AM, Glen Barber <glen.j.barber@gmail.com> wrote:
> > > I was under the assumption the OP runs his own DNS server, as that
> > > is how my machine was set up.
> >
> > Another reason I thought about 'why' the OP used tables - aren't PF
> > tables evaluated at boot, and macros evaluated when they are called?
> > I think the latter negates the need for resolving at boot.  Please
> > correct me if I am wrong.
>
> Macros are evaluated at pfctl-time. That means, parse-time. Tables are
> evaluated at runtime (that means, when a lookup is in progress).

DNS lookups are always performed in userland at pfctl-time.  It does not 
matter if you put your hostnames into a macro, table or rule directly - 
they will always be looked up by pfctl before even loading the rule/table 
into the kernel.

If you really want to trust DNS lookups to influence your firewall rules 
(3 weeks till doomsday - is your resolver patched?!?) you should add an 
rc.d script that depends on NETWORKING (or hook something up to ppp.linkup, or 
wherever else you can be sure that your resolver is working) and fill a 
predefined table from that script, i.e. "pfctl -t mytable -T add 
foo.bar.local"

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
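The rc.d approach Max suggests above, as an added example that is not code from this thread: a hypothetical FreeBSD rc.d script that waits until the resolver answers (checked with getent(1), which goes through nsswitch like pfctl does) and then fills a table that pf.conf has predefined with `table <mytable> persist`. The script name, the rc.conf variables and the hostname are assumed.

```shell
#!/bin/sh
# Hypothetical rc.d script (e.g. /usr/local/etc/rc.d/pf_dnstable) that fills a
# pf table from hostnames once the resolver works, instead of letting pfctl
# resolve them while /etc/pf.conf loads. pf.conf predefines the table:
#   table <mytable> persist
# PROVIDE: pf_dnstable
# REQUIRE: NETWORKING pf
# Overridable commands: defaults are the real tools; tests substitute fakes.
: "${pfctl_cmd:=pfctl}"
: "${resolve_cmd:=getent hosts}"   # resolves via nsswitch, as pfctl does
# Retry once per second, at most $1 seconds, until every name in $2 resolves.
# Returns 0 when all resolve, 1 on timeout.
pf_dnstable_wait_resolver() {
    wr_timeout=$1; wr_hosts=$2; wr_tries=0
    while :; do
        wr_ok=1
        for h in $wr_hosts; do
            $resolve_cmd "$h" >/dev/null 2>&1 || wr_ok=0
        done
        [ "$wr_ok" -eq 1 ] && return 0
        wr_tries=$((wr_tries + 1))
        [ "$wr_tries" -ge "$wr_timeout" ] && return 1
        sleep 1
    done
}
# Add every name in $2 to table $1; pfctl resolves each name to all of its
# A/AAAA records at that moment. Returns 1 if any add failed, else 0.
pf_dnstable_fill() {
    fl_failed=0
    for h in $2; do
        $pfctl_cmd -t "$1" -T add "$h" || fl_failed=1
    done
    return "$fl_failed"
}
pf_dnstable_start() {
    pf_dnstable_wait_resolver "${pf_dnstable_timeout:-30}" "$pf_dnstable_hosts" ||
        { echo "pf_dnstable: resolver not ready, table left empty" >&2; return 1; }
    pf_dnstable_fill "$pf_dnstable_table" "$pf_dnstable_hosts"
}

# rc.subr glue, skipped when run outside FreeBSD's rc framework (e.g. in tests).
if [ -r /etc/rc.subr ]; then
    . /etc/rc.subr
    name=pf_dnstable; rcvar=pf_dnstable_enable   # FreeBSD 7 spelling: rcvar=`set_rcvar`
    start_cmd=pf_dnstable_start
    load_rc_config "$name"
    : "${pf_dnstable_table:=mytable}"; : "${pf_dnstable_hosts:=foo.bar.local}"
    run_rc_command "$1"
fi
```

Enable it with `pf_dnstable_enable="YES"` in rc.conf; a name that fails to resolve is reported by pfctl and the rest of the table is still filled.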