New pf install on Freebsd7 seems to be a slow starter.

Max Laier max at love2party.net
Thu Jul 17 15:28:06 UTC 2008


On Thursday 17 July 2008 17:19:02 Jeremy Chadwick wrote:
> On Thu, Jul 17, 2008 at 05:11:50PM +0200, Max Laier wrote:
> > On Thursday 17 July 2008 15:28:49 CZUCZY Gergely wrote:
> > > On Thu, 17 Jul 2008 09:13:03 -0400
> > >
> > > "Glen Barber" <glen.j.barber at gmail.com> wrote:
> > > > On Thu, Jul 17, 2008 at 9:00 AM, Glen Barber
> > > > <glen.j.barber at gmail.com>
> >
> > wrote:
> > > > > I was under the assumption the OP runs his own DNS server, as
> > > > > that is how my machine was set up.
> > > >
> > > > Another reason I thought about 'why' the OP used tables - aren't
> > > > PF tables evaluated at boot, and macros evaluated when they are
> > > > called? I think the latter negates the need for resolving at
> > > > boot.  Please correct me if I am wrong.
> > >
> > > Macros are evaluated at pfctl-time. That means, parse-time. Tables
> > > are evaluated at runtime (that means, when a lookup is in
> > > progress).
> >
> > DNS lookups are always performed in userland at pfctl-time.  It does
> > not matter if you put your hostnames into a macro, table or rule
> > directly - it will always be looked up by pfctl before even loading
> > the rule/table into the kernel.
> >
> > If you really want to trust DNS lookups to influence your firewall
> > rules (3 weeks till doomsday - is your resolver patched?!?) you
> > should add an rc.d that depends on NETWORKING (or hook something up
> > to ppp.linkup, or wherever else you can be sure that your resolver is
> > working) and fill a predefined table from that script. i.e. "pfctl -t
> > mytable -T add foo.bar.local"
>
> Which induces another question (probably answered in a post a few weeks
> ago, knowing my luck):
>
> Does pf(4) use gethostbyname()?  If so, the OP should be able to add
> entries of said FQDNs to /etc/hosts to avoid doing actual recursive DNS
> lookups.  (I'm curious about this myself, since we have some pf.conf
> rules which refer to IPs bound to our servers, and I've always wanted
> to switch them over to FQDNs that are listed in /etc/hosts...)

gethostbyname(3), but that should - iirc - also tie into /etc/hosts if your 
nsswitch.conf points there.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
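The rc.d approach suggested in the quoted reply (resolve the hostnames only once the network is up, then fill a predefined table with pfctl), as an added illustration that is not code from the thread or from the pf project. The table name `mytable`, the hostnames and the script name are constructed; it assumes the table is declared `persist` in pf.conf.

```shell
#!/bin/sh
# Added illustration (not from the thread): fill a predefined pf table
# from DNS once the network is up, so pf.conf itself carries no hostnames
# and pfctl's parse-time lookups cannot fail at boot.
# Assumptions (constructed): pf.conf declares
#     table <mytable> persist
# so the table exists (possibly empty) even before this script runs.
# For rc.d, save as /usr/local/etc/rc.d/pf_dns_tables with the header
# below; the same functions can be called from ppp.linkup instead.
#
# PROVIDE: pf_dns_tables
# REQUIRE: NETWORKING pf

PFTABLE="mytable"
HOSTS="foo.bar.local baz.bar.local"   # constructed sample names

# resolve_host NAME: print one address per line, nothing if unknown.
# getent(1) goes through nsswitch.conf, so /etc/hosts entries work too.
resolve_host() {
    getent hosts "$1" | awk '{ print $1 }'
}

# fill_table TABLE NAME...: add every resolved address with one pfctl
# call; names that do not resolve are logged and skipped rather than
# aborting, so one broken record cannot leave the table untouched.
# Returns 0 if at least one address was added.
fill_table() {
    table="$1"; shift
    all=""
    for h in "$@"; do
        addrs=$(resolve_host "$h") || addrs=""
        if [ -z "$addrs" ]; then
            echo "pf_dns_tables: $h did not resolve, skipped" >&2
            continue
        fi
        all="$all $addrs"
    done
    [ -n "$all" ] || return 1
    # -T replace instead of add would also drop stale addresses.
    pfctl -t "$table" -T add $all
}

case "${1:-}" in
    start) fill_table "$PFTABLE" $HOSTS ;;
esac
```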

