Filter connections based on the hostname.

Miroslav Lachman 000.fbsd at quip.cz
Tue Jun 14 16:16:49 UTC 2016


atar wrote on 06/14/2016 16:05:
>> atar wrote on 06/14/2016 14:52:

[...]

>>> The hostname "google.com" isn't blocked since its current ip differs from its previous ip when pf has loaded the rule, what can I do in order to be able to block such sites (with many ip addresses)?
>>
>> I would use tables and populate them periodically from shell script which can do FQDN to many IPs resolution.
>>
>> It can be simple as this
>>
>> host yahoo.com | awk '$0 ~ /has address/ { print $4 }' > /var/run/pf.yahoo_table
>> pfctl -t yahoo_table -T replace -f /var/run/pf.yahoo_table
>>
>> I am sure you will find a better solution :)
>>
>> Miroslav Lachman
> Thanks for your answer, it is an interesting idea.
>
> However, does this method of periodically updating the pf tables not disturb or burden the performance of the pf filter engine, especially if the script that updates the tables runs too often?


How often is "too often"?
I think that updating the tables every 5 minutes is enough (no one uses 
shorter TTL for DNS entries)
The nicest thing about PF tables is you don't need to reload PF and tables 
can live in memory (no need for a persistent file on the filesystem), so all 
operations are really quick.
Our PF firewalls are using tables with thousands of entries without any 
issues.
I don't see any trouble even if you update the tables each minute.

Miroslav Lachman
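The periodic table-refresh approach discussed in this thread, written out as an added example that is not the poster's own script. It assumes FreeBSD with pf enabled and a table declared in /etc/pf.conf (the table name `blocked_sites`, the hostnames, the state file path and the cron schedule are all illustrative assumptions). Beyond the one-liner above it also collects AAAA records, deduplicates, writes the list atomically, and refuses to replace the table when resolution returns nothing, so a DNS outage cannot silently empty the block list:

```shell
#!/bin/sh
# Added example (not from the original post): resolve a list of hostnames to
# all of their current A/AAAA records and atomically replace a pf table.
# Assumed pf.conf (illustrative):
#   table <blocked_sites> persist
#   block drop quick to <blocked_sites>
# Assumed cron entry, every 5 minutes:
#   */5 * * * * /usr/local/sbin/pf-update-table.sh run

TABLE="${TABLE:-blocked_sites}"                      # assumed table name
HOSTS="${HOSTS:-google.com www.google.com yahoo.com}" # assumed hostnames
STATE="${STATE:-/var/run/pf.${TABLE}.txt}"          # assumed state file
PFCTL="${PFCTL:-pfctl}"   # overridable so the logic can be tested without pf

# Parse host(1) output from stdin into one address per line, deduplicated.
# Accepts "X has address A.B.C.D" and "X has IPv6 address ..." lines and
# ignores MX, CNAME and "not found" noise.
extract_addrs() {
    awk '$2 == "has" && $3 == "address"                 { print $4 }
         $2 == "has" && $3 == "IPv6" && $4 == "address" { print $5 }' | sort -u
}

# Resolve every hostname given as an argument. A failure is reported on
# stderr but does not abort, so one dead name does not block the others.
resolve_hosts() {
    for h in "$@"; do
        host "$h" 2>/dev/null || printf 'warning: could not resolve %s\n' "$h" >&2
    done | extract_addrs
}

# Write the address list from stdin to $STATE atomically (temp file + mv).
# Returns 1 and leaves the previous file untouched when the list is empty,
# so a resolver outage never turns into an empty table that unblocks all.
write_state() {
    tmp="${STATE}.tmp.$$"
    cat > "$tmp"
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        printf 'error: no addresses resolved, keeping previous table\n' >&2
        return 1
    fi
    mv -f "$tmp" "$STATE"
}

# Full update: resolve, persist, then swap the table contents in one step.
# 'pfctl -T replace' loads the file as the table's complete new contents
# without reloading the ruleset.
update_table() {
    resolve_hosts $HOSTS | write_state || return 1
    "$PFCTL" -t "$TABLE" -T replace -f "$STATE"
}

# Only act when invoked with "run", so the file can also be sourced.
if [ "${1:-}" = "run" ]; then
    update_table
fi
```

Run it as `sh pf-update-table.sh run` from cron; `pfctl -t blocked_sites -T show` afterwards lists the resolved addresses. Note that resolution happens on the firewall itself, so the table only ever reflects what that host's resolver returned at refresh time; a client that resolves the same name to a different address set (geo-DNS, split answers) can still reach it until the next refresh.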
