Can ipfw Rules Be Based On DNS Name

Doug McIntyre merlyn at geeks.org
Thu Aug 12 14:04:25 UTC 2021


On Wed, Aug 11, 2021 at 05:20:07PM -0700, Michael Sierchio wrote:
> You can maintain a table of addresses, and check that with a single rule.
> You can add and delete CIDR blocks and IPv6 prefixes without changing the
> ruleset or restarting the firewall.  How you might do that is a non-trivial
> problem.  How do you find all the IP addresses associated with a particular
> domain?

That's what I've done in the past: created a table referenced in IPFW,
then some sort of process that periodically checks the domain name
resolution and updates the table if the IP addresses change.

Obviously, you are going to need to know what set of names they will
be coming from. It is unlikely that somebody would be coming from
*.lab.domain.com; it's probably going to be much more likely to be from
some small set of DNS entries.

This is the way commercial firewalls work too. If you set up a policy
in a Fortigate based on FQDN, it will only periodically go through and
update the IP addresses based on FQDNs. There could be a period where the
refresh procedure hasn't kicked off yet, and somebody connects after a DNS update.
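As an added illustration of the periodic-refresh approach described in this message (example code written for this page, not Doug's script and not part of ipfw), the sketch below resolves a fixed set of names and brings an ipfw table into line with the answers. Everything here is an assumption for the example: table number 10, the names in NAMES, drill(1) from ldns as the resolver (the resolver is pluggable through RESOLVE), that `ipfw table 10 list` prints one `addr/prefix value` line per entry after a `--- table(10) ---` header, and that the table is dedicated to DNS-derived addresses so the script may delete anything it did not add. The one edge case it handles deliberately: if any name fails to resolve, it leaves the table untouched rather than emptying it and locking everyone out.

```shell
#!/bin/sh
# Keep ipfw table $TABLE equal to the A/AAAA addresses of the names in $NAMES.
# Hypothetical cron script for illustration; every name/number below is an assumption.
# A rule such as   ipfw add 1000 allow tcp from 'table(10)' to me 22
# then admits only the addresses the table currently holds.
set -eu

TABLE=${TABLE:-10}                 # assumed: a table used only by this script
NAMES=${NAMES:-"vpn.example jump.example"}   # assumed names, constructed for the example
IPFW=${IPFW:-ipfw}                 # overridable so the logic can be exercised without ipfw
RESOLVE=${RESOLVE:-resolve_drill}  # resolver function: NAME -> addresses, one per line

# resolve_drill NAME: print A and AAAA answers for NAME using drill(1) from ldns.
# Assumes answer lines look like "host.example.  300  IN  A  192.0.2.10";
# comment lines start with ";" and are skipped, CNAME/NS records are filtered by type.
resolve_drill() {
    for rr in A AAAA; do
        drill "$1" "$rr" 2>/dev/null |
            awk -v rr="$rr" '$1 !~ /^;/ && $3 == "IN" && $4 == rr { print $5 }'
    done
}

# current_table: addresses now in the table, with the /32 and /128 host prefixes
# stripped so they compare equal to what the resolver prints. Assumes ipfw prints
# "addr/len value" lines; header lines ("--- table(10) ---") are skipped.
current_table() {
    "$IPFW" table "$TABLE" list |
        awk '/^[0-9a-fA-F.:]+\// { sub(/\/(32|128)$/, "", $1); print $1 }'
}

# plan_updates WANTED CURRENT: both are newline-separated address lists.
# Prints "add ADDR" for wanted-but-missing and "delete ADDR" for present-but-unwanted,
# adds before deletes, so a host whose address changed is never shut out mid-update.
plan_updates() {
    printf '%s\n' "$1" | awk -v cur="$2" '
        BEGIN { n = split(cur, a, "\n"); for (i = 1; i <= n; i++) if (a[i] != "") have[a[i]] = 1 }
        $0 != "" && !seen[$0]++ { want[$0] = 1; if (!($0 in have)) print "add " $0 }
        END { for (h in have) if (!(h in want)) print "delete " h }
    ' | LC_ALL=C sort -k1,1 -k2,2
}

# sync_table: resolve every name, then apply the planned adds/deletes to the table.
# If any name resolves to nothing (NXDOMAIN, resolver down), refuse to touch the
# table: stale entries are safer than an empty table that locks every admin out.
sync_table() {
    wanted=""
    for name in $NAMES; do
        addrs=$("$RESOLVE" "$name")
        if [ -z "$addrs" ]; then
            echo "sync_table: $name did not resolve; leaving table $TABLE untouched" >&2
            return 1
        fi
        wanted="$wanted
$addrs"
    done
    plan_updates "$wanted" "$(current_table)" | while read -r op addr; do
        "$IPFW" table "$TABLE" "$op" "$addr"
    done
}

# Run the sync only when invoked as "script sync", so the functions can also be sourced.
case "${1:-}" in
    sync) sync_table ;;
esac
```

Run it from cron at least as often as the records' TTL (every minute is common), since, exactly as the message says, a client that connects between a DNS change and the next refresh is still judged against the old addresses. Whoever controls those DNS names controls the table, so resolve through a trusted, preferably DNSSEC-validating, resolver.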


