
Using DNS names in pf.conf?

Are there any "gotchas" I should know about when using DNS names in
pf.conf, specifically in tables used as destinations for permit rules?
The addresses for the hosts change, but relatively rarely. Is it
safe/recommended to include the hostnames in pf.conf, or would it be
better to just create text files listing the hostnames and create cron
jobs to periodically refresh the tables, like this:
    @reboot     pfctl -q -Treplace -tcvshosts -f /etc/cvshosts.txt
    @weekly     pfctl -q -Treplace -tcvshosts -f /etc/cvshosts.txt
This seems to add complexity where it is not really needed, assuming
there are no risks or race conditions with putting DNS names into
pf.conf and populating the tables at boot time and whenever I manually
reload the ruleset?
I am running a local caching resolver, but I do also list my ISP's
nameserver in /etc/resolv.conf.
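The cron approach above refreshes the table with a single pfctl call, so a resolver that is unreachable at boot or at the weekly run leaves the table in whatever state pfctl's error handling produces. The script below is an added example, not part of the original post or of OpenBSD: it resolves each hostname from the post's /etc/cvshosts.txt with host(1), refuses to touch the table when nothing resolves, and only adds (rather than replaces) when some names fail, so a transient DNS outage cannot silently empty a permit table. The table name cvshosts and the file path are taken from the post; the host(1) output format assumed by the awk filter, and the PFCTL/HOSTFILE/TABLE variables, are assumptions made for this example.

```shell
#!/bin/sh
# Refresh a pf table from a file of hostnames without ever emptying it.
# Example script, not from the original post. Assumptions: one hostname
# per line in $HOSTFILE ('#' comments and blank lines ignored); host(1)
# prints lines of the form "NAME has address A" / "NAME has IPv6 address B".
# PFCTL, TABLE and HOSTFILE are overridable so the logic can be exercised
# without a live pf.

PFCTL="${PFCTL:-pfctl}"
TABLE="${TABLE:-cvshosts}"
HOSTFILE="${HOSTFILE:-/etc/cvshosts.txt}"

# resolve_host NAME: print one address per line; prints nothing on failure.
resolve_host() {
    host "$1" 2>/dev/null | awk '/has (IPv6 )?address/ { print $NF }'
}

# collect_addrs FILE: print all resolved addresses; exit status is the
# number of hostnames that did not resolve (0 means a complete refresh).
collect_addrs() {
    failed=0
    while read -r name; do
        case "$name" in ''|\#*) continue ;; esac
        addrs=$(resolve_host "$name")
        if [ -z "$addrs" ]; then
            echo "warning: $name did not resolve" >&2
            failed=$((failed + 1))
            continue
        fi
        printf '%s\n' "$addrs"
    done < "$1"
    return "$failed"
}

# refresh_table: replace the table when every name resolved, only add when
# some failed (stale entries survive), and leave it untouched when nothing
# resolved. Returns 0 on success, 1 on setup error, 2 when nothing resolved.
refresh_table() {
    tmp=$(mktemp) || return 1
    unresolved=0
    collect_addrs "$HOSTFILE" > "$tmp" || unresolved=$?
    if [ ! -s "$tmp" ]; then
        echo "error: no hostnames resolved; table $TABLE left untouched" >&2
        rm -f "$tmp"
        return 2
    fi
    rc=0
    if [ "$unresolved" -gt 0 ]; then
        echo "partial resolution ($unresolved failed): adding, not replacing" >&2
        "$PFCTL" -q -t "$TABLE" -T add -f "$tmp" || rc=$?
    else
        "$PFCTL" -q -t "$TABLE" -T replace -f "$tmp" || rc=$?
    fi
    rm -f "$tmp"
    return "$rc"
}

# Run the refresh only when executed directly, not when sourced.
case "$0" in *refresh_pf_table*) refresh_table ;; esac
```

The trade-off is deliberate: on partial failure the script keeps previously permitted addresses in the table (possibly stale) rather than dropping the hosts it could not resolve, because for a permit table an unexpected lock-out is usually the worse failure. If stale entries are the bigger concern, change the partial branch to return an error and alert instead. Run it from cron in place of the two pfctl lines above, or point HOSTFILE and TABLE at another pair.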