Re: Using DNS names in pf.conf?
On Wed, Jan 19, 2005 at 01:02:10PM -0600, Kevin wrote:
> Are there any "gotchas" I should know about when using dns names in
> pf.conf, specifically in tables used as destinations for permit rules?
it is a good idea to reduce to an absolute minimum the amount
of dependency type lookups pf has to do to parse your pf.conf.
it is extreme, and no doubt i have bigger problems of my own if
there were a condition where pf had no access to read /etc/passwd or /etc/services
or /etc/protocols, but i try to even use raw numbers for these
to circumvent pf having to do lookups on those files.
if one of those lookups fails, parsing will fail, and the ruleset
won't be loaded.
your idea of populating a table is much safer.
> The addresses for the hosts change, but relatively rarely. Is it
> safe/recommended to include the hostnames in pf.conf, or would it be
> better to just create text files listing the hostnames and create cron
> jobs to periodically refresh the tables, like this:
> @reboot pfctl -q -Treplace -tcvshosts -f /etc/cvshosts.txt
> @weekly pfctl -q -Treplace -tcvshosts -f /etc/cvshosts.txt
> This seems to add complexity where it is not really needed, assuming
> there are no risks or race conditions with putting DNS names into
> pf.conf and populating the tables at boot time and whenever I manually
> reload the ruleset?
> I am running a local caching resolver, but I do also list my ISP's
> nameserver in /etc/resolv.conf.
naturally that reduces the chance that a DNS lookup will fail,
but it is still relying on something that could break.
if you use the table/population method, worst case is your table
fails to get populated if the file /etc/cvshosts.txt doesn't have
the expected data, but pf is ok with having a table with no addresses
in it much more than it is with trying to find out if there are
addresses to be put in but having no way to successfully complete.
assuming you go with the DNS lookup method, you'll change your mind
the instant you forget to set up something right and the DNS lookup
fails and your ruleset barfs :P
 - instead, i define a macro at the top, such as 'ssh=22' and then
later i use "port $ssh" rather than "port ssh".
[ openbsd 3.6 GENERIC ( dec 11 ) // i386 ]
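A defensive version of the cron-driven table refresh discussed above, added here as an example that is not part of the thread or of pf itself. It resolves every hostname before touching anything, so a failed lookup leaves the previously loaded addresses in place instead of emptying the table; the hosts list path /etc/cvshosts.hosts, the --run flag and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): refresh a pf table from a list of
# hostnames without ever loading an empty or partial table. Every name is
# resolved first; the file and the table are replaced only if all of them
# resolved. The table name "cvshosts" and /etc/cvshosts.txt come from the
# thread; the hosts list /etc/cvshosts.hosts and the function names are
# assumptions of this example.

RESOLVER=${RESOLVER:-default_resolver}   # hook: prints A records of $1
PFCTL=${PFCTL:-pfctl}                    # hook: pfctl(8) binary

# Default resolver using host(1); exits 1 if no address record came back.
default_resolver() {
    host -t A "$1" | awk '/has address/ { print $NF; found = 1 }
                          END { exit found ? 0 : 1 }'
}

# build_table_file HOSTLIST OUTFILE
# Resolves each hostname in HOSTLIST into a temp file and moves it into
# place only if every name resolved; otherwise OUTFILE is left untouched.
build_table_file() {
    hostlist=$1; out=$2; tmp="$out.tmp.$$"
    : > "$tmp"
    while read -r name; do
        case $name in ''|'#'*) continue ;; esac       # blanks and comments
        addrs=$("$RESOLVER" "$name") || { rm -f "$tmp"; return 1; }
        [ -n "$addrs" ] || { rm -f "$tmp"; return 1; }
        printf '%s\n' "$addrs" >> "$tmp"
    done < "$hostlist"
    [ -s "$tmp" ] || { rm -f "$tmp"; return 1; }     # never load an empty table
    sort -u "$tmp" > "$out" && rm -f "$tmp"
}

# refresh_table TABLE HOSTLIST OUTFILE: rebuild the file, then load it.
# A failed rebuild returns 1 and leaves the currently loaded table alone.
refresh_table() {
    build_table_file "$2" "$3" || return 1
    "$PFCTL" -q -t "$1" -T replace -f "$3"
}

# Script entry point for cron (@reboot / @weekly, as in the thread):
[ "${1-}" = "--run" ] && refresh_table cvshosts /etc/cvshosts.hosts /etc/cvshosts.txt
```

RESOLVER and PFCTL can be pointed at stand-in functions to exercise the logic on a box with neither DNS nor pf.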