Re: Using DNS names in pf.conf?

On Wed, Jan 19, 2005 at 01:02:10PM -0600, Kevin wrote:
> Are there any "gotchas" I should know about when using dns names in
> pf.conf, specifically in tables used as destinations for permit rules?
  it is a good idea to reduce to an absolute minimum the amount
  of dependency-type lookups pf has to do to parse your pf.conf.
  it is extreme, and no doubt i have bigger problems of my own in
  a situation where pf has no access to read /etc/passwd or /etc/services
  or /etc/protocols, but i try to even use raw numbers for these
  to circumvent pf having to do lookups on those files. [1]
  if one of those lookups fails, parsing will fail, and the ruleset
  won't be loaded.
  your idea of populating a table is much safer.
> The addresses for the hosts change, but relatively rarely. Is it
> safe/recommended to include the hostnames in pf.conf, or would it be
> better to just create text files listing the hostnames and create cron
> jobs to periodically refresh the tables, like this:
>     @reboot     pfctl -q -Treplace -tcvshosts -f /etc/cvshosts.txt
>     @weekly     pfctl -q -Treplace -tcvshosts -f /etc/cvshosts.txt
> This seems to add complexity where it is not really needed, assuming
> there are not risks or race conditions with putting DNS names into
> pf.conf and populating the tables at boot time and whenever I manually
> reload the ruleset?
> I am running a local caching resolver, but I do also list my ISP's
> nameserver in /etc/resolv.conf.
  naturally that reduces the chance that a DNS lookup will fail, 
  but it is still relying on something that could break.
  if you use the table/population method, worst case is your table
  fails to get populated if the file /etc/cvshosts.txt doesn't have
  the expected data, but pf is ok with having a table with no addresses
  in it much more than it is with trying to find out if there are
  addresses to be put in but having no way to successfully complete
  the investigation.
  assuming you go with the DNS lookup method, you'll change your mind
  the instant you forget to set up something right and the DNS lookup
  fails and your ruleset barfs :P
[1] - instead, i define a macro at the top, such as 'ssh=22' and then
  later i use "port $ssh" rather than "port ssh".  
[ openbsd 3.6 GENERIC ( dec 11 ) // i386 ]
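A defensive version of the cron-driven table refresh discussed above, added here as an example and not code from either poster. It goes one step further than Kevin's cron line: each hostname is resolved separately before pfctl is called, so a single failed lookup skips that name instead of aborting the whole replace, and the table is never replaced with an empty list. It assumes dig(1) is installed (host(1) would do as well) and that /etc/cvshosts.txt holds one hostname per line; the table name "cvshosts" is Kevin's.

```shell
#!/bin/sh
# Added example, not from the thread: refresh the pf table "cvshosts" (Kevin's
# table name) from a file of hostnames, resolving each name separately so one
# failed lookup never aborts the refresh or empties the table. Assumes dig(1)
# is installed (host(1) would do) and one hostname per line in NAMES_FILE.
TABLE="${TABLE:-cvshosts}"
NAMES_FILE="${NAMES_FILE:-/etc/cvshosts.txt}"
ADDR_FILE="${ADDR_FILE:-/var/db/pf-${TABLE}.addrs}"

# Resolve one name to its A records, one per line; silent and non-zero on failure.
resolve_name() {
    dig +short +time=2 +tries=1 "$1" A 2>/dev/null
}

# Keep only dotted-quad lines: drops CNAME targets and anything else dig emits.
valid_ipv4() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the sorted, de-duplicated address list. Returns 1 and prints nothing if
# no name resolved, so the caller can leave the currently loaded table alone.
build_addr_list() {
    out=""
    while read -r name || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac   # skip blanks and comments
        addrs=$(resolve_name "$name" | valid_ipv4) || addrs=""
        if [ -n "$addrs" ]; then
            out=$(printf '%s\n' $out $addrs)     # unquoted: split on newlines
        else
            echo "warning: $name did not resolve; skipping it" >&2
        fi
    done < "$1"
    [ -n "$out" ] || return 1
    printf '%s\n' "$out" | sort -u
}

# Replace the table only when something resolved; otherwise keep what pf has.
refresh_table() {
    if list=$(build_addr_list "$NAMES_FILE"); then
        printf '%s\n' "$list" > "$ADDR_FILE"
        pfctl -q -t "$TABLE" -T replace -f "$ADDR_FILE"
    else
        echo "error: nothing in $NAMES_FILE resolved; $TABLE left untouched" >&2
        return 1
    fi
}

# From cron (@reboot, @weekly): "sh refresh-cvshosts refresh"; no argument only defines the functions.
case ${1:-} in refresh) refresh_table ;; esac
```

Because the ruleset itself only references the table name, pf.conf still loads cleanly when DNS is down; the worst case is a stale table and a warning in the cron mail.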