[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Using DNS names in pf.conf?



On Wed, 19 Jan 2005 13:02:10 -0600, Kevin <[email protected]> wrote:
> Are there any "gotchas" I should know about when using dns names in
> pf.conf, specifically in tables used as destinations for permit rules?
> 
> The addresses for the hosts change, but relatively rarely. Is it
> safe/recommended to include the hostnames in pf.conf, or would it be
> better to just create text files listing the hostnames and create cron
> jobs to periodically refresh the tables, like this:
> 
>     @reboot     pfctl -q -Treplace -tcvshosts -f /etc/cvshosts.txt
>     @weekly     pfctl -q -Treplace -tcvshosts -f /etc/cvshosts.txt
> 
> This seems to add complexity where it is not really needed, assuming
> there are not risks or race conditions with putting DNS names into
> pf.conf and populating the tables at boot time and whenever I manually
> reload the ruleset?
> 
> I am running a local caching resolver, but I do also list my ISP's
> nameserver in /etc/resolv.conf.
> 
Kevin, If you use dns names in pf.conf make sure that your firewall is
able to contcat DNS servers on port 53 with UDP requests.
If you start your firewall filter rules with a
block all
rule then you need to pass these requests in the subsequent lines
an example is 
# allow UDP requests to port 53 from firewall to exit EXT
# in order to contact internet nameservers (keep state on this connection)
pass out on $EXT \
	proto udp \
	from $EXT to any \
	port 53 \
	keep state
If you want your firewall to contact only your ISP's DNS servers then
use a list and instead of "any" use the corresponding list.
If these UDP requests are not able to exit the firewalls External
interface then using dns name in pf.conf won't work :)))
hope this helps :))
courtesy : ruleset - part II (basic web access)
                http://www.aei.ca/~pmatulis/pub/obsd_pf.html
good luck!!
Kind Regards
Siju