Re: Using DNS names in pf.conf?

The biggest problem I've run into with using DNS for pf rules is: when
PF is first loaded, there is a VERY restrictive ruleset (not allowing
NAT, etc).  So if you've got a DNS server inside your firewall and
you're using rules based on DNS names of hosts that your DNS server is
not authoritative for (meaning that your DNS server has to connect to
the Internet to get those IP addresses), then those rules will cause
pfctl to NOT load your ruleset.

Since I'm only creating rules with hostnames that my internal DNS
server (which my firewall uses) can resolve locally, I'm OK.

On Wed, 19 Jan 2005 13:02:10 -0600, Kevin <[email protected]> wrote:
> Are there any "gotchas" I should know about when using DNS names in
> pf.conf, specifically in tables used as destinations for permit rules?
>
> The addresses for the hosts change, but relatively rarely. Is it
> safe/recommended to include the hostnames in pf.conf, or would it be
> better to just create text files listing the hostnames and create cron
> jobs to periodically refresh the tables, like this:
>
>     @reboot     pfctl -q -Treplace -tcvshosts -f /etc/cvshosts.txt
>     @weekly     pfctl -q -Treplace -tcvshosts -f /etc/cvshosts.txt
>
> This seems to add complexity where it is not really needed, assuming
> there are no risks or race conditions with putting DNS names into
> pf.conf and populating the tables at boot time and whenever I manually
> reload the ruleset?
>
> I am running a local caching resolver, but I do also list my ISP's
> nameserver in /etc/resolv.conf.
>
> Thanks,
> Kevin
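
The failure mode described in the reply (a hostname in pf.conf that cannot
be resolved at load time makes pfctl reject the whole ruleset) is avoided
by keeping hostnames out of pf.conf altogether and resolving them from a
script that only touches a persistent table. The script below is an added
example written for this thread; it is not code from either poster. It
assumes pf.conf declares `table <cvshosts> persist`, that the hostnames
live one per line in a text file such as /etc/cvshosts.txt, and that
dig(1) is available. The names and addresses in resolve_fake are
constructed for the offline self-check and are not real hosts.

```shell
#!/bin/sh
# refresh_pf_table.sh TABLE HOSTFILE
# Resolve the hostnames in HOSTFILE and replace pf table TABLE with the
# result.  With no arguments it runs an offline self-check instead.
# Added example for this thread, not from the original posts.  Assumes
# `table <TABLE> persist` in pf.conf and dig(1) on the path.
set -u
nl='
'

# resolve_dns NAME: print NAME's A and AAAA records, one per line.  Prints
# nothing on NXDOMAIN/SERVFAIL/timeout or when only a dangling CNAME comes
# back; the grep keeps address literals and drops CNAME targets (which dig
# prints with a trailing dot, so they never match).
resolve_dns() {
    dig +short +time=2 +tries=1 "$1" A "$1" AAAA 2>/dev/null |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9a-fA-F:]+$' || true
}

# resolve_fake NAME: constructed stand-in for resolve_dns (RFC 5737/3849
# documentation ranges) so the script can be exercised without DNS.
resolve_fake() {
    case $1 in
        cvs.example.org)    printf '192.0.2.10\n2001:db8::10\n' ;;
        mirror.example.org) printf '198.51.100.7\n' ;;
        *) ;;   # unknown name: no output, like a failed lookup
    esac
}

# build_addr_list RESOLVER < HOSTFILE
# Blank lines and # comments are ignored.  IPv4/CIDR and IPv6 literals are
# passed through; anything else is a hostname handed to RESOLVER.  Prints
# the de-duplicated address list and returns 1 if any hostname failed,
# so the caller can refuse to replace the table on a bad DNS day.
build_addr_list() {
    resolver=$1
    failed=0
    list=''
    while IFS= read -r entry || [ -n "$entry" ]; do
        entry=${entry%%#*}      # strip trailing comment
        set -- $entry           # trim surrounding whitespace
        entry=${1:-}
        [ -n "$entry" ] || continue
        case $entry in
            *:*)        list="$list$entry$nl" ;;        # IPv6 literal
            *[!0-9./]*)                                  # hostname
                addrs=$("$resolver" "$entry")
                if [ -z "$addrs" ]; then
                    echo "warning: $entry did not resolve" >&2
                    failed=1
                else
                    list="$list$addrs$nl"
                fi ;;
            *)          list="$list$entry$nl" ;;        # IPv4 or CIDR literal
        esac
    done
    printf '%s' "$list" | LC_ALL=C sort -u
    return $failed
}

# refresh_table TABLE HOSTFILE: replace TABLE only when every name resolved.
# On any lookup failure the previous table contents stay in place, which is
# safer than an empty table that silently drops the permitted hosts.
refresh_table() {
    table=$1 hostfile=$2
    if addrs=$(build_addr_list resolve_dns <"$hostfile"); then
        # shellcheck disable=SC2086 -- splitting $addrs into words is intended
        pfctl -q -t "$table" -T replace $addrs
    else
        echo "refresh_table: leaving <$table> unchanged" >&2
        return 1
    fi
}

# self_check: run build_addr_list against the constructed resolver.
self_check() {
    got=$(printf 'cvs.example.org\n# comment\n\n192.0.2.99\nmirror.example.org\n' |
          build_addr_list resolve_fake) || return 1
    want=$(printf '192.0.2.10\n192.0.2.99\n198.51.100.7\n2001:db8::10')
    [ "$got" = "$want" ] || return 1
    # an unresolvable name must make build_addr_list report failure
    ! printf 'nonexistent.invalid\n' | build_addr_list resolve_fake >/dev/null 2>&1
}

if [ $# -ge 2 ]; then
    refresh_table "$1" "$2"
elif [ $# -eq 0 ]; then
    self_check && echo "self-check passed"
fi
```

Run it from cron in place of the two pfctl lines in the quoted post, for
example `@reboot /usr/local/sbin/refresh_pf_table.sh cvshosts /etc/cvshosts.txt`
plus a periodic entry at whatever interval the addresses actually change.
The table must be declared `persist` in pf.conf or pf drops it when the
ruleset is reloaded. Before loading a pf.conf that still contains
hostnames, `pfctl -nf /etc/pf.conf` parses the file (and resolves its
names) without installing anything, which is the cheapest way to catch the
load-time failure the reply describes.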