
Re: Using DNS names in pf.conf?

Henning Brauer wrote:
> * Kevin <[email protected]> [2005-01-19 21:41]:
>
>> Are there any "gotchas" I should know about when using dns names in
>> pf.conf, specifically in tables used as destinations for permit rules?
>
> well, if DNS is not available by the time pfctl tries to load your pf.conf you're pretty much screwed. and pf is enabled very early at boot.
>
> try it out, and most importantly, get clear about the external dependencies you introduce and their consequences.

I've set my home router up like this and at least on older versions of obsd (I'm currently 2 versions behind) the initial pfctl load comes before named starts so if you run a local name server it will hang. The fix for my system was to reorder startup slightly although this would not work universally.

I'd suggest:
a) keeping names out of pf.conf
b) large blocks of names (for blacklisting/whitelisting) should go into tables as you explained. for cases where tables are overkill, add those host names to /etc/hosts and refresh it from dns when you reboot. if the names go stale between reboots you'll need to manually (or though cron) refresh but if you used dns directly you'd still have to refresh your pf rules when the addr translations go stale so this should not be too much of a problem.