On Thu, Sep 8, 2011 at 01:13, Theo de Raadt <dera...@cvs.openbsd.org> wrote:
>> For example, is it possible to block a well-known social networking
>> site which resolves to multiple IP addresses, using a PF table
>> <socialnet> with just the hostname of the website?

> No.  What you want is to expand to all of the addresses.  Since
> addresses keep being added for such hostnames on the fly, it won't
> work.

Blocking those hosts by IP is highly impractical given the reasons you noted, and I'll add that it's usually a *really* bad idea to block the CDNs by IP unless Gerard also wants to block his users from Microsoft's update service, support.dell.com and a few other "big names". Been there, done that, suffered the resulting black eye.

Gerard - if this is to meet some policy that you can't influence, then use Squid with wildcards on the domains, play tricks in DNS if you need to, then hope your users aren't proxying connections via outside connections - all they need is one arbitrary port open to one arbitrary host and you can be completely blind to what they're doing.

If you *can* influence the policy, consider a default deny with whitelisting for necessary destinations/ports.

kmw
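A pf.conf sketch of the "default deny with whitelisting" approach kmw recommends, added here as an illustration; it is not from the original mail or from either poster. Interface names, addresses and ports are assumptions. The comment on the table records the point Theo makes about hostnames: a name listed in a table is resolved once when the ruleset is loaded, so addresses the name later starts resolving to are not in the table.

```pf
# Added example (not from the mail): egress default deny with a whitelist
# of permitted destinations.  em0/em1 and the addresses are assumptions.
ext_if = "em0"
int_if = "em1"

# Destinations users are allowed to reach.  A hostname placed here is
# resolved ONCE, at ruleset load (pfctl -f), and never re-resolved; that is
# why hostname-based tables do not track a CDN whose addresses keep changing.
table <allowed_dst> persist { 192.0.2.10, 203.0.113.0/24 }
allowed_tcp_ports = "{ 80 443 }"

set skip on lo

# Default deny: anything not explicitly passed below is dropped and logged.
block log all

# The firewall itself may resolve names so the ruleset can be loaded.
pass out on $ext_if inet proto udp from ($ext_if) to any port 53

# LAN clients may reach only whitelisted destinations on whitelisted ports.
pass in  on $int_if inet proto tcp from $int_if:network to <allowed_dst> port $allowed_tcp_ports
pass out on $ext_if inet proto tcp to <allowed_dst> port $allowed_tcp_ports
```

Load with `pfctl -f /etc/pf.conf` and inspect what a table actually contains with `pfctl -t allowed_dst -T show`; a hostname in the table will appear only as the addresses it resolved to at load time. Entries can be added or removed at runtime without reloading (`pfctl -t allowed_dst -T add 198.51.100.7`), which is the hook to use if something else (a DNS log, a proxy) is maintaining the list.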