Is there any way to block networks by using a wildcard in the hostname?

Let's take Google as an example. Google has many different networks and such.
I found no way (while reading the PF manpage) to block them all using
something simple like *.google.com/de/foo.
Is there any way to do this? The IPsec framework can handle
hostnames without problems.

Copy & paste from the PF FAQ:

src_addr, dst_addr
    The source/destination address in the IP header. Addresses can be
    specified as:
      + A single IPv4 or IPv6 address.
      + A CIDR network block.
      + A fully qualified domain name that will be resolved via DNS when the
        ruleset is loaded. All resulting IP addresses will be substituted into
        the rule.
      + The name of a network interface. Any IP addresses assigned to the
        interface will be substituted into the rule.
      + The name of a network interface followed by /netmask (i.e., /24). Each
        IP address on the interface is combined with the netmask to form a
        CIDR network block which is substituted into the rule.
      + The name of a network interface in parentheses ( ). This tells PF to
        update the rule if the IP address(es) on the named interface change.
        This is useful on an interface that gets its IP address via DHCP or
        dial-up as the ruleset doesn't have to be reloaded each time the
        address changes.
      + The name of a network interface followed by any one of these
        modifiers:
          o :network - substitutes the CIDR network block (e.g.,
            192.168.0.0/24)
          o :broadcast - substitutes the network broadcast address (e.g.,
            192.168.0.255)
          o :peer - substitutes the peer's IP address on a point-to-point link

            In addition, the :0 modifier can be appended to either an
            interface name or to any of the above modifiers to indicate that
            PF should not include aliased IP addresses in the substitution.
            These modifiers can also be used when the interface is contained
            in parentheses. Example: fxp0:network:0

      + A table.
      + Any of the above but negated using the ! ("not") modifier.
      + A set of addresses using a list.
      + The keyword any meaning all addresses
      + The keyword all which is short for from any to any.

That doesn't mean I can use *.google.com, but I would be able to use
www.google.com if I understood the FAQ and the manual correctly.
Because I may not be able to know every hostname in a foreign network, a
wildcard would be a neat solution.

Is it maybe planned to add a wildcard to PF, so that such stuff would be
possible in the future if it isn't already possible?


Kind regards,
Sebastian
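The FAQ text quoted above lists two things that matter here: an FQDN in a rule is resolved only when the ruleset is loaded, and a table can be changed without reloading the ruleset. The script below is an added example (not from the original post and not PF's own code) of the usual way to cover a network with many hostnames: keep hostnames and CIDR blocks in a list, resolve them into a table file, and replace only the table with pfctl, e.g. from cron. The table name `blocked`, the file paths and the helper functions are assumptions; a constructed list is used in the usage note.

```shell
#!/bin/sh
# Added example, not part of the original post or of PF itself: build a PF
# table file from a list that mixes hostnames with IPv4/IPv6 addresses and
# CIDR blocks, then load it with pfctl. PF resolves an FQDN only when the
# ruleset is loaded, so periodically refreshing a table is the usual way
# to keep up with a network that has many hostnames.
#
# Assumed pf.conf (the table name "blocked" and the file path are our choice):
#   table <blocked> persist file "/etc/pf/blocked.addrs"
#   block out quick to <blocked>

# is_literal ENTRY: succeed if ENTRY is already an IPv4/IPv6 address or a
# CIDR block, which PF tables accept verbatim, so no DNS lookup is needed.
is_literal() {
    case "$1" in
        '') return 1 ;;
        *[!0-9./]*)
            # Not plain IPv4: accept it only if it looks like IPv6
            # (hex digits, colons, optional prefix length).
            case "$1" in
                *:*) case "$1" in
                         *[!0-9A-Fa-f:./]*) return 1 ;;
                         *) return 0 ;;
                     esac ;;
                *) return 1 ;;
            esac ;;
        *) return 0 ;;
    esac
}

# resolve_name NAME: print every IPv4/IPv6 address NAME currently resolves to.
# getent(1) is used where available (Linux), host(1) otherwise (OpenBSD).
resolve_name() {
    if command -v getent >/dev/null 2>&1; then
        getent ahosts "$1" | awk '{ print $1 }'
    else
        host "$1" 2>/dev/null | awk '/has (IPv6 )?address/ { print $NF }'
    fi
}

# build_table LISTFILE: print the table contents, one address or block per
# line, sorted and de-duplicated. Blank lines and '#' comments are skipped;
# a name that does not resolve is reported on stderr and left out rather
# than aborting the whole refresh.
build_table() {
    while IFS= read -r entry || [ -n "$entry" ]; do
        entry=${entry%%#*}                      # strip trailing comment
        entry=$(printf '%s' "$entry" | tr -d ' \t')
        [ -z "$entry" ] && continue
        if is_literal "$entry"; then
            printf '%s\n' "$entry"
        else
            addrs=$(resolve_name "$entry" || true)
            if [ -z "$addrs" ]; then
                printf 'warning: %s did not resolve, skipped\n' "$entry" >&2
            else
                printf '%s\n' "$addrs"
            fi
        fi
    done < "$1" | sort -u
}

# load_table FILE: replace the live table contents with FILE in one step,
# without reloading the ruleset (pfctl -t <table> -T replace -f <file>).
load_table() {
    pfctl -t blocked -T replace -f "$1"
}

# Usage: pftable.sh /etc/pf/blocked.list /etc/pf/blocked.addrs
# The new file is written beside the old one and moved into place so the
# persisted table file is never half-written if the job is interrupted.
if [ "$#" -eq 2 ]; then
    build_table "$1" > "$2.new" && mv "$2.new" "$2" && load_table "$2"
fi
```

A list file for this script looks like `www.google.com` on one line and `192.0.2.0/24` on the next (constructed values); literals are passed through untouched, names are expanded to whatever they resolve to at refresh time, and the rule `block out quick to <blocked>` never has to be reloaded. This still only covers hostnames you know about, which is exactly the limitation the question describes; a table can hold the resolved addresses, not a pattern over names.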
