On Thu, 13 Feb 2003, Cedric Berger wrote:

> Bryan Irvine wrote:
>
> > Can you use DNS names instead of IP addresses? Every example I find
> > uses IP addresses. It's not that big of a deal. I'm converting an
> > ipchains list into PF and it uses a lot of names. I'd like to skip the
> > step of looking them all up if I can...
>
> Yes you can use DNS names.
> You can also use interface names, or tables if you've
> a big list of IP addresses to add for one rule.
> Cedric
Re: Bryan Irvine

...But be careful. Resolving biz is done at parsing time. Your rules
won't be dynamic in addressing. e.g.:

block out on $extIf from any to www.example.com port 80

can be useless when the Example Inc. guys change their web server's ip
address. You have to reload the rule set with pfctl again.

P.S.: Maybe I'm wrong? The host_dns() function in pfctl_parser.c (and the
whole pfctl_parser.c) makes me think like this.

Regards,
-bdd
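As an added example (not part of the thread), a small Python model of the parse-time resolution bdd describes: host names after `from`/`to` are resolved once when the rule set is loaded, and a `stale_rules` check reports which loaded rules no longer match the name's current addresses. The rule is the one quoted above; the resolver table and the 192.0.2.x addresses are constructed stand-ins, and the expansion is a simplified model of the behaviour, not pfctl's own code.

```python
import ipaddress
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]

# Constructed sample: the rule from the thread, plus two DNS "snapshots" standing
# in for what the resolver answered at load time and what it answers now.
RULE = "block out on $extIf from any to www.example.com port 80"
DNS_AT_LOAD = {"www.example.com": ["192.0.2.10"]}
DNS_NOW = {"www.example.com": ["192.0.2.20", "192.0.2.21"]}


def make_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Offline stand-in for a DNS lookup: answers from a fixed table (assumption)."""
    return lambda name: sorted(table.get(name, []))


def _is_hostname(token: str) -> bool:
    """True for a bare host name; False for any/self, macros, tables and literals."""
    if token in ("any", "self") or token[0] in "$<(!":
        return False
    try:
        ipaddress.ip_network(token, strict=False)
        return False
    except ValueError:
        return token.replace(".", "").replace("-", "").isalnum()


def expand_rule(rule: str, resolve: Resolver) -> List[str]:
    """Model parse-time expansion: each host name after from/to is resolved once
    and the rule is duplicated per address (simplified model, not pfctl code)."""
    words = rule.split()
    variants = [words]
    for i, w in enumerate(words):
        if i > 0 and words[i - 1] in ("from", "to") and _is_hostname(w):
            addrs = resolve(w)
            if not addrs:
                raise ValueError(f"{w}: could not resolve at load time")
            variants = [v[:i] + [a] + v[i + 1:] for v in variants for a in addrs]
    return [" ".join(v) for v in variants]


def stale_rules(rule: str, at_load: Resolver, now: Resolver) -> List[str]:
    """Loaded rules whose address no longer matches the name's current answers;
    they stay in effect until the rule set is reloaded with pfctl."""
    loaded = set(expand_rule(rule, at_load))
    return sorted(loaded - set(expand_rule(rule, now)))


if __name__ == "__main__":
    for r in stale_rules(RULE, make_resolver(DNS_AT_LOAD), make_resolver(DNS_NOW)):
        print("stale:", r)
```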
