On Wed, Jan 19, 2005 at 01:02:10PM -0600, Kevin wrote:
> Are there any "gotchas" I should know about when using dns names in
> pf.conf, specifically in tables used as destinations for permit rules?

It is a good idea to reduce to an absolute minimum the number of dependency-type lookups pf has to do to parse your pf.conf. It is extreme, and no doubt I would have bigger problems of my own in a situation where pf had no access to read /etc/passwd or /etc/services or /etc/protocols, but I try to use raw numbers even for these, to circumvent pf having to do lookups on those files. [1] If one of those lookups fails, parsing will fail, and the ruleset won't be loaded. Your idea of populating a table is much safer.

> The addresses for the hosts change, but relatively rarely. Is it
> safe/recommended to include the hostnames in pf.conf, or would it be
> better to just create text files listing the hostnames and create cron
> jobs to periodically refresh the tables, like this:
>
> @reboot pfctl -q -Treplace -tcvshosts -f /etc/cvshosts.txt
> @weekly pfctl -q -Treplace -tcvshosts -f /etc/cvshosts.txt
>
> This seems to add complexity where it is not really needed, assuming
> there are not risks or race conditions with putting DNS names into
> pf.conf and populating the tables at boot time and whenever I manually
> reload the ruleset?
>
> I am running a local caching resolver, but I do also list my ISP's
> nameserver in /etc/resolv.conf.

Naturally that reduces the chance that a DNS lookup will fail, but it is still relying on something that could break. If you use the table/population method, the worst case is that your table fails to get populated if the file /etc/cvshosts.txt doesn't have the expected data, and pf is much more OK with having a table with no addresses in it than with trying to find out whether there are addresses to be put in but having no way to successfully complete the investigation.

Assuming you go with the DNS lookup method, you'll change your mind the instant you forget to set something up right, the DNS lookup fails and your ruleset barfs :P

jared

[1] Instead, I define a macro at the top, such as 'ssh=22', and then later I use "port $ssh" rather than "port ssh".

-- 
[ openbsd 3.6 GENERIC ( dec 11 ) // i386 ]
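The refresh script below is an added example, not something posted in the thread or shipped with OpenBSD. It takes the table-population approach Jared recommends one step further: the cron job only ever hands pfctl literal IPv4 addresses or CIDR prefixes, so the table load itself never depends on a resolver, and if the hosts file turns out to be missing or empty the previous table contents are left alone instead of being replaced with nothing. The table name "cvshosts" and the path /etc/cvshosts.txt are taken from Kevin's question; the script name, the IPv4-only filter and the sample file contents are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the original thread: refresh a pf table from a
# plain text file of addresses without ever asking pf to do a DNS lookup.
# Table name and file path follow the question; everything else is assumed.
# Intended cron use (hypothetical install path):
#   @reboot /usr/local/sbin/refresh_table.sh cvshosts /etc/cvshosts.txt
#   @weekly /usr/local/sbin/refresh_table.sh cvshosts /etc/cvshosts.txt

# Print the usable entries in file $1, one per line: comments and blank
# lines are stripped, and only literal IPv4 addresses or CIDR prefixes
# survive (assumption: IPv4 only). A bare hostname is dropped on purpose,
# so nothing that needs resolving ever reaches pfctl. Octet range checks
# are left to pfctl, which rejects malformed addresses itself.
filter_addrs() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Number of usable entries in file $1; 0 when the file is unreadable.
count_addrs() {
    if [ -r "$1" ]; then
        filter_addrs "$1" | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# Replace table $1 with the addresses in file $2, but only when the file
# yields at least one usable entry. Otherwise keep the current table and
# return non-zero so cron mails the failure instead of silently emptying it.
refresh_table() {
    table=$1 file=$2
    n=$(count_addrs "$file")
    if [ "$n" -eq 0 ]; then
        echo "refresh_table: no usable addresses in $file; table $table left unchanged" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    filter_addrs "$file" > "$tmp"
    # -T replace swaps the whole table atomically; -q keeps cron output quiet.
    pfctl -q -t "$table" -T replace -f "$tmp" && rc=0 || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Write a constructed sample of what /etc/cvshosts.txt might hold to path $1
# (documentation addresses only, not real CVS mirrors).
write_sample() {
    cat > "$1" <<'EOF'
# cvs mirrors, maintained by hand (constructed sample data)
192.0.2.10
198.51.100.0/24   # a whole netblock is fine
cvs.example.org   # bare hostname: dropped, pf is never handed a name

EOF
}

case $# in
    2) refresh_table "$1" "$2" ;;
    *) echo "usage: $0 table file" >&2 ;;
esac
```

Jared's point stands that pf is perfectly happy with an empty table; the refusal to replace on an empty or missing file is a separate choice about failure behaviour, preferring stale-but-known addresses (and a loud cron error) over a silently empty table that would start dropping the CVS traffic the permit rules exist for. If a host must be resolved at all, do it in a separate job that writes addresses into the file, so a resolver outage can only delay an update and can never stop the ruleset from loading.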