Re: Using hostnames in pf rules
Hi all,

> make a table, and have cron update the contents of this table with the result of the latest resolved ip.

Thanks all three for your answers.

--
Au revoir,                              09 51 84 42 42
Gilles Lamiral. France, Baulon (35580)  06 20 79 76 06
Using hostnames in pf rules
Hello,

I need to use a hostname in a pf rule to allow a connection. The hostname is needed because the resolution is dynamic, it can change at any minute (TTL 60).

Is there a flag to tell pf to resolve the name each time it tries to match this part?

The domain name server is trusted and near/fast the pf host. The rules are written so that this rule is not read often. There's no problem if pf slows down because of name resolution times.

I've seen I can do it with an anchor and a script flushing/adding the hostname each minute or less, I ask if there's a way less complicated and more understandable (reading pf.conf).

Thanks in advance.

--
Au revoir,                              09 51 84 42 42
Gilles Lamiral. France, Baulon (35580)  06 20 79 76 06
Re: Using hostnames in pf rules
make a table, and have cron update the contents of this table with the result of the latest resolved ip.

2013/3/15 Gilles LAMIRAL gilles.lami...@laposte.net

> Hello,
>
> I need to use a hostname in a pf rule to allow a connection. The hostname is needed because the resolution is dynamic, it can change at any minute (TTL 60).
>
> Is there a flag to tell pf to resolve the name each time it tries to match this part?
>
> The domain name server is trusted and near/fast the pf host. The rules are written so that this rule is not read often. There's no problem if pf slows down because of name resolution times.
>
> I've seen I can do it with an anchor and a script flushing/adding the hostname each minute or less, I ask if there's a way less complicated and more understandable (reading pf.conf).
>
> Thanks in advance.
>
> --
> Au revoir,                              09 51 84 42 42
> Gilles Lamiral. France, Baulon (35580)  06 20 79 76 06

--
May the most significant bit of your life be positive.
Re: Using hostnames in pf rules
On Fri, Mar 15, 2013 at 11:16:53AM +0100, Gilles LAMIRAL wrote:

> I need to use a hostname in a pf rule to allow a connection. The hostname is needed because the resolution is dynamic, it can change at any minute (TTL 60).

host names in pf.conf and friends are resolved at load time so it's either reload the pf.conf fairly often (a cron job comes to mind) or make the rule refer to a table that will only ever contain the freshly resolved IP address for that hostname and let a sufficiently frequent job (cron or otherwise) update the table with whatever the hostname currently resolves to.

> I've seen I can do it with an anchor and a script flushing/adding the hostname each minute or less, I ask if there's a way less complicated and more understandable (reading pf.conf).

an anchor would work too, so you may have a workable solution there already.

All the best,
Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: Using hostnames in pf rules
2013/3/15 Gilles LAMIRAL gilles.lami...@laposte.net

> Is there a flag to tell pf to resolve the name each time it tries to match this part?

This would mean having a DNS resolver in the kernel; not going to happen.

On 2013-03-15, Janne Johansson icepic...@gmail.com wrote:

> make a table, and have cron update the contents of this table with the result of the latest resolved ip.

Yes, this is simpler than using an anchor and a script. Simple one-liner in crontab should do:

    pfctl -t tablename -Tr hostname
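As an added example, not part of the thread: the table-plus-cron approach suggested above, written out as a script that validates what the resolver returns before handing it to pfctl and flushes the table (so the pass rule matches nothing) when the name stops resolving, instead of leaving a stale address in place as the bare one-liner would. The table name dynhosts, the host dyn.example.org, the script path and the use of dig(1) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: refresh a pf table from cron with the
# A records a hostname currently resolves to, validating resolver output and
# failing closed when nothing resolves. Placeholder names: table <dynhosts>,
# host dyn.example.org. Assumes pf.conf declares
#   table <dynhosts> persist
#   pass in proto tcp from <dynhosts> to any port ssh
# and crontab runs:  * * * * * /usr/local/sbin/pf-refresh dyn.example.org dynhosts
# The resolver is queried through dig(1), assumed to be installed.
# is_ipv4 ADDR: true only for a dotted quad whose four octets are all 0-255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# filter_ipv4: read candidate addresses on stdin and print only valid IPv4 ones,
# so CNAME targets, resolver error text or an empty answer never reach pfctl.
filter_ipv4() {
    while IFS= read -r addr; do
        is_ipv4 "$addr" && printf '%s\n' "$addr"
    done
    return 0
}

# refresh_table HOST TABLE: replace TABLE's contents with HOST's current A records.
# With no valid answer the table is flushed (fail closed: the pass rule then matches
# nothing) instead of keeping an address the host may no longer own.
refresh_table() {
    host=$1; table=$2
    addrs=$(dig +short A "$host" 2>/dev/null | filter_ipv4)
    if [ -z "$addrs" ]; then
        logger -t pf-refresh "no A record for $host; flushing table <$table>"
        pfctl -t "$table" -T flush
        return 1
    fi
    # word splitting on $addrs is intended: one argument per address
    pfctl -t "$table" -T replace $addrs
}

if [ $# -eq 2 ]; then refresh_table "$1" "$2"; fi
```

Because the table holds whatever the resolver answers, the rule is only as trustworthy as the path to that resolver; pointing the host at a validating resolver is the usual way to keep that assumption honest.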