Re: [Dnsmasq-discuss] Add IPs to BSD pf table from dnsmasq?

2018-01-01 Thread Chen Wei
On Fri, Dec 22, 2017 at 09:17:08PM +, Andrew White wrote:
> I've used it for a while on FreeBSD without issue, configured as per the
> dnsmasq man page syntax.
> 

Thanks for the max-ttl tip. I have used it on pfSense (based on FreeBSD)
for several days now. No issue!


> I would add to the docs the risk that this feature can lead to a growing table
> of IPs that never gets pruned or expired, which could lead to allowing more
> IP addresses within a table over time than might be anticipated. I.e. you
> could end up with the hostname of the endpoint moving IP, but your firewall
> still allowing traffic from the old IP; under some circumstances this is a
> significant risk. I use the max-ttl feature of dnsmasq with the pf table
> expire feature to prune the table every 15 mins. YMMV as the client using
> this feature would need to support re-resolving IPs.
> 
> On Tue, Dec 19, 2017 at 1:38 AM, Chen Wei wrote:
> 
> > On Mon, Dec 18, 2017 at 07:21:37PM +, Simon Kelley wrote:
> > > On 17/12/17 08:02, Chen Wei wrote:
> > > > is very fast. Is it possible to add the results of DNS lookup to pf
> > > > table from dnsmasq?
> > > >
> > > Yes, it is. pf tables are supported on BSD using the same --ipset
> > > dnsmasq configuration option. Looking, there's no explicit
> >

-- 
Chen Wei


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] Add IPs to BSD pf table from dnsmasq?

2017-12-22 Thread Andrew White
I've used it for a while on FreeBSD without issue, configured as per the
dnsmasq man page syntax.

I would add to the docs the risk that this feature can lead to a growing table
of IPs that never gets pruned or expired, which could lead to allowing more
IP addresses within a table over time than might be anticipated. I.e. you
could end up with the hostname of the endpoint moving IP, but your firewall
still allowing traffic from the old IP; under some circumstances this is a
significant risk. I use the max-ttl feature of dnsmasq with the pf table
expire feature to prune the table every 15 mins. YMMV as the client using
this feature would need to support re-resolving IPs.

A

On Tue, Dec 19, 2017 at 1:38 AM, Chen Wei wrote:

> On Mon, Dec 18, 2017 at 07:21:37PM +, Simon Kelley wrote:
> > On 17/12/17 08:02, Chen Wei wrote:
> > > is very fast. Is it possible to add the results of DNS lookup to pf
> > > table from dnsmasq?
> > >
> > Yes, it is. pf tables are supported on BSD using the same --ipset
> > dnsmasq configuration option. Looking, there's no explicit
>
> This is great. Thanks!
>
>
> > documentation about this, which is bad. It should at least be mentioned
> > in the man page, and any BSD-specific information required added. Not
> > knowing BSD, I'm not sure exactly what that might be.
> > cheers,
> > Simon.
> >
>
> --
> Chen Wei
>
>
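As an added example (not code from the thread, from dnsmasq or from pf), a cron script that does the pruning Andrew describes: it reads the pf table names from the ipset= lines and the max-ttl value from dnsmasq.conf, refuses an expire age shorter than max-ttl (a client may still be holding that answer), and runs pfctl -t TABLE -T expire AGE for each table. The config path and the PFCTL override variable are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from dnsmasq/pf themselves.
# Cap answer lifetime with max-ttl, then expire pf table entries that dnsmasq
# added via ipset= once they are older than that, so an address a hostname
# has moved away from stops being allowed by the firewall.
# Assumptions: config path below; PFCTL can be overridden for dry runs.
CONF=${CONF:-/usr/local/etc/dnsmasq.conf}
PFCTL=${PFCTL:-pfctl}

# Table names from ipset= lines, e.g. ipset=/a.example/b.example/t1,t2 -> t1 t2
ipset_tables() {
    grep -E '^ipset=' "$1" | sed -E 's#^ipset=(/.*/)?##' | tr ',' '\n' | sort -u
}

# Value of the last max-ttl= line, in seconds; 0 if none is configured.
max_ttl_seconds() {
    v=$(grep -E '^max-ttl=' "$1" | tail -n 1 | cut -d= -f2)
    echo "${v:-0}"
}

# Expiring entries younger than max-ttl would block a client that still
# holds a valid answer, so require max-ttl to be set and age >= max-ttl.
expiry_is_safe() {
    ttl=$(max_ttl_seconds "$1")
    [ "$ttl" -gt 0 ] && [ "$2" -ge "$ttl" ]
}

# Drop entries older than $2 seconds from every dnsmasq-fed table in $1.
expire_tables() {
    for t in $(ipset_tables "$1"); do
        $PFCTL -t "$t" -T expire "$2"
    done
}

# Run from cron, e.g. every 15 minutes with max-ttl=900 in dnsmasq.conf:
#   */15 * * * * /usr/local/sbin/prune-dnsmasq-tables.sh --run 900
if [ "${1:-}" = "--run" ]; then
    age=${2:-900}
    expiry_is_safe "$CONF" "$age" || { echo "expire age $age < max-ttl" >&2; exit 1; }
    expire_tables "$CONF" "$age"
fi
```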