Re: Pf with secondary DNS resolution

2017-05-04 Thread Janne Johansson
2017-05-04 1:56 GMT+02:00 Luke Small:
> Four words Peter..."dynamic IP address". I'm sure that there are folks that
> ssh into machines that are on a dynamic IP address that don't have a modem
> on a power backup, or even possibly on an ISP that may go down, possibly when
>

Re: Pf with secondary DNS resolution

2017-05-04 Thread Peter N. M. Hansteen
The main problem you need to solve or work around is the situation where the name you want to resolve doesn't at *ruleset load* and you end up with an invalid ruleset. In sane setups, the system would then run with either the default rules (check /etc/rc) or the previous version of your

Re: Pf with secondary DNS resolution

2017-05-04 Thread Florian Ermisch
On 4 May 2017 08:39:51 CEST, Janne Johansson wrote:
> I would make those rules have a table, and a cronjob to feed the table with
> the current ips that these hostnames resolve to.
Same here.
> But of course, that implies you trust the replies you get all the time
> from

Re: Pf with secondary DNS resolution

2017-05-04 Thread Janne Johansson
I would make those rules have a table, and a cronjob to feed the table with the current ips that these hostnames resolve to. But of course, that implies you trust the replies you get all the time from that cronjob.
2017-05-03 22:16 GMT+02:00 Luke Small:
> Is it worthwhile

Pf with secondary DNS resolution

2017-05-03 Thread Luke Small
Four words Peter..."dynamic IP address". I'm sure that there are folks that ssh into machines that are on a dynamic IP address that don't have a modem on a power backup, or even possibly on an ISP that may go down, possibly when they are out of town. I don't know if it is possible or already done,

Re: Pf with secondary DNS resolution

2017-05-03 Thread Luke Small
Four words Peter..."dynamic IP address". I'm sure that there are folks that ssh into machines that are on a dynamic IP address that don't have a modem on a power backup, or even possibly on an ISP that may go down, possibly when they are out of town. I don't know if it is possible or already done,

Re: Pf with secondary DNS resolution

2017-05-03 Thread Peter N. M. Hansteen
On 05/03/17 22:16, Luke Small wrote:
> Is it worthwhile to set up a hook for pf to load rules that have URLs after
> the network services that can resolve them come into effect?
This sounds like you have a pf.conf that contains host names, and for some reason you are not sure that those names

Pf with secondary DNS resolution

2017-05-03 Thread Luke Small
Is it worthwhile to set up a hook for pf to load rules that have URLs after the network services that can resolve them come into effect?