FreeBSD PF and hostname lookups

Discussion in 'Linux & BSD' started by LordOfLA, Jun 28, 2007.

  1. LordOfLA

    LordOfLA Godlike!

    Messages:
    7,027
    Location:
    Maidenhead, Berkshire, UK
    While I google around on this I'll throw this out to you guys too.

    Is it possible to have the following in a PF ruleset:

    trusted_hosts = "{ 10.0.0.1/8, my.host.name }"

    ?
     
  2. LordOfLA

    LordOfLA Godlike!

    Messages:
    7,027
    Location:
    Maidenhead, Berkshire, UK
  3. Geffy

    Geffy Moderator Folding Team

    Messages:
    7,805
    Location:
    United Kingdom
    According to the "OpenBSD PF Packet Filter Book", in your rules you obviously use "addresses"; well, an "address" is defined as one of the following (there are a few more, but these are the main ones).

    The third one should be the one you are after.

    • A single IPv4 or IPv6 address.
    • A CIDR network block.
    • A fully qualified domain name that will be resolved via DNS when the ruleset is loaded. All resulting IP addresses will be substituted into the rule.
    • The name of a network interface. Any IP addresses assigned to the interface will be substituted into the rule.
    • The name of a network interface followed by a /netmask (i.e., /24). Each IP address on the interface is combined with the netmask to form a CIDR network block which is substituted into the rule.
    • The name of a network interface in parentheses (). This tells PF to update the rule if the IP address(es) on the named interface change. This is useful on an interface that gets its IP address dynamically via DHCP or dial-up as the ruleset doesn't have to be reloaded each time the address changes.

    The mailing list post you linked to is from 2004 which is a bit old ;)
     
  4. X-Istence

    X-Istence * Political User

    Messages:
    6,498
    Location:
    USA
    A fully qualified domain name does not work on my 6.2-RELEASE gateway
     
  5. LordOfLA

    LordOfLA Godlike!

    Messages:
    7,027
    Location:
    Maidenhead, Berkshire, UK
    Works just fine as linked in my second post for me. 6.2-rel-p5.

    I'm hoping that the one-liner the guy provided will allow for potentially changing dynamic IPs to be set in a static firewall rule.
     
  6. Dark Atheist

    Dark Atheist Moderator Political User Folding Team

    Messages:
    6,376
    Location:
    In The Void
    This is my pf.rules now:

    ext_if = "re0"
    int_if = "em0"

    block in on $ext_if from any to any
    pass in on $int_if from { 164.168.1.1/24 } to any
    pass in on $ext_if from { 192.168.1.1/24 } to any
    pass in on $ext_if from { 12.34.56.78, 15.16.17.18, 34.24.32.18 } to { 80, 443, 2010, 9000:9200 }

    Now from the link above I see I would have to add something like

    table <dns:www.berger.to> { www.berger.to }
    pass in proto tcp to <dns:www.berger.to> port 22

    to allow DNS names. Would I have to put something like that in for all the ports listed in my rules, or could I add

    pass in on $ext_if from table <dns:www.berger.to> { www.berger.to }
    pass in proto tcp to <dns:www.berger.to> port
    80, 443, 2010, 9000:9200 ?

    Thanks
     
  7. Geffy

    Geffy Moderator Folding Team

    Messages:
    7,805
    Location:
    United Kingdom
    pass in proto tcp to <dns:berger.to> port { 80 443 2010 9000:9200 }

    would probably be right. The 4.7 version of PF can look up DNS now I think, but it's not been merged into 6.3 and I'm not sure if it's in 7.0 yet either.
     
  8. X-Istence

    X-Istence * Political User

    Messages:
    6,498
    Location:
    USA
    The reason you need to create the table is so that it can be dynamically updated, using that one-liner that LordOfLA found. Otherwise the only time that a rule would be getting an IP address is when you load/reload the rule set, which would mean that if the IP address for berger.to changes, your firewall won't know about it.
     
  9. X-Istence

    X-Istence * Political User

    Messages:
    6,498
    Location:
    USA
    What you could do Carpo is this:

    Code:
    table <dns:www.berger.to> { www.berger.to }
    pass in on $ext_if from <dns:www.berger.to>
    pass in proto tcp to <dns:www.berger.to> port { 80 443 2010 9000:9200 }

    You only have to define the table once.
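    As an added example (not code from the thread or from any of its posters), here is a small sh script of the kind X-Istence's explanation calls for: it re-resolves the hostnames behind a table and replaces the table's contents in the running kernel with `pfctl -t <table> -T replace`, so the rule set itself is never reloaded. The table name `dns:names`, the placeholder hostnames and the use of host(1) for the lookups are assumptions; the script refuses to touch the table when any name fails to resolve, because an empty or partial replacement would silently change which hosts the rule admits.

```shell
#!/bin/sh
# pf-dns-refresh.sh: re-resolve hostnames and replace a PF table in place.
# Added example, not from the thread. Assumptions: pf.conf declares
# "table <dns:names> { ... }" as in the thread, host(1) is installed, and the
# script runs from root's crontab, e.g.
#   */5 * * * * /usr/local/sbin/pf-dns-refresh.sh run

TABLE="${TABLE:-dns:names}"                      # table name declared in pf.conf
NAMES="${NAMES:-some.dns.name1 somedns.name2}"   # placeholder names, space separated

# Keep only the A/AAAA answers from host(1) output; MX and alias lines are dropped.
extract_addrs() {
    awk '/ has address / || / has IPv6 address / { print $NF }' | sort -u
}

# Resolve every name. Return non-zero if any name yields no address, so the
# caller leaves the existing table alone instead of narrowing or emptying it.
resolve_all() {
    out=""
    for n in "$@"; do
        r=$(host "$n" 2>/dev/null | extract_addrs)
        if [ -z "$r" ]; then
            echo "pf-dns-refresh: no address for $n, table left unchanged" >&2
            return 1
        fi
        out="$out
$r"
    done
    printf '%s\n' "$out" | sed '/^$/d' | sort -u
}

# Replace the kernel table; -T replace only touches the named table, the
# loaded rule set is not reparsed or reloaded.
refresh_table() {
    addrs=$(resolve_all "$@") || return 1
    # word splitting on $addrs is intended: one argument per address
    pfctl -t "$TABLE" -T replace $addrs
}

case "${1:-}" in
    run)  refresh_table $NAMES ;;
    show) pfctl -t "$TABLE" -T show ;;
esac
```

    Run it as `pf-dns-refresh.sh run` from cron and `pf-dns-refresh.sh show` to see what the table currently holds. Note what this design does to the trust boundary: the allow list is now only as trustworthy as the DNS answers the box receives, so point the lookups at a resolver you control and keep the list of names short.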
     
  10. Dark Atheist

    Dark Atheist Moderator Political User Folding Team

    Messages:
    6,376
    Location:
    In The Void
    Bit moot as my FreeBSD PC has died - looks like the mobo has gone :( but I will keep it for reference; think I still have a P4 1.8 lying about somewhere I could use :)
     
  11. Geffy

    Geffy Moderator Folding Team

    Messages:
    7,805
    Location:
    United Kingdom
    I believe you can enclose the hostname in {} and it will be resolved each time for 4.7.
     
  12. Dark Atheist

    Dark Atheist Moderator Political User Folding Team

    Messages:
    6,376
    Location:
    In The Void
    So all I would really need to change is

    pass in on $ext_if from { 12.34.56.78, 15.16.17.18, 34.24.32.18 } to { 80, 443, 2010, 9000:9200 }
    to
    pass in on $ext_if from { some.dns.name1, somedns.name2, somedns.name3, some.dns.name4 } to { 80, 443, 2010, 9000:9200 } ?

    Wouldn't I have to put that in for each DNS addy?
     
    Last edited: Mar 26, 2009
  13. Dark Atheist

    Dark Atheist Moderator Political User Folding Team

    Messages:
    6,376
    Location:
    In The Void
  14. Geffy

    Geffy Moderator Folding Team

    Messages:
    7,805
    Location:
    United Kingdom
    Think you'd need

    table <dns:names> { some.dns.name1, somedns.name2, somedns.name3, some.dns.name4 }
    pass in on $ext_if from <dns:names> to any port { 80, 443, 2010, 9000:9200 }
     
  15. Dark Atheist

    Dark Atheist Moderator Political User Folding Team

    Messages:
    6,376
    Location:
    In The Void
    Thanks - will give it a go later.
     
  16. Dark Atheist

    Dark Atheist Moderator Political User Folding Team

    Messages:
    6,376
    Location:
    In The Void
    ext_if = "re0"
    int_if = "em0"

    block in on $ext_if from any to any
    pass in on $int_if from { 164.168.1.1/24 } to any
    pass in on $ext_if from { 192.168.1.1/24 } to any
    table <dns:names> { some.dns.name1, somedns.name2, somedns.name3, some.dns.name4 }
    pass in on $ext_if from <dns:names> to { 80, 443, 2010, 9000:9200 }

    Look about right for pf.conf?
     
  17. Geffy

    Geffy Moderator Folding Team

    Messages:
    7,805
    Location:
    United Kingdom
    Looks alright; you can check it with

    pfctl -n -f /path/to/pf.conf

    If you just get your prompt back, then the syntax is at least valid.
     
  18. Dark Atheist

    Dark Atheist Moderator Political User Folding Team

    Messages:
    6,376
    Location:
    In The Void
    Just rebuilding the kernel to add PF support :)
     
  19. Dark Atheist

    Dark Atheist Moderator Political User Folding Team

    Messages:
    6,376
    Location:
    In The Void
    It's not working; it keeps saying syntax error on line 8. If I comment the last two lines out

    table <dns:names> { some.dns.name1, somedns.name2, somedns.name3, some.dns.name4 }
    pass in on $ext_if from <dns:names> to { 80, 443, 2010, 9000:9200 }

    it works. Also it's complaining about no IP for 9000:9200.

    Seems pfctl -n -f /etc/pf.conf does not like pass in on $ext_if from <dns:names> to { 80, 443, 2010, 9000:9200 } or pass in on $ext_if from <dns:names> to { 80, 443, 2010 }.

    Edit - found what the prob was for one problem :) but it still doesn't like 9000:9200. Is there any other way to write a range of ports in PF?
    Edit2: semi-sorted it by removing the ports and just putting any.
     
    Last edited: Mar 8, 2008
  20. LordOfLA

    LordOfLA Godlike!

    Messages:
    7,027
    Location:
    Maidenhead, Berkshire, UK
    Might as well turn it off if you're using any :)

    When I go to work tomorrow I'll dig up the filters I was using before switching the DNS servers to Debian and using filtering on the distribution switches.