FreeBSD PF and hostname lookups

LordOfLA

While I google around on this I'll throw this out to you guys too.

Is it possible to have the following in a PF ruleset:

trusted_hosts = "{ 10.0.0.1/8, my.host.name }"

?
 
According to the "OpenBSD PF Packet Filter Book", in your rules you obviously use "addresses"; well, an "address" is defined as one of the following (there are a few more, but these are the main ones).

The third one should be the one you are after

  • A single IPv4 or IPv6 address.
  • A CIDR network block.
  • A fully qualified domain name that will be resolved via DNS when the ruleset is loaded. All resulting IP addresses will be substituted into the rule
  • The name of a network interface. Any IP addresses assigned to the interface will be substituted into the rule.
  • The name of a network interface followed by a /netmask (i.e., /24). Each IP address on the interface is combined with the netmask to form a CIDR network block which is substituted into the rule.
  • The name of a network interface in parentheses (). This tells PF to update the rule if the IP address(es) on the named interface change. This is useful on an interface that gets its IP address dynamically via DHCP or dial-up as the ruleset doesn't have to be reloaded each time the address changes.

The mailing list post you linked to is from 2004 which is a bit old ;)
 
A fully qualified domain name does not work on my 6.2-RELEASE gateway
 
Works just fine as linked in my second post for me. 6.2-rel-p5.

I'm hoping that the one-liner the guy provided will allow for potentially changing dynamic IPs to be set in a static firewall rule.
 
this is my pf.rules now

ext_if = "re0"
int_if = "em0"

block in on $ext_if from any to any
pass in on $int_if from { 164.168.1.1/24 } to any
pass in on $ext_if from { 192.168.1.1/24 } to any
pass in on $ext_if from { 12.34.56.78, 15.16.17.18, 34.24.32.18 } to { 80, 443, 2010, 9000:9200 }

now from the link above i see i would have to add something like

table <dns:www.berger.to> { www.berger.to }
pass in proto tcp to <dns:www.berger.to> port 22

to allow DNS names, would I have to put something like that in for all the ports listed in my rules or could I add

pass in on $ext_if from table <dns:www.berger.to> { www.berger.to }
pass in proto tcp to <dns:www.berger.to> port 80, 443, 2010, 9000:9200 ?

Thanks
 
pass in proto tcp to <dns:berger.to> port { 80 443 2010 9000:9200 }

would probably be right. The 4.7 version of PF can look up DNS now I think, but it's not been merged into 6.3 and I'm not sure if it's in 7.0 yet either.
 
The reason you need to create the table is so that it can be dynamically updated, using that one-liner that LordOfLA found. Otherwise the only time that a rule would be getting an IP address is when you load/reload the rule set, which would mean that if the IP address for berger.to changes, your firewall won't know about it.
 
What you could do Carpo is this:

table <dns:www.berger.to> { www.berger.to } 
pass in on $ext_if from <dns:www.berger.to>
pass in proto tcp to <dns:www.berger.to> port {80 443 2010 9000:9200}

You only have to define the table once.
 
Bit moot as my FreeBSD PC has died - looks like the mobo has gone :( but will keep it for reference, think I still have a P4 1.8 laying about somewhere I could use :)
 
The reason you need to create the table is so that it can be dynamically updated, using that one-liner that LordOfLA found. Otherwise the only time that a rule would be getting an IP address is when you load/reload the rule set, which would mean that if the IP address for berger.to changes, your firewall won't know about it.

I believe you can enclose the hostname in {} and it will be resolved each time for 4.7.
 
So all I would really need to change is

pass in on $ext_if from { 12.34.56.78, 15.16.17.18, 34.24.32.18 } to { 80, 443, 2010, 9000:9200 }
to
pass in on $ext_if from { some.dns.name1, somedns.name2, somedns.name3, some.dns.name4 } to { 80, 443, 2010, 9000:9200 } ?

What you could do 3Dfiend is this:

table <dns:www.berger.to> { www.berger.to } 
pass in on $ext_if from <dns:www.berger.to>
pass in proto tcp to <dns:www.berger.to> port {80 443 2010 9000:9200}

You only have to define the table once.

Wouldn't I have to put that in for each DNS addy?
 
Think you'd need

table <dns:names> { some.dns.name1, somedns.name2, somedns.name3, some.dns.name4 }
pass in on $ext_if from <dns:names> to any port { 80, 443, 2010, 9000:9200 }
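The refresh side of that setup, as an added example that is not from the thread: a small script that resolves the hostnames, then swaps the results into the PF table so the rule keeps matching after an address changes. The table name `dns_names`, the host names, and the pf.conf rule in the comment are assumptions; the rule uses `proto tcp ... port { }`, because the `to { 80 ... }` form is parsed as a list of addresses, not ports.

```shell
#!/bin/sh
# Refresh a PF table from DNS so rules keep working when a hostname's
# address changes. Assumes pf.conf defines and references the table:
#   table <dns_names> persist
#   pass in on $ext_if proto tcp from <dns_names> to any port { 80 443 2010 9000:9200 }
# Table and host names here are assumptions; run it from cron every few minutes.

TABLE="${TABLE:-dns_names}"
HOSTS="${HOSTS:-some.dns.name1 somedns.name2}"

# Pull IPv4 addresses out of host(1) output ("name has address A.B.C.D").
# Kept separate from the network call so it can be checked on canned output.
addrs_from_host_output() {
  awk '/ has address / { print $NF }' | sort -u
}

# Resolve each hostname with host(1); a name that fails just yields nothing.
resolve_hosts() {
  for h in "$@"; do
    host -t A "$h" 2>/dev/null
  done | addrs_from_host_output
}

# Replace the table contents in one pfctl call. If DNS failed completely,
# keep the old entries rather than emptying the table and locking everyone out.
refresh_table() {
  addrs=$(resolve_hosts $HOSTS) || true
  if [ -z "$addrs" ]; then
    echo "refresh_table: nothing resolved, leaving <$TABLE> unchanged" >&2
    return 1
  fi
  tmp=$(mktemp) || return 1
  printf '%s\n' "$addrs" > "$tmp"
  pfctl -t "$TABLE" -T replace -f "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}

case "${1:-}" in
  refresh) refresh_table ;;
esac
```

Check the ruleset first with `pfctl -n -f /etc/pf.conf`; the script only touches the table, never the rules.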
 
ext_if = "re0"
int_if = "em0"

block in on $ext_if from any to any
pass in on $int_if from { 164.168.1.1/24 } to any
pass in on $ext_if from { 192.168.1.1/24 } to any
table <dns:names> { some.dns.name1, somedns.name2, somedns.name3, some.dns.name4 }
pass in on $ext_if from <dns:names> to { 80, 443, 2010, 9000:9200 }

Look about right for pf.conf?
 
Looks alright, you can check it with

pfctl -n -f /path/to/pf.conf

If you just get your prompt back then the syntax is at least valid.
 
It's not working, keeps saying syntax error on line 8. If I comment the last two lines out

table <dns:names> { some.dns.name1, somedns.name2, somedns.name3, some.dns.name4 }
pass in on $ext_if from <dns:names> to { 80, 443, 2010, 9000:9200 }

it works. Also it's complaining about no IP for 9000:9200.

Seems pfctl -n -f /etc/pf.conf does not like pass in on $ext_if from <dns:names> to { 80, 443, 2010, 9000:9200 } or pass in on $ext_if from <dns:names> to { 80, 443, 2010 }

Edit: found what the problem was for one of them :) but it still doesn't like 9000:9200. Is there any other way to write a range of ports in PF?
Edit 2: semi-sorted it by removing the ports and just putting any.
 
Might as well turn it off if you're using any :)

When I go to work tomorrow I'll dig up the filters I was using before switching the DNS servers to Debian and using filtering on the distribution switches.
 
