FreeBSD PF and hostname lookups

LordOfLA

Godlike!
Joined
2 Feb 2004
Messages
7,026
While I google around on this I'll throw this out to you guys too.

Is it possible to have the following in a PF ruleset:

trusted_hosts = "{ 10.0.0.1/8, my.host.name }"

?
 

Geffy

OSNN Veteran Addict
Joined
18 Mar 2002
Messages
7,805
According to the "OpenBSD PF Packet Filter Book", in your rules you obviously use "addresses"; well, an "address" is defined as one of the following (there are a few more, but these are the main ones).

The third one should be the one you are after:

  • A single IPv4 or IPv6 address.
  • A CIDR network block.
  • A fully qualified domain name that will be resolved via DNS when the ruleset is loaded. All resulting IP addresses will be substituted into the rule
  • The name of a network interface. Any IP addresses assigned to the interface will be substituted into the rule.
  • The name of a network interface followed by a /netmask (i.e., /24). Each IP address on the interface is combined with the netmask to form a CIDR network block which is substituted into the rule.
  • The name of a network interface in parentheses (). This tells PF to update the rule if the IP address(es) on the named interface change. This is useful on an interface that gets its IP address dynamically via DHCP or dial-up as the ruleset doesn't have to be reloaded each time the address changes.

The mailing list post you linked to is from 2004 which is a bit old ;)
 

X-Istence

Political Access
Joined
5 Dec 2001
Messages
6,498
A fully qualified domain name does not work on my 6.2-RELEASE gateway.
 

LordOfLA
Works just fine as linked in my second post for me. 6.2-rel-p5.

I'm hoping that the one-liner the guy provided will allow for potentially changing dynamic IPs to be set in a static firewall rule.
 

Dark Atheist

OSNN Veteran Addict
Political Access
Joined
8 Apr 2003
Messages
6,376
This is my pf.rules now:

ext_if = "re0"
int_if = "em0"

block in on $ext_if from any to any
pass in on $int_if from { 164.168.1.1/24 } to any
pass in on $ext_if from { 192.168.1.1/24 } to any
pass in on $ext_if from { 12.34.56.78, 15.16.17.18, 34.24.32.18 } to { 80, 443, 2010, 9000:9200 }

Now from the link above I see I would have to add something like

table <dns:www.berger.to> { www.berger.to }
pass in proto tcp to <dns:www.berger.to> port 22

to allow DNS names. Would I have to put something like that in for all the ports listed in my rules, or could I add

pass in on $ext_if from table <dns:www.berger.to> { www.berger.to }
pass in proto tcp to <dns:www.berger.to> port
80, 443, 2010, 9000:9200 ?

Thanks
 

Geffy
pass in proto tcp to <dns:berger.to> port { 80 443 2010 9000:9200 }

would probably be right. The 4.7 version of PF can look up DNS now, I think, but it's not been merged into 6.3, and I'm not sure if it's in 7.0 yet either.
 

X-Istence
The reason you need to create the table is so that it can be dynamically updated, using that one-liner that LordOfLA found. Otherwise the only time that a rule would be getting an IP address is when you load/reload the rule set, which would mean that if the IP address for berger.to changes, your firewall won't know about it.
 

X-Istence
What you could do, Carpo, is this:

Code:
table <dns:www.berger.to> { www.berger.to } 
pass in on $ext_if from <dns:www.berger.to>
pass in proto tcp to <dns:www.berger.to> port {80 443 2010 9000:9200}

You only have to define the table once.
 

Dark Atheist
Bit moot as my FreeBSD PC has died - looks like the mobo has gone :( but I will keep it for reference; think I still have a P4 1.8 lying about somewhere I could use :)
 

Geffy
The reason you need to create the table is so that it can be dynamically updated, using that one-liner that LordOfLA found. Otherwise the only time that a rule would be getting an IP address is when you load/reload the rule set, which would mean that if the IP address for berger.to changes, your firewall won't know about it.

I believe you can enclose the hostname in {} and it will be resolved each time for 4.7.
 

Dark Atheist
So all I would really need to change is

pass in on $ext_if from { 12.34.56.78, 15.16.17.18, 34.24.32.18 } to { 80, 443, 2010, 9000:9200 }
to
pass in on $ext_if from { some.dns.name1, somedns.name2, somedns.name3, some.dns.name4 } to { 80, 443, 2010, 9000:9200 } ?

What you could do, 3Dfiend, is this:

Code:
table <dns:www.berger.to> { www.berger.to } 
pass in on $ext_if from <dns:www.berger.to>
pass in proto tcp to <dns:www.berger.to> port {80 443 2010 9000:9200}
You only have to define the table once.

Wouldn't I have to put that in for each DNS addy?
 

Geffy
Think you'd need

table <dns:names> { some.dns.name1, somedns.name2, somedns.name3, some.dns.name4 }
pass in on $ext_if from <dns:names> to any port { 80, 443, 2010, 9000:9200 }
 

Dark Atheist
ext_if = "re0"
int_if = "em0"

block in on $ext_if from any to any
pass in on $int_if from { 164.168.1.1/24 } to any
pass in on $ext_if from { 192.168.1.1/24 } to any
table <dns:names> { some.dns.name1, somedns.name2, somedns.name3, some.dns.name4 }
pass in on $ext_if from <dns:names> to { 80, 443, 2010, 9000:9200 }

Look about right for pf.conf?
 

Geffy
Looks alright; you can check it with

pfctl -n -f /path/to/pf.conf

If you just get your prompt back, then the syntax is at least valid.
 

Dark Atheist
It's not working, keeps saying syntax error on line 8 - if I comment the last two lines out

table <dns:names> { some.dns.name1, somedns.name2, somedns.name3, some.dns.name4 }
pass in on $ext_if from <dns:names> to { 80, 443, 2010, 9000:9200 }

it works. Also it's complaining about no IP for 9000:9200.

Seems pfctl -n -f /etc/pf.conf does not like pass in on $ext_if from <dns:names> to { 80, 443, 2010, 9000:9200 } or pass in on $ext_if from <dns:names> to { 80, 443, 2010 }

Edit - found what the prob was for one problem :) but it still doesn't like 9000:9200. Is there any other way to write a range of ports in PF?
Edit 2: semi sorted it by removing the ports and just putting any.
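Pulling the thread together as one added example (written for this edit, not code from the thread, from PF's own documentation, or from the one-liner LordOfLA mentions): the ruleset with the ports moved behind `port` and the `proto tcp` qualifier a port list needs, plus a small refresh script that does what X-Istence's table post describes, resolving the names periodically and replacing the table with `pfctl -T replace` so address changes take effect without reloading the ruleset. In PF the `to` clause takes addresses, so `to { 80, 443, 2010, 9000:9200 }` is parsed as an address list and `9000:9200` (which is the correct port-range syntax) fails as an address. The hostnames, interfaces, addresses and the `dns_names` table name are constructed placeholders; the script assumes the `host` command for lookups and `pfctl` on the path.

```shell
#!/bin/sh
# Added example (not from the thread): a corrected pf.conf plus a refresh script
# that keeps a PF table in sync with DNS. Hostnames, addresses, interfaces and the
# table name are constructed placeholders. Assumes `host` (BIND tools, in the base
# system of that era) for resolution and `pfctl` for loading the table.
set -u

TABLE="${PF_TABLE:-dns_names}"

# The ruleset. In PF the "to" clause takes addresses only, so "to { 80 443 }" is
# parsed as an address list (hence pfctl's "no IP address found" for 9000:9200);
# ports go after "port", and a port list needs "proto tcp" (or udp). "persist"
# keeps the table in the kernel even while empty, so the cron job can fill it.
pf_conf_example() {
    cat <<'EOF'
ext_if = "re0"
int_if = "em0"

table <dns_names> persist

block in on $ext_if all
pass in on $int_if from 192.168.1.0/24 to any
pass in on $ext_if proto tcp from <dns_names> to any port { 80 443 2010 9000:9200 }
EOF
}

# Syntax-check a ruleset without loading it (Geffy's pfctl -n -f).
check_conf() {
    pfctl -n -f "$1"
}

# Extract A-record addresses from `host -t A` output, one per line.
# Input line shape: "some.dns.name1 has address 192.0.2.10"; "has IPv6 address"
# lines are skipped.
a_records() {
    awk '$2 == "has" && $3 == "address" { print $4 }'
}

# Keep only well-formed dotted-quad IPv4 addresses (four numeric octets, each
# 0-255), so odd resolver output never ends up in the table.
only_ipv4() {
    awk -F. 'NF == 4 {
        ok = 1
        for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) ok = 0
        if (ok) print
    }'
}

# Resolve each hostname given as an argument; print the sorted, de-duplicated set.
resolve_set() {
    for h in "$@"; do
        host -t A "$h" 2>/dev/null | a_records
    done | only_ipv4 | sort -u
}

# Replace the table's contents with the addresses read from stdin, one per line.
# An empty set is refused: a DNS outage must not silently empty the allow list.
# With PF_DRY_RUN=1 the pfctl command is printed instead of run.
replace_table() {
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    if [ ! -s "$tmp" ]; then
        echo "refusing to replace <$TABLE> with an empty address set" >&2
        rm -f "$tmp"
        return 1
    fi
    if [ "${PF_DRY_RUN:-0}" = 1 ]; then
        echo "pfctl -t $TABLE -T replace -f $tmp"
        cat "$tmp"
    else
        pfctl -t "$TABLE" -T replace -f "$tmp"
    fi
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Run as: pf_dns_table.sh some.dns.name1 somedns.name2 ... (e.g. every 5 minutes
# from cron); with no arguments only the functions are defined.
if [ $# -gt 0 ]; then
    resolve_set "$@" | replace_table
fi
```

`-T replace` swaps the table's whole contents in one pfctl call rather than adding and deleting entries piecemeal, and the script refuses to install an empty set, so a transient DNS failure leaves the previous allow list in place instead of wiping it. Because the table is declared `persist`, it survives a ruleset reload with whatever the last cron run put in it, and the rule referencing `<dns_names>` keeps working until the next refresh.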
 

LordOfLA
Might as well turn it off if you're using any :)

When I go to work tomorrow I'll dig up the filters I was using before switching the DNS servers to Debian and using filtering on the distribution switches.
 
