
FreeBSD PF and hostname lookups

#1
While I google around on this I'll throw this out to you guys too.

Is it possible to have the following in a PF ruleset:

trusted_hosts = "{ 10.0.0.1/8, my.host.name }"

?
 
#3
According to the "OpenBSD PF Packet Filter Book", in your rules you obviously use "addresses"; well, an "address" is defined as one of the following (there are a few more, but these are the main ones).

The third one should be the one you are after.

  • A single IPv4 or IPv6 address.
  • A CIDR network block.
  • A fully qualified domain name that will be resolved via DNS when the ruleset is loaded. All resulting IP addresses will be substituted into the rule
  • The name of a network interface. Any IP addresses assigned to the interface will be substituted into the rule.
  • The name of a network interface followed by a /netmask (i.e., /24). Each IP address on the interface is combined with the netmask to form a CIDR network block which is substituted into the rule.
  • The name of a network interface in parentheses (). This tells PF to update the rule if the IP address(es) on the named interface change. This is useful on an interface that gets its IP address dynamically via DHCP or dial-up as the ruleset doesn't have to be reloaded each time the address changes.

The mailing list post you linked to is from 2004 which is a bit old ;)
 
#5
Works just fine, as linked in my second post, for me. 6.2-rel-p5.

I'm hoping that the one-liner the guy provided will allow potentially changing dynamic IPs to be set in a static firewall rule.
 

Dark Atheist (Moderator)
#6
This is my pf.rules now:

ext_if = "re0"
int_if = "em0"

block in on $ext_if from any to any
pass in on $int_if from { 164.168.1.1/24 } to any
pass in on $ext_if from { 192.168.1.1/24 } to any
pass in on $ext_if from { 12.34.56.78, 15.16.17.18, 34.24.32.18 } to { 80, 443, 2010, 9000:9200 }

Now from the link above I see I would have to add something like

table <dns:www.berger.to> { www.berger.to }
pass in proto tcp to <dns:www.berger.to> port 22

to allow DNS names. Would I have to put something like that in for all the ports listed in my rules, or could I add

pass in on $ext_if from table <dns:www.berger.to> { www.berger.to }
pass in proto tcp to <dns:www.berger.to> port
80, 443, 2010, 9000:9200 ?

Thanks
 
#7
pass in proto tcp to <dns:berger.to> port { 80 443 2010 9000:9200 }

would probably be right. The 4.7 version of PF can look up DNS now, I think, but it's not been merged into 6.3 and I'm not sure if it's in 7.0 yet either.
 

X-Istence
#8
The reason you need to create the table is so that it can be dynamically updated, using that one-liner that LordOfLA found. Otherwise the only time that a rule would be getting an IP address is when you load/reload the ruleset, which would mean that if the IP address for berger.to changes, your firewall won't know about it.
 

X-Istence
#9
What you could do Carpo is this:

Code:
table <dns:www.berger.to> { www.berger.to } 
pass in on $ext_if from <dns:www.berger.to>
pass in proto tcp to <dns:www.berger.to> port {80 443 2010 9000:9200}
You only have to define the table once.
 
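The point of posts #8 and #9 is that a hostname written straight into a rule is resolved once, when the ruleset is loaded, while the contents of a table can be swapped out afterwards with pfctl. The script below is an added example written for this thread, not code from the forum or from the PF project: it resolves a list of names and builds the `pfctl -t names -T replace ...` command that replaces the table in one step. The table name `names` and the hostnames are the thread's placeholders, and the address book it resolves against is constructed from documentation ranges so the script runs offline; the resolver is injectable so the same code works against the real system resolver.

```python
"""Refresh a PF table from hostnames at run time.

Added example for this thread, not code from the forum or from PF. PF resolves
a hostname written directly in a rule only when the ruleset is loaded; the
addresses in a table can be replaced afterwards with pfctl without reloading
the rules. Table name and hostnames are the thread's placeholders.
"""
import ipaddress
import socket
import subprocess
from typing import Callable, Dict, Iterable, List

# Constructed sample resolver data: documentation addresses (RFC 5737), not real hosts.
SAMPLE_DNS: Dict[str, List[str]] = {
    "some.dns.name1": ["192.0.2.10"],
    "somedns.name2": ["198.51.100.8", "198.51.100.7"],
    "somedns.name3": [],  # a name that currently fails to resolve
    "some.dns.name4": ["203.0.113.5"],
}


def sample_resolver(name: str) -> List[str]:
    """Look the name up in the constructed table (stands in for DNS when offline)."""
    return SAMPLE_DNS.get(name, [])


def system_resolver(name: str) -> List[str]:
    """Resolve with the host's stub resolver; an unresolvable name yields []."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_UNSPEC, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return [info[4][0] for info in infos]


def resolve_hosts(names: Iterable[str], resolver: Callable[[str], List[str]]) -> List[str]:
    """Resolve all names, drop failures, and return a sorted, de-duplicated list."""
    addrs = set()
    for name in names:
        addrs.update(resolver(name))
    # Sort IPv4 before IPv6, numerically within each family.
    return sorted(addrs, key=lambda a: (ipaddress.ip_address(a).version,
                                        ipaddress.ip_address(a)))


def build_replace_command(table: str, addrs: List[str]) -> List[str]:
    """argv for `pfctl -t TABLE -T replace ADDR...`, which swaps the table contents
    in one step. An empty list is refused: replacing the table with nothing would
    silently change what the rule matches, so the previous contents are kept and
    the operator sees an error instead."""
    if not addrs:
        raise ValueError(f"no addresses resolved for table <{table}>; table left unchanged")
    return ["pfctl", "-t", table, "-T", "replace", *addrs]


def refresh_table(table: str, names: Iterable[str],
                  resolver: Callable[[str], List[str]] = system_resolver,
                  run: Callable[..., object] = subprocess.run) -> List[str]:
    """Resolve the names and run the pfctl command; returns the argv that was run."""
    cmd = build_replace_command(table, resolve_hosts(names, resolver))
    run(cmd, check=True)
    return cmd


if __name__ == "__main__":
    # Dry run against the constructed data: show the command instead of executing it.
    print(" ".join(refresh_table("names", SAMPLE_DNS, sample_resolver,
                                 run=lambda cmd, check: None)))
```

Run it from cron (or a pf-specific periodic job) as root with `resolver=system_resolver` and the default `run`, with the table declared in pf.conf as `table <names> persist { ... }` so it keeps existing between refreshes. Two caveats worth keeping in mind: the script, like PF's own load-time lookup, trusts whatever the resolver answers, so point it at a resolver you control; and refusing an empty result means a DNS outage leaves the last known-good addresses in place rather than quietly emptying the table.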

Dark Atheist (Moderator)
#10
Bit moot as my FreeBSD PC has died - looks like the mobo has gone :( But will keep it for reference; think I still have a P4 1.8 lying about somewhere I could use :)
 
#11
The reason you need to create the table is so that it can be dynamically updated, using that one-liner that LordOfLA found. Otherwise the only time that a rule would be getting an IP address is when you load/reload the ruleset, which would mean that if the IP address for berger.to changes, your firewall won't know about it.
I believe you can enclose the hostname in {} and it will be resolved each time for 4.7.
 

Dark Atheist (Moderator)
#12
So all I would really need to change is

pass in on $ext_if from { 12.34.56.78, 15.16.17.18, 34.24.32.18 } to { 80, 443, 2010, 9000:9200 }
to
pass in on $ext_if from { some.dns.name1, somedns.name2, somedns.name3, some.dns.name4 } to { 80, 443, 2010, 9000:9200 } ?

What you could do 3Dfiend is this:

Code:
table <dns:www.berger.to> { www.berger.to } 
pass in on $ext_if from <dns:www.berger.to>
pass in proto tcp to <dns:www.berger.to> port {80 443 2010 9000:9200}
You only have to define the table once.
Wouldn't I have to put that in for each DNS addy?
 
#14
Think you'd need

table <dns:names> { some.dns.name1, somedns.name2, somedns.name3, some.dns.name4 }
pass in on $ext_if from <dns:names> to any port { 80, 443, 2010, 9000:9200 }
 

Dark Atheist (Moderator)
#16
ext_if = "re0"
int_if = "em0"

block in on $ext_if from any to any
pass in on $int_if from { 164.168.1.1/24 } to any
pass in on $ext_if from { 192.168.1.1/24 } to any
table <dns:names> { some.dns.name1, somedns.name2, somedns.name3, some.dns.name4 }
pass in on $ext_if from <dns:names> to { 80, 443, 2010, 9000:9200 }

Look about right for pf.conf?
 
#17
Looks alright; you can check it with

pfctl -n -f /path/to/pf.conf

If you just get your prompt back, then the syntax is at least valid.
 

Dark Atheist (Moderator)
#19
It's not working; it keeps saying syntax error on line 8. If I comment the last two lines out

table <dns:names> { some.dns.name1, somedns.name2, somedns.name3, some.dns.name4 }
pass in on $ext_if from <dns:names> to { 80, 443, 2010, 9000:9200 }

it works. Also, it's complaining about no IP for 9000:9200.

Seems pfctl -n -f /etc/pf.conf does not like pass in on $ext_if from <dns:names> to { 80, 443, 2010, 9000:9200 } or pass in on $ext_if from <dns:names> to { 80, 443, 2010 }.

Edit: found what the prob was for one problem :) but it still doesn't like 9000:9200. Is there any other way to write a range of ports in PF?
Edit 2: semi-sorted it by removing the ports and just putting any.
 
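The error in post #19 comes from the rule's shape rather than from the port range: in pf.conf a brace list directly after `to` (or `from`) is a list of hosts, so pfctl tries to resolve 80, 443 and 9000:9200 as hostnames and reports that it has no IP address for them. The working form is the one in post #14, `to any port { 80 443 2010 9000:9200 }`, where `9000:9200` is the normal range syntax. The checker below is an added example written for this thread, not something from the forum or from PF: it tokenizes a rule, flags a `from`/`to` list made only of port-like items, and rewrites it with `any port`. It is a convenience for catching this one mistake before loading; `pfctl -n -f` remains the authoritative check.

```python
"""Flag and fix pf.conf rules whose from/to list is really a port list.

Added example for this thread, not code from the forum or from PF. Covers only
the mistake discussed in the thread: `to { 80, 443 }` is a host list in
pf.conf, while a port list needs `to any port { 80 443 }`.
"""
import re
from typing import List, Optional, Tuple

# A port number or a range like 9000:9200, which PF accepts after `port`.
PORT_ITEM = re.compile(r"^\d{1,5}(:\d{1,5})?$")

# Constructed sample: the broken rule from post #19 and the working one from post #14.
BROKEN_RULE = "pass in on $ext_if from <dns:names> to { 80, 443, 2010, 9000:9200 }"
FIXED_RULE = "pass in on $ext_if from <dns:names> to any port { 80, 443, 2010, 9000:9200 }"


def _tokens(rule: str) -> List[str]:
    """Split a rule into tokens; braces stand alone and commas (optional in
    pf.conf lists) are dropped so `{ 80, 443 }` and `{ 80 443 }` look the same."""
    rule = rule.split("#", 1)[0]  # ignore a trailing comment
    return re.sub(r"([{}])", r" \1 ", rule).replace(",", " ").split()


def _list_after(tokens: List[str], i: int) -> Tuple[Optional[List[str]], int]:
    """Items of the brace list starting at tokens[i], or the single token there.
    Returns (items, index of the first token after them)."""
    if i >= len(tokens):
        return None, i
    if tokens[i] == "{":
        if "}" not in tokens[i:]:
            return None, i  # unbalanced braces: leave it for pfctl to report
        j = tokens.index("}", i)
        return tokens[i + 1:j], j + 1
    return [tokens[i]], i + 1


def _looks_like_ports(items: Optional[List[str]]) -> bool:
    return bool(items) and all(PORT_ITEM.match(t) for t in items)


def check_rule(rule: str) -> List[str]:
    """Return a description of each from/to list that is really a port list."""
    tokens = _tokens(rule)
    problems = []
    for key in ("from", "to"):
        if key in tokens:
            items, _ = _list_after(tokens, tokens.index(key) + 1)
            if _looks_like_ports(items):
                problems.append(
                    f"'{key} {{ {' '.join(items)} }}' is parsed as a list of hosts; "
                    f"write '{key} any port {{ {' '.join(items)} }}' instead")
    return problems


def fix_rule(rule: str) -> str:
    """Rewrite `from/to { ports }` as `from/to any port { ports }`; other rules pass through."""
    tokens = _tokens(rule)
    out: List[str] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        out.append(tok)
        i += 1
        if tok in ("from", "to"):
            items, nxt = _list_after(tokens, i)
            if _looks_like_ports(items):
                out += ["any", "port", "{", *items, "}"]
                i = nxt
    return " ".join(out)


if __name__ == "__main__":
    for rule in (BROKEN_RULE, FIXED_RULE):
        print(rule)
        for problem in check_rule(rule):
            print("  ", problem)
            print("   fixed:", fix_rule(rule))
```

After rewriting, `pfctl -n -f /etc/pf.conf` on the corrected rule should return quietly, and a list such as `{ 80, 443 }` left behind `from` would be reported the same way.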
#20
Might as well turn it off if you're using any :)

When I go to work tomorrow I'll dig up the filters I was using before switching the DNS servers to Debian and using filtering on the distribution switches.
 
