FreeBSD PF and hostname lookups


LordOfLA

Godlike!
Joined
2 Feb 2004
Messages
7,026
While I google around on this I'll throw this out to you guys too.

Is it possible to have the following in a PF ruleset:

trusted_hosts = "{ 10.0.0.1/8, my.host.name }"

?
 

Geffy

OSNN Veteran Addict
Joined
18 Mar 2002
Messages
7,805
According to the "OpenBSD PF Packet Filter Book", in your rules you obviously use "addresses", and an "address" is defined as one of the following (there are a few more but these are the main ones).

The third one should be the one you are after

  • A single IPv4 or IPv6 address.
  • A CIDR network block.
  • A fully qualified domain name that will be resolved via DNS when the ruleset is loaded. All resulting IP addresses will be substituted into the rule.
  • The name of a network interface. Any IP addresses assigned to the interface will be substituted into the rule.
  • The name of a network interface followed by a /netmask (i.e., /24). Each IP address on the interface is combined with the netmask to form a CIDR network block which is substituted into the rule.
  • The name of a network interface in parentheses (). This tells PF to update the rule if the IP address(es) on the named interface change. This is useful on an interface that gets its IP address dynamically via DHCP or dial-up as the ruleset doesn't have to be reloaded each time the address changes.

The mailing list post you linked to is from 2004 which is a bit old ;)
 

X-Istence

*
Political Access
Joined
5 Dec 2001
Messages
6,498
A fully qualified domain name does not work on my 6.2-RELEASE gateway
 

LordOfLA

Godlike!
Joined
2 Feb 2004
Messages
7,026
Works just fine as linked in my second post for me. 6.2-rel-p5.

I'm hoping that the one-liner the guy provided will allow for potentially changing dynamic IPs to be set in a static firewall rule.
 

Dark Atheist

OSNN Veteran Addict
Political Access
Joined
8 Apr 2003
Messages
6,376
This is my pf.rules now:

ext_if = "re0"
int_if = "em0"

block in on $ext_if from any to any
pass in on $int_if from { 164.168.1.1/24 } to any
pass in on $ext_if from { 192.168.1.1/24 } to any
pass in on $ext_if from { 12.34.56.78, 15.16.17.18, 34.24.32.18 } to { 80, 443, 2010, 9000:9200 }

Now from the link above I see I would have to add something like

table <dns:www.berger.to> { www.berger.to }
pass in proto tcp to <dns:www.berger.to> port 22

to allow DNS names. Would I have to put something like that in for all the ports listed in my rules, or could I add

pass in on $ext_if from table <dns:www.berger.to> { www.berger.to }
pass in proto tcp to <dns:www.berger.to> port
80, 443, 2010, 9000:9200 ?

Thanks
 

Geffy

OSNN Veteran Addict
Joined
18 Mar 2002
Messages
7,805
pass in proto tcp to <dns:berger.to> port { 80 443 2010 9000:9200 }

would probably be right. The 4.7 version of PF can look up DNS now I think, but it's not been merged into 6.3 and I'm not sure if it's in 7.0 yet either.
 

X-Istence

*
Political Access
Joined
5 Dec 2001
Messages
6,498
The reason you need to create the table is so that it can be dynamically updated, using that one-liner that LordOfLA found. Otherwise the only time that a rule would be getting an IP address is when you load/reload the ruleset, which would mean that if the IP address for berger.to changes, your firewall won't know about it.
 
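One way to do the periodic refresh described in the post above, as an added example and not the one-liner LordOfLA linked (which is not quoted in the thread): resolve the names with host(1) and swap the table contents with pfctl's -T replace, so the ruleset itself never needs reloading. The table name names and the hostnames are placeholders, and the script assumes pf.conf already declares the table and references it from a rule.

```shell
#!/bin/sh
# Constructed example: refresh a PF table from DNS without reloading the ruleset.
# Assumes pf.conf declares and uses the table, e.g.
#   table <names> persist { some.dns.name1, somedns.name2 }
#   pass in on $ext_if proto tcp from <names> to any port { 80, 443 }
# TABLE and HOSTS are placeholders.
TABLE="names"
HOSTS="some.dns.name1 somedns.name2"

# Keep only IPv4 answers from host(1) output, one address per line, deduplicated.
# Input lines look like:  "some.dns.name1 has address 192.0.2.10"
# "has IPv6 address" lines, aliases and "not found" messages are dropped, and the
# dotted-quad check stops anything unexpected from being handed to pfctl.
addrs_from_host_output() {
    awk '/ has address / { print $NF }' | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort -u
}

# Resolve every hostname; a name that fails to resolve simply contributes nothing.
resolve_hosts() {
    for h in "$@"; do
        host -t A "$h" 2>/dev/null || true
    done | addrs_from_host_output
}

# Replace the table contents in one operation. Refuse to replace with an empty
# list: a transient DNS failure should not empty the table and cut off every
# host in it; leave the old entries in place and report it instead.
refresh_table() {
    addrs=$(resolve_hosts $HOSTS)
    if [ -z "$addrs" ]; then
        echo "refresh_table: no addresses resolved, table <$TABLE> left unchanged" >&2
        return 1
    fi
    # Word-splitting on $addrs is intended: one argument per address.
    pfctl -t "$TABLE" -T replace $addrs
}

# Run from cron (e.g. every few minutes) with REFRESH_NOW=1; without it the
# file only defines the functions, so it can be sourced and tested.
if [ "${REFRESH_NOW:-0}" = "1" ]; then
    refresh_table
fi
```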

X-Istence

*
Political Access
Joined
5 Dec 2001
Messages
6,498
What you could do Carpo is this:

Code:
table <dns:www.berger.to> { www.berger.to } 
pass in on $ext_if from <dns:www.berger.to>
pass in proto tcp to <dns:www.berger.to> port {80 443 2010 9000:9200}

You only have to define the table once.
 

Dark Atheist

OSNN Veteran Addict
Political Access
Joined
8 Apr 2003
Messages
6,376
Bit moot as my FreeBSD PC has died - looks like the mobo has gone :( but I will keep it for reference; think I still have a P4 1.8 laying about somewhere I could use :)
 

Geffy

OSNN Veteran Addict
Joined
18 Mar 2002
Messages
7,805
The reason you need to create the table is so that it can be dynamically updated, using that one-liner that LordOfLA found. Otherwise the only time that a rule would be getting an IP address is when you load/reload the ruleset, which would mean that if the IP address for berger.to changes, your firewall won't know about it.

I believe you can enclose the hostname in {} and it will be resolved each time for 4.7.
 

Dark Atheist

OSNN Veteran Addict
Political Access
Joined
8 Apr 2003
Messages
6,376
So all I would really need to change is

pass in on $ext_if from { 12.34.56.78, 15.16.17.18, 34.24.32.18 } to { 80, 443, 2010, 9000:9200 }
to
pass in on $ext_if from { some.dns.name1, somedns.name2, somedns.name3, some.dns.name4 } to { 80, 443, 2010, 9000:9200 } ?

What you could do 3Dfiend is this:

Code:
table <dns:www.berger.to> { www.berger.to } 
pass in on $ext_if from <dns:www.berger.to>
pass in proto tcp to <dns:www.berger.to> port {80 443 2010 9000:9200}
You only have to define the table once.

Wouldn't I have to put that in for each DNS addy?
 

Geffy

OSNN Veteran Addict
Joined
18 Mar 2002
Messages
7,805
Think you'd need

table <dns:names> { some.dns.name1, somedns.name2, somedns.name3, some.dns.name4 }
pass in on $ext_if from <dns:names> to any port { 80, 443, 2010, 9000:9200 }
 

Dark Atheist

OSNN Veteran Addict
Political Access
Joined
8 Apr 2003
Messages
6,376
ext_if = "re0"
int_if = "em0"

block in on $ext_if from any to any
pass in on $int_if from { 164.168.1.1/24 } to any
pass in on $ext_if from { 192.168.1.1/24 } to any
table <dns:names> { some.dns.name1, somedns.name2, somedns.name3, some.dns.name4 }
pass in on $ext_if from <dns:names> to { 80, 443, 2010, 9000:9200 }

Look about right for pf.conf?
 

Geffy

OSNN Veteran Addict
Joined
18 Mar 2002
Messages
7,805
Looks alright; you can check it with

pfctl -n -f /path/to/pf.conf

If you just get your prompt back, then the syntax is at least valid.
 

Dark Atheist

OSNN Veteran Addict
Political Access
Joined
8 Apr 2003
Messages
6,376
It's not working; it keeps saying syntax error on line 8. If I comment the last two lines out

table <dns:names> { some.dns.name1, somedns.name2, somedns.name3, some.dns.name4 }
pass in on $ext_if from <dns:names> to { 80, 443, 2010, 9000:9200 }

it works. Also it's complaining about no IP for 9000:9200.

Seems pfctl -n -f /etc/pf.conf does not like pass in on $ext_if from <dns:names> to { 80, 443, 2010, 9000:9200 } or pass in on $ext_if from <dns:names> to { 80, 443, 2010 }

Edit - found what the prob was for one problem :) but it still doesn't like 9000:9200. Is there any other way to write a range of ports in PF?
Edit 2: semi sorted it by removing the ports and just putting any.
 
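The ruleset from the posts above in the form pfctl accepts, as an added example rather than anything posted in the thread: the ports belong after a port keyword (which also needs a proto), the table is declared before the rules that use it, and the interface macros, addresses and hostnames are the thread's own placeholders (the table name is shortened to names).

```pf
ext_if = "re0"
int_if = "em0"

# Declare the table before any rule references it. The names are resolved
# only when the ruleset is loaded, so the table has to be refreshed (e.g.
# pfctl -t names -T replace ...) whenever the addresses behind them change.
table <names> persist { some.dns.name1, somedns.name2, somedns.name3, some.dns.name4 }

block in on $ext_if from any to any
pass in on $int_if from { 164.168.1.1/24 } to any
pass in on $ext_if from { 192.168.1.1/24 } to any

# "to { 80, 443, ... }" is parsed as a list of destination hosts, which is why
# pfctl reported no IP address for 9000:9200. Ports need "port" and a proto,
# and 9000:9200 is the normal way to write a port range there.
pass in on $ext_if proto tcp from <names> to any port { 80, 443, 2010, 9000:9200 }
```

Checking it with pfctl -n -f as Geffy suggested above parses the file without loading it, so a typo cannot leave the firewall half-loaded.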

LordOfLA

Godlike!
Joined
2 Feb 2004
Messages
7,026
Might as well turn it off if you're using any :)

When I go to work tomorrow I'll dig up the filters I was using before switching the DNS servers to Debian and using filtering on the distribution switches.
 
