On Thursday 17 July 2008 17:19:02 Jeremy Chadwick wrote:
> On Thu, Jul 17, 2008 at 05:11:50PM +0200, Max Laier wrote:
> > On Thursday 17 July 2008 15:28:49 CZUCZY Gergely wrote:
> > > On Thu, 17 Jul 2008 09:13:03 -0400
> > > "Glen Barber" <[EMAIL PROTECTED]> wrote:
> > > > On Thu, Jul 17, 2008 at 9:00 AM, Glen Barber <[EMAIL PROTECTED]> wrote:
> > > > > I was under the assumption the OP runs his own DNS server, as
> > > > > that is how my machine was set up.
> > > >
> > > > Another reason I thought about 'why' the OP used tables - aren't
> > > > PF tables evaluated at boot, and macros evaluated when they are
> > > > called? I think the latter negates the need for resolving at
> > > > boot. Please correct me if I am wrong.
> > >
> > > Macros are evaluated at pfctl-time. That means, parse-time. Tables
> > > are evaluated at runtime (that means, when a lookup is in
> > > progress).
> >
> > DNS lookups are always performed in userland at pfctl-time. It does
> > not matter if you put your hostnames into a macro, table or rule
> > directly - it will always be looked up by pfctl before even loading
> > the rule/table into the kernel.
> >
> > If you really want to trust DNS lookups to influence your firewall
> > rules (3 weeks till doomsday - is your resolver patched?!?) you
> > should add an rc.d that depends on NETWORKING (or hook something up
> > to ppp.linkup, or wherever else you can be sure that your resolver is
> > working) and fill a predefined table from that script, i.e. "pfctl -t
> > mytable -T add foo.bar.local"
>
> Which induces another question (probably answered in a post a few weeks
> ago, knowing my luck):
>
> Does pf(4) use gethostbyname()? If so, the OP should be able to add
> entries of said FQDNs to /etc/hosts to avoid doing actual recursive DNS
> lookups.
>
> (I'm curious about this myself, since we have some pf.conf
> rules which refer to IPs bound to our servers, and I've always wanted
> to switch them over to FQDNs that are listed in /etc/hosts...)
gethostbyname(3), but that should - iirc - also tie into /etc/hosts if your
nsswitch.conf points there.

-- 
/"\  Best regards,                      | [EMAIL PROTECTED]
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
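The approach Max describes above (keep hostnames out of pf.conf, declare an empty table, and fill it from an rc.d script once the resolver is reachable) as an added, rc.d-style example script; this is not code from the thread or from FreeBSD. The table name `mytable`, the hostname `foo.bar.local` and the script name `pf_fill_table` are placeholders taken from or constructed for this example. It uses `getent hosts`, which, like gethostbyname(3), goes through nsswitch.conf and therefore returns /etc/hosts entries without a recursive query, and it uses `pfctl -T replace` instead of the `-T add` mentioned in the thread so that stale addresses are dropped on a refresh:

```shell
#!/bin/sh
# Added example (not from the thread): fill a pre-declared pf table from
# hostnames after the resolver is usable, instead of resolving in pf.conf.
#
# Assumed pf.conf fragment (table declared empty, so rule loading needs no DNS):
#   table <mytable> persist
#   block in quick from <mytable>
#
# PROVIDE: pf_fill_table
# REQUIRE: NETWORKING pf
# (FreeBSD rc.d dependency keywords; pf_fill_table is a placeholder name.)

PF_TABLE="${PF_TABLE:-mytable}"              # table name as declared in pf.conf
PF_HOSTS="${PF_HOSTS:-foo.bar.local}"         # constructed example hostname(s)
PFCTL="${PFCTL:-pfctl}"                       # set to "echo pfctl" for a dry run
RESOLVER="${RESOLVER:-resolve_with_getent}"   # function that resolves one name

# resolve_with_getent NAME: print one address per line. getent(1) consults
# nsswitch.conf the same way gethostbyname(3) does, so /etc/hosts entries are
# answered locally and never trigger a recursive DNS lookup.
resolve_with_getent() {
    getent hosts "$1" | awk '{ print $1 }'
}

# is_ip_literal STRING: coarse syntax check (dotted quad or IPv6 literal) so
# that unexpected resolver output is never passed on to pfctl.
is_ip_literal() {
    printf '%s\n' "$1" | grep -Eq \
        '^(([0-9]{1,3}\.){3}[0-9]{1,3}|[0-9a-fA-F:]*:[0-9a-fA-F:]*)$'
}

# table_entries: resolve every host in PF_HOSTS, keep only address literals,
# and print the de-duplicated, sorted list one per line.
table_entries() {
    for name in $PF_HOSTS; do
        "$RESOLVER" "$name"
    done | while IFS= read -r addr; do
        is_ip_literal "$addr" && printf '%s\n' "$addr"
    done | sort -u
}

# fill_table: replace the table contents with the resolved addresses.
# Returns 1 and leaves the table untouched when nothing resolved, so a resolver
# outage at boot cannot silently empty a block list that is already loaded.
fill_table() {
    entries=$(table_entries)
    [ -n "$entries" ] || return 1
    # shellcheck disable=SC2086
    $PFCTL -t "$PF_TABLE" -T replace $entries
}

# wait_for_resolver TRIES: depending on NETWORKING only means interfaces are
# up; poll until the names actually resolve before touching the table.
wait_for_resolver() {
    tries=${1:-10}
    while [ "$tries" -gt 0 ]; do
        [ -n "$(table_entries)" ] && return 0
        tries=$((tries - 1))
        sleep 3
    done
    return 1
}

# rc.d-style dispatch: "start" at boot, "reload" from cron or ppp.linkup to
# pick up changed addresses. With no action the script only defines functions.
case "${1:-}" in
    start)  wait_for_resolver 10 && fill_table ;;
    reload) fill_table ;;
    "")     ;;
    *)      echo "usage: $0 {start|reload}" >&2; exit 64 ;;
esac
```

Run it as `sh pf_fill_table start` from rc.d after pf has loaded the rule set, and `sh pf_fill_table reload` whenever the addresses may have changed. Because the table is declared `persist` and only ever holds what this script puts there, a broken or poisoned resolver at boot can at worst leave the table empty; it can never cause pfctl to refuse to load the rule set, which is what happens when a hostname in pf.conf fails to resolve.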
