> atar wrote on 06/14/2016 16:05:
>>> atar wrote on 06/14/2016 14:52:
>
> [...]
>
>>>> The hostname "google.com" isn't blocked since its current IP differs from
>>>> its previous IP when pf has loaded the rule. What can I do in order to be
>>>> able to block such sites (with many IP addresses)?
>>>
>>> I would use tables and populate them periodically from a shell script which
>>> can do FQDN to many IPs resolution.
>>>
>>> It can be as simple as this
>>>
>>> host yahoo.com | awk '$0 ~ /has address/ { print $4 }' > /var/run/pf.yahoo_table
>>> pfctl -t yahoo_table -T replace -f /var/run/pf.yahoo_table
>>>
>>> I am sure you will find better solution :)
>>>
>>> Miroslav Lachman
>> Thanks for your answer, it is an interesting idea.
>>
>> However, doesn't this method of periodically updating the pf tables disturb or
>> burden the performance of the pf filter engine, especially if the script that
>> updates the tables runs too often?
>
>
> How often is "too often"?
> I think that updating the tables every 5 minutes is enough (no one uses a
> shorter TTL for DNS entries).
> The nicest thing about PF tables is that you don't need to reload PF, and tables
> can live in memory (no need for a persistent file on the filesystem), so all
> operations are really quick.
> Our PF firewalls are using tables with thousands of entries without any
> issues.
> I don't see any trouble even if you update the tables every minute.
>
> Miroslav Lachman
Thanks again for replying.
I don't know why, but even a refresh rate of one minute isn't enough for the
domains google.com or gmail.com.
Even immediately after I load the table which has the rule to block the above
mentioned domains, I am still able to access those domains. Sometimes it is
indeed blocked for half a minute, but finally the Chromium browser succeeds in
loading them.
Do you have any idea?
Regards,
Atar.
_______________________________________________
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[email protected]"
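As an added example (not code from this thread or from Miroslav), here is a fuller version of the periodic refresh idea: it resolves several hostnames at once, keeps AAAA answers as well as A answers (the original awk pattern matches "has address" only, so a host reached over IPv6 would not be in the table), and replaces the table in one pfctl call only when resolution actually returned something. The table name blocked_hosts, the pf.conf lines, the /var/run path and the use of the `host` utility (bind-tools on FreeBSD) are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Refresh a pf table from DNS answers.
# Assumptions: the table is declared in pf.conf, e.g.
#   table <blocked_hosts> persist
#   block out quick to <blocked_hosts>
# `host` (bind-tools on FreeBSD) and pfctl are installed, and the script runs
# as root (pfctl and /var/run need it). Table name and path are assumed.

# Extract every address from `host` output: both A records ("has address")
# and AAAA records ("has IPv6 address"). $NF is the last field on the line.
extract_addrs() {
    awk '$0 ~ /has (IPv6 )?address/ { print $NF }'
}

# Resolve each hostname given as an argument; a failed lookup simply
# contributes nothing. Output is de-duplicated, one address per line.
resolve_hosts() {
    for h in "$@"; do
        host "$h" 2>/dev/null | extract_addrs
    done | sort -u
}

# Replace the table contents in a single pfctl call, and only when resolution
# produced at least one address, so a DNS outage cannot empty the table and
# silently unblock everything.
refresh_table() {
    table="$1"; shift
    tmp="$(mktemp "/var/run/pf.${table}.XXXXXX")" || return 1
    resolve_hosts "$@" > "$tmp"
    rc=0
    if [ -s "$tmp" ]; then
        pfctl -t "$table" -T replace -f "$tmp" || rc=$?
    else
        echo "no addresses resolved, keeping table <$table> unchanged" >&2
    fi
    rm -f "$tmp"
    return $rc
}

# Usage: refresh_pf_table.sh blocked_hosts google.com gmail.com
# (run from cron every few minutes). Nothing runs without arguments.
if [ $# -ge 2 ]; then
    refresh_table "$@"
fi
```

Run it once by hand and check with `pfctl -t blocked_hosts -T show` that both IPv4 and IPv6 entries are present before relying on the cron job.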