Falk Husemann wrote:
[EMAIL PROTECTED] wrote:
That doesn't mean I can use *.google.com but I would be able to use
www.google.com if I understood the FAQ and the manual correctly.
Because I may not be able to know every Hostname in a foreign network a
Joker would be a neat solution.

Is it maybe planned to add any joker to PF so that such stuff would be
possible in the future if it isn't already possible?

Why isn't it feasible to use Google's allocated netblock (216.239.32.0/19)?

It is feasible to block any numeric network block.
What isn't feasible is to look at a DNS name and think that you can come
up with simple PF rules that will block it.

Maybe you could use a script to update a table in pf using whois and grep for the CIDR/Netrange in the reply.

Maybe you could for your application.
However, this is not a generic solution at all.

Here's an example:
at the office I work at, we used to have a firewall which claimed to block
by DNS name, just as is being discussed.  What it really did is exactly
what you propose: periodically, it would do some DNS queries, and populate
a table, and block those IP addresses.

It was decided that our users should not have access to webmail from our
offices, so mail.google.com was blocked, but www.google.com was ok.

Here's what happened (warning: vast oversimplifications here!):
A DNS query for mail.google.com returned a set of IP addresses.  A small
subset of the actual addresses that served mail.google.com.  That's the
way DNS can work: if there are five hundred machines that respond to a
particular name, a single DNS query might return eight.  Or one.
Whatever.

What this firewall didn't know is mail.google.com machines were the
EXACT same machines as www.google.com.  So, the results of the block were,
uh.. entertaining.  Two people in the same department with the same
network privileges would try to go to google, and one would get what
they expected, the one next to them would get the "This site is blocked!"
page.  If I had thought to look for it, we'd have seen the same behavior
for people trying to get to gmail -- some would be blocked, most would get
through.  Took a while to debug that one, as I really never figured
someone would put such a clearly flawed feature in a commercial firewall
product. :) (silly me, work with OpenBSD too long, you forget to think
about buzzword compliance and management pressures to "do something!", no
matter how idiotic.)


Today, many big "sites" use world-wide distributed front-end services
like Akamai.  Many of them use the SAME world-wide distributed
front-end service -- so what you do by IP address (for example) to
google.com might impact microsoft.com and apple.com, which is probably
not what you intend.  PF, can easily block every single address of every
single Akamai server, but that won't necessarily do what you want.

I've been a fan of DNS mangling to deal with this problem for some time.
Technically, it is a horribly flawed system.  Practically, it works, and
works very easily.  More:
   http://www.holland-consulting.net/tech/imblock.html

Nick.
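The failure mode Nick describes (and the table-from-a-script approach Falk suggests) is easy to model. The following is an added example, not code from the thread, from pf or from OpenBSD: it simulates a firewall that resolves a "blocked" name, loads the answers into a pf table, and then runs the two checks a defender would want before trusting such a rule, namely how little of the real server pool one lookup covers and which allowed names share the addresses that ended up in the table. The hostnames (`*.example.test`), the address pools and the round-robin resolver are all constructed for the demo; the addresses come from the RFC 5737 documentation ranges, not from any real network.

```python
"""Model of DNS-name-to-IP-table blocking and its two blind spots.

Added example, not from the original thread or from pf/OpenBSD. All names
and addresses are constructed (RFC 5737 documentation ranges).
"""
import ipaddress
from typing import Dict, Iterable, List, Set

# Constructed: the *full* set of machines behind each name. A firewall never
# sees this list; it only sees whatever subset a single query returns.
CONSTRUCTED_POOLS: Dict[str, List[str]] = {
    # mail and www are served by the same machines, as in Nick's story.
    "mail.example.test": [f"198.51.100.{i}" for i in range(1, 21)],
    "www.example.test": [f"198.51.100.{i}" for i in range(1, 21)],
    # An unrelated service on a different netblock.
    "cdn.example.test": [f"203.0.113.{i}" for i in range(1, 9)],
}


def simulated_lookup(pool: List[str], answers: int = 4, offset: int = 0) -> Set[str]:
    """One round-robin DNS answer: `answers` consecutive entries from the pool,
    starting at `offset`. Constructed stand-in for a real resolver."""
    return {pool[(offset + k) % len(pool)] for k in range(answers)}


def build_block_table(resolved: Dict[str, Set[str]],
                      blocked_names: Iterable[str]) -> Set[str]:
    """What the firewall loads into its table: the union of the answers it
    happened to get for the names it was told to block."""
    table: Set[str] = set()
    for name in blocked_names:
        table |= resolved.get(name, set())
    return table


def pool_coverage(table: Set[str], pool: List[str]) -> float:
    """Fraction of the real pool the table covers (1.0 = every server)."""
    return len(table & set(pool)) / len(pool)


def collateral_blocks(table: Set[str], resolved: Dict[str, Set[str]],
                      allowed_names: Iterable[str]) -> Dict[str, Set[str]]:
    """Addresses in the block table that an *allowed* name also resolved to.
    Any hit means some users of the allowed name will get the block page."""
    hits: Dict[str, Set[str]] = {}
    for name in allowed_names:
        shared = table & resolved.get(name, set())
        if shared:
            hits[name] = shared
    return hits


def render_pf_table(table: Set[str]) -> str:
    """pf table file: one address per line, the format consumed by
    `pfctl -t blocked -T replace -f blocked.txt` (command not run here)."""
    return "\n".join(sorted(table, key=ipaddress.ip_address)) + "\n"


def audit(blocked: Iterable[str], allowed: Iterable[str],
          resolved: Dict[str, Set[str]]) -> Dict[str, object]:
    """Run the checks a defender wants before deploying a name-derived table."""
    blocked = list(blocked)
    table = build_block_table(resolved, blocked)
    return {
        "table": table,
        "coverage": {n: pool_coverage(table, CONSTRUCTED_POOLS[n]) for n in blocked},
        "collateral": collateral_blocks(table, resolved, list(allowed)),
        "pf_file": render_pf_table(table),
    }


def demo() -> Dict[str, object]:
    # Constructed answers from one polling cycle: the firewall asked for the
    # blocked name and the allowed names at slightly different times, so the
    # round-robin offsets differ (just as two users' lookups would).
    resolved = {
        "mail.example.test": simulated_lookup(CONSTRUCTED_POOLS["mail.example.test"], offset=0),
        "www.example.test": simulated_lookup(CONSTRUCTED_POOLS["www.example.test"], offset=2),
        "cdn.example.test": simulated_lookup(CONSTRUCTED_POOLS["cdn.example.test"], offset=0),
    }
    return audit(["mail.example.test"], ["www.example.test", "cdn.example.test"], resolved)


if __name__ == "__main__":
    r = demo()
    print("table covers %.0f%% of the real mail pool" % (100 * r["coverage"]["mail.example.test"]))
    for name, shared in r["collateral"].items():
        print(f"{name} also resolves to blocked addresses: {sorted(shared)}")
    print(r["pf_file"], end="")
```

In the constructed run the table holds four of the twenty machines that serve the blocked name (20% coverage, so most users still get through) and two of those four are also in the answer the allowed name returned, so some users of www.example.test get the block page. Both checks are things a periodic resolve-and-load script can report before it calls `pfctl`, rather than leaving them to be discovered the way Nick's office did.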
