On Fri, 2011-01-07 at 16:26 +0530, Girish Venkatachalam wrote:
> On Fri, Jan 7, 2011 at 2:43 PM, Martin Schröder <mar...@oneiros.de> wrote:
> >>
> >> And consequently pf which does not know a thing about domains does not help us.
> >
> > What exactly is the problem you want to solve?
> >
>
> Sorry for having been abstract.
>
> Here is the detailed explanation.
>
> One domain translates to around 100 IP addresses.
Yeah, it happens. If you look those IPs up via ARIN's whois[1] server you'll see that they are only a handful of netblocks and you can shove them into a PF table as needed. Have fun maintaining the tables. Because 1) You'll forget to update them periodically 2) You'll be SOL when there is a data center or network issue and suddenly everything is going to another netblock.

> But pf does not agree to using a domain and doing the domain to IP
> translation on the fly.

If you want to filter based on hostnames instead of IPs, you're going to have to filter based on packet content instead of packet headers. This means either a user space proxy, or having your internal DNS servers claim to be authoritative for those domains[2]. Oh, and if you do go the DNS route, you *WILL* forget to update periodically and you *WILL* be SOL when servers move around.

> Due to this, whatever IP address pf(4) knows at the time of ruleset
> loading alone works.
>
> And I do not want to use a userland proxy.

Yeah, and I do not want oodles of hot new blog articles on topics that were interesting 10-15 years ago... But I know there's no chance of that happening.

> How to do it?

In your case I think you should cough up lots of money to one of the companies selling a firewall that does deep packet analysis. Perhaps someone here would be kind enough to mention one that's the most expensive appliance that's just an off-the-shelf PC running *BSD and a transparent squid proxy with a pretty GUI front end.

Or you could have looked in /usr/ports/www/squid/Makefile and seen that squid in ports is already configured to be usable as a transparent proxy with the aid of pf(4).

Grouchy as always,
Chris Dukes

[1] Around since 1982 although it's changed a bit since then.
[2] If you go back to 1995 or so you'll find misguided IT managers using this approach to block big name R rated magazine sites while employees continued to grab increasingly nasty porn with no problems.
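A refresh script of the kind the reply alludes to (resolve the domains, fold the answers into netblocks, push them into a pf table from cron so the "you'll forget to update it" problem is automated away), as an added example that is not from the thread; the table name blocked_hosts, the pf.conf lines in its docstring and the /24 widening are assumptions:

```python
"""Keep a pf(4) table in step with DNS for a list of hostnames.
Added example, not code from the thread.  Assumes a pf.conf containing
    table <blocked_hosts> persist
    block out quick to <blocked_hosts>
and that refresh() runs from cron: the table is only as fresh as its last run.
"""
import ipaddress
import shutil
import socket
import subprocess
import tempfile

TABLE = "blocked_hosts"  # assumed table name, matching the pf.conf above

def resolve_dns(host):
    """Return every A/AAAA answer the system resolver gives for host."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})

def collect_networks(hosts, resolver=resolve_dns, v4_prefix=24):
    """Resolve each host and collapse the answers into a few netblocks.
    IPv4 answers are widened to /v4_prefix (assumption: a domain behind ~100
    addresses is served from a few contiguous blocks); IPv6 stays /128.
    """
    v4, v6 = [], []
    for host in hosts:
        for addr in resolver(host):
            ip = ipaddress.ip_address(addr)
            if ip.version == 4:
                v4.append(ipaddress.ip_network(f"{ip}/{v4_prefix}", strict=False))
            else:
                v6.append(ipaddress.ip_network(str(ip)))
    # collapse_addresses() rejects mixed versions, so merge each family separately
    merged = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return [str(n) for n in merged]

def pfctl_replace_cmd(table, networks):
    """Write one network per line and build the atomic 'pfctl -T replace'."""
    f = tempfile.NamedTemporaryFile("w", suffix=".pf", delete=False)
    f.write("\n".join(networks) + "\n")
    f.close()
    return ["pfctl", "-t", table, "-T", "replace", "-f", f.name]

def refresh(hosts, resolver=resolve_dns):
    """Rebuild the table; pfctl is only invoked where pf is actually present."""
    cmd = pfctl_replace_cmd(TABLE, collect_networks(hosts, resolver))
    if shutil.which("pfctl"):
        subprocess.run(cmd, check=True)
    return cmd
```

Run it from cron every few minutes; `-T replace` swaps the whole table in one step, so the ruleset never sees a half-updated list.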