The biggest problem I've run into with using DNS for pf rules is: when PF is first loaded, there is a VERY restrictive ruleset (not allowing NAT, etc). So if you've got a DNS server inside your firewall and you're using rules based on DNS names of hosts that your DNS server is not authoritative for (meaning that your DNS server has to connect to the Internet to get those IP addresses), then those rules will cause pfctl to NOT load your ruleset.
Since I'm only creating rules with hostnames that my internal DNS server (which my firewall uses) can resolve locally, I'm OK.

-ME

On Wed, 19 Jan 2005 13:02:10 -0600, Kevin <[EMAIL PROTECTED]> wrote:
> Are there any "gotchas" I should know about when using dns names in
> pf.conf, specifically in tables used as destinations for permit rules?
>
> The addresses for the hosts change, but relatively rarely. Is it
> safe/recommended to include the hostnames in pf.conf, or would it be
> better to just create text files listing the hostnames and create cron
> jobs to periodically refresh the tables, like this:
>
> @reboot pfctl -q -Treplace -tcvshosts -f /etc/cvshosts.txt
> @weekly pfctl -q -Treplace -tcvshosts -f /etc/cvshosts.txt
>
> This seems to add complexity where it is not really needed, assuming
> there are no risks or race conditions with putting DNS names into
> pf.conf and populating the tables at boot time and whenever I manually
> reload the ruleset?
>
> I am running a local caching resolver, but I do also list my ISP's
> nameserver in /etc/resolv.conf.
>
> Thanks,
>
> Kevin
>

--
http://mike.erdelynet.com/
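One way to get the table refresh Kevin describes without the load-time failure ME warns about is to keep hostnames out of pf.conf entirely, declare the table as `table <cvshosts> persist`, and have the cron job do the resolving. The script below is an added example, not code from either poster; it assumes that pf.conf declaration, a hosts file at /etc/cvshosts.txt with one name per line, and the function names (`parse_hosts_file`, `resolve_all`, `render_table`, `refresh_table`) are mine. Its one deliberate property is that it resolves every name before touching pf and refuses to call pfctl if any name fails, so a resolver outage at boot or at the weekly run leaves the previous addresses in the table instead of loading a shrunken one.

```python
#!/usr/bin/env python3
"""Refresh a pf table from a hostname list without ever loading a
half-populated table.

Added example (not from the thread). Assumes pf.conf declares
`table <cvshosts> persist` so the ruleset itself has no DNS dependency,
and that /etc/cvshosts.txt holds one hostname per line ('#' comments ok).
All names are resolved first; pfctl runs only when every one resolved."""
import ipaddress
import socket
import subprocess
import sys
import tempfile
from typing import Callable, Dict, List


def parse_hosts_file(text: str) -> List[str]:
    """Return hostnames from the file text, ignoring blanks and '#' comments."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.append(line)
    return names


def default_resolver(name: str) -> List[str]:
    """Resolve one name to all of its IPv4/IPv6 addresses via the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def resolve_all(names: List[str],
                resolver: Callable[[str], List[str]] = default_resolver
                ) -> Dict[str, List[str]]:
    """Resolve every name. Raise LookupError naming all failures instead of
    returning a partial result that would silently shrink the table."""
    resolved, failed = {}, []
    for name in names:
        try:
            addrs = resolver(name)
        except (OSError, LookupError):   # socket.gaierror, KeyError from a test resolver, ...
            addrs = []
        if addrs:
            resolved[name] = list(addrs)
        else:
            failed.append(name)
    if failed:
        raise LookupError("unresolved hosts, table left unchanged: " + ", ".join(failed))
    return resolved


def render_table(resolved: Dict[str, List[str]]) -> str:
    """Flatten to one address per line (IPv4 first, then IPv6), the format
    `pfctl -T replace -f` reads. Duplicates across names are collapsed."""
    addrs = {a for lst in resolved.values() for a in lst}

    def key(a: str):
        ip = ipaddress.ip_address(a)
        return (ip.version, int(ip))

    return "".join(a + "\n" for a in sorted(addrs, key=key))


def refresh_table(table: str, hosts_path: str,
                  resolver: Callable[[str], List[str]] = default_resolver,
                  pfctl: str = "pfctl") -> str:
    """Resolve the hosts file and replace the named pf table in one pfctl call.
    Returns the address list that was loaded; raises before touching pf on any failure."""
    with open(hosts_path) as fh:
        names = parse_hosts_file(fh.read())
    body = render_table(resolve_all(names, resolver))
    with tempfile.NamedTemporaryFile("w", suffix=".pf") as tmp:
        tmp.write(body)
        tmp.flush()
        subprocess.run([pfctl, "-q", "-t", table, "-T", "replace", "-f", tmp.name],
                       check=True)
    return body


if __name__ == "__main__":
    tbl = sys.argv[1] if len(sys.argv) > 1 else "cvshosts"
    path = sys.argv[2] if len(sys.argv) > 2 else "/etc/cvshosts.txt"
    try:
        sys.stdout.write(refresh_table(tbl, path))
    except LookupError as err:
        sys.exit(str(err))
```

Run it from the same `@reboot` and `@weekly` cron entries Kevin shows, in place of the bare `pfctl -Treplace` line; because the ruleset only references `<cvshosts>` and the table is `persist`, `pfctl -f /etc/pf.conf` succeeds even when the resolver is unreachable, and the script is the only thing that ever changes the table's contents.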