Hi,
You can use the following to achieve what you are looking for - not tested...
pf.conf:
table <goodguys> persist file "/etc/pfgoodips.txt" {}
shell script:
# chmod u+x /usr/local/scripts/updategood.sh
# cat /usr/local/scripts/updategood.sh
#!/bin/sh -x
# cd to a known directory, just for safety
cd /tmp || exit 1
NEWGOOD="/etc/newgoodips.txt"
PFGOOD="/etc/pfgoodips.txt"
OLDGOOD="/etc/oldgoodips.txt"
/bin/rm -f "$NEWGOOD"
# we create the file first so that all the lines that
# insert data can use ">>" not the first one using ">"
# better for looping
touch "$NEWGOOD"
# add all your good dns names here (dig +short prints one address per line;
# if the name is a CNAME it also prints the alias target, which pfctl rejects,
# so keep only dotted-quad lines):
dig +short something.somewhere.com | grep -E '^[0-9.]+$' >> "$NEWGOOD"
dig +short somethingelse.somewhere.com | grep -E '^[0-9.]+$' >> "$NEWGOOD"
# add good ips here:
echo "xxx.yyy.zzz.qqq" >> "$NEWGOOD"
# done with good ips
# keep the previous list around; -f so the first run (no old file) does not abort
mv -f "$PFGOOD" "$OLDGOOD"
cp "$NEWGOOD" "$PFGOOD"
# now update the table in pf: -t names the table, -T replace swaps its contents
pfctl -t goodguys -T replace -f "$PFGOOD"
crontab:
# crontab -l
# when the machine is rebooted we want to update the addresses right away:
@reboot /usr/local/scripts/updategood.sh > /tmp/updategood.out 2>&1
# depending on how often the ips change, change the frequency of this script
1 0 * * * cd /tmp;/usr/local/scripts/updategood.sh > /tmp/updategood.out 2>&1
Leslie Jensen wrote:
> Peter N. M. Hansteen wrote:
>> Leslie Jensen <[EMAIL PROTECTED]> writes:
>> With DNS names? That's likely to be your problem.
> Oh, I didn't know that! Can you tell me how to handle this?
>> The problem is that this makes your ruleset load dependent on working
>> name resolution, which may not be available at the time rc starts pf
>> and loads your rule set.
> The problem is these hosts are not fixed IPs so they use no-ip
> (http://www.no-ip.com/) to provide a fixed address.
>> That doesn't make things any easier, unfortunately. I'd say by all
>> means define the table, but wait until somewhere in your rc.local to
>> fill in those addresses (say, with a script that checks if each name
>> resolves, then adds the returned addresses to the table). Brittle,
>> but with a fighting chance of working.
> Now I'm not exactly a script kid ;-) Could you please give me some hints
> on how to do this?
> Thanks
> /Leslie
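As an added example (not the script from the mail above and not code from Peter or Leslie), here is a variant of the same updategood.sh idea that does what Peter suggests: it checks that each name actually resolves before adding anything, skips and logs names that do not, drops the CNAME lines that dig +short emits for aliases, and refuses to replace the table with an empty list. The table name goodguys, the /etc paths, and the host names and addresses are assumptions/placeholders to be replaced with your own.

```shell
#!/bin/sh
# Added example, not the original poster's script. Table name, file paths
# and the sample names/addresses below are assumptions; replace them.

TABLE="goodguys"
PFGOOD="/etc/pfgoodips.txt"
NEWGOOD="/etc/newgoodips.txt"
OLDGOOD="/etc/oldgoodips.txt"
# Constructed sample inputs: names to resolve and fixed addresses to add.
GOOD_NAMES="something.somewhere.com somethingelse.somewhere.com"
GOOD_IPS="192.0.2.10"

# Keep only syntactically valid IPv4 lines (four numeric octets, each <= 255).
# "dig +short" also prints the alias target when a name is a CNAME, and
# pfctl refuses to load a file that contains such lines.
filter_ips() {
    awk -F. 'NF == 4 {
        ok = 1
        for (i = 1; i <= 4; i++)
            if ($i !~ /^[0-9]+$/ || $i + 0 > 255) ok = 0
        if (ok) print $0
    }'
}

# Resolve one name to its A records. Prints nothing and returns 1 when the
# name does not resolve (resolver not up yet, typo, dynamic host offline).
resolve_name() {
    addrs=$(dig +short "$1" A 2>/dev/null | filter_ips)
    [ -n "$addrs" ] || return 1
    printf '%s\n' "$addrs"
}

# build_list RESOLVER NAMES STATIC_IPS OUTFILE
# Writes the combined address list to OUTFILE. A name that fails to resolve
# is logged and skipped so one dead name never blocks the rest. Returns 1
# when the resulting list is empty, so the caller can leave the table alone.
build_list() {
    resolver=$1; names=$2; ips=$3; out=$4
    : > "$out"
    for n in $names; do
        if ! "$resolver" "$n" >> "$out"; then
            echo "updategood: $n did not resolve, skipping" >&2
        fi
    done
    for ip in $ips; do
        printf '%s\n' "$ip" | filter_ips >> "$out"
    done
    [ -s "$out" ]
}

main() {
    cd /tmp || exit 1
    if ! build_list resolve_name "$GOOD_NAMES" "$GOOD_IPS" "$NEWGOOD"; then
        echo "updategood: no addresses at all, leaving <$TABLE> untouched" >&2
        exit 1
    fi
    # Keep the previous list for inspection, install the new one, then load
    # it into the named table (-t selects the table, -T replace swaps it).
    [ -f "$PFGOOD" ] && cp -f "$PFGOOD" "$OLDGOOD"
    mv -f "$NEWGOOD" "$PFGOOD"
    pfctl -t "$TABLE" -T replace -f "$PFGOOD"
}

# Only run main when invoked as the script itself, so the functions can be
# sourced or exercised on a box without dig or pfctl.
case "$0" in
    */updategood.sh|updategood.sh) main "$@" ;;
esac
```

Install it the same way as the script above (chmod u+x, run it from @reboot and from a cron entry), and watch stderr in /tmp/updategood.out: a "did not resolve" line tells you which dynamic name was down at the last run, and a "no addresses at all" line means the previous table contents were deliberately kept rather than wiped.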