> On Tue, Jun 14, 2016 at 09:29:33PM +0300, atar wrote:
>>> atar wrote on 06/14/2016 16:05:
>>>>> atar wrote on 06/14/2016 14:52:
>>>
>>> [...]
>>>
>>>>>> The hostname "google.com" isn't blocked since its current IP differs
>>>>>> from its previous IP when pf has loaded the rule. What can I do in order
>>>>>> to be able to block such sites (with many IP addresses)?
>>>>>
>>>>> I would use tables and populate them periodically from a shell script which
>>>>> can do FQDN to many IPs resolution.
>>>>>
>>>>> It can be as simple as this:
>>>>>
>>>>> host yahoo.com | awk '$0 ~ /has address/ { print $4 }' > /var/run/pf.yahoo_table
>>>>> pfctl -t yahoo_table -T replace -f /var/run/pf.yahoo_table
>>>>>
>>>>> I am sure you will find a better solution :)
>>>>>
>>>>> Miroslav Lachman
>>>> Thanks for your answer, it is an interesting idea.
>>>>
>>>> However, does this method of updating the pf tables periodically not disturb
>>>> or burden the performance of the pf filter engine, especially if the script
>>>> that updates the tables runs too often?
>>>
>>>
>>> How often is "too often"?
>>> I think that updating the tables every 5 minutes is enough (no one uses
>>> shorter TTL for DNS entries).
>>> The nicest thing about PF tables is you don't need to reload PF, and tables can
>>> live in memory (no need for a persistent file on the filesystem), so all
>>> operations are really quick.
>>> Our PF firewalls are using tables with thousands of entries without any
>>> issues.
>>> I don't see any trouble even if you update tables each minute.
>>>
>>> Miroslav Lachman
>>
>> Thanks again for replying.
>>
>> I don't know why, but even a refresh rate of one minute isn't enough for the
>> domains google.com or gmail.com.
>>
>> Even immediately after I load the table which has the rule to block the
>> above mentioned domains I am still able to access those domains. Sometimes
>> it is indeed blocked for half a minute, but finally the chromium browser
>> succeeds in loading them.
>
> If you are looking at blocking HTTP traffic, the only way I am aware of to
> effectively block that without jumping through a lot of hoops is to
> use something like squid, which can block based on domain no matter what
> the current IP address returned from DNS is. You can use PF to
> transparently proxy traffic exiting your gateway to squid, so there
> is no need to worry about proxy settings in the browser(s).
>
>
> www.google.com DNS TTLs are 5 minutes, so you shouldn't have to worry
> about the IP changing in less than a minute UNLESS your PF firewall
> and your browser use different DNS servers and could therefore get
> different answers.
>
> Regards,
>
> Gary
Hi Gary and thanks for replying.

After some searching I've found this page: https://doc.pfsense.org/index.php/Blocking_websites which says similar things to what you said, especially on hostnames that have a wide range of IPs.

Thank you, men, for your kind support!

Atar.
_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
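Below is an added example, not code from the thread or from any of its participants, of the cron-driven table refresh Miroslav describes, written the way I would deploy it. The table name `blocked_sites`, the state file under /var/run and the two pf.conf lines in the header are assumptions for illustration; `host` is the resolver tool from the FreeBSD base system and `pfctl -T replace` is the same in-place table swap Miroslav uses. It goes beyond his two-liner in three ways that matter for Atar's symptom: AAAA answers are kept as well as A answers (a pf table holds both, and a v4-only table leaves the site reachable over IPv6); addresses seen in earlier runs are retained by default, so a name that rotates through a pool is eventually blocked on every address it has handed out; and a run that resolves nothing leaves the table untouched instead of replacing it with an empty set, which would silently unblock everything.

```shell
#!/bin/sh
# pf-refresh-table.sh: keep a pf table in sync with the A/AAAA records of hostnames.
# Added example, not from the thread. Assumed pf.conf (hypothetical names):
#   table <blocked_sites> persist
#   block return out quick to <blocked_sites>
# Cron, every 5 minutes (the TTL Gary quotes above):
#   */5 * * * * /usr/local/sbin/pf-refresh-table.sh google.com gmail.com
set -u

TABLE="${TABLE:-blocked_sites}"                    # pf table name (assumed)
STATE_FILE="${STATE_FILE:-/var/run/pf.${TABLE}}"   # persisted address list (assumed path)
ACCUMULATE="${ACCUMULATE:-1}"                      # 1: keep addresses seen in earlier runs

# Extract addresses from `host` output on stdin. Keeps "has address" (A) and
# "has IPv6 address" (AAAA) lines; drops MX, alias and NXDOMAIN lines. The
# address is always the last field, so $NF works for both record types.
extract_addrs() {
    awk '/ has (IPv6 )?address / { print $NF }' | LC_ALL=C sort -u
}

# Merge two newline-separated address lists (either may be empty), deduplicated.
merge_addrs() {
    printf '%s\n%s\n' "$1" "$2" | grep -v '^$' | LC_ALL=C sort -u
}

# Resolve every hostname given as an argument with the firewall's own resolver.
# Clients must use the same resolver (Gary's point above), or their answers and
# the table's contents diverge and the block misses.
resolve_hosts() {
    for h in "$@"; do
        host "$h" 2>/dev/null
    done | extract_addrs
}

refresh_table() {
    new=$(resolve_hosts "$@")
    if [ -z "$new" ]; then
        # Resolver failure: fail closed by leaving the current table in place
        # rather than replacing it with nothing.
        echo "pf-refresh-table: no addresses resolved, table <$TABLE> left unchanged" >&2
        return 1
    fi
    old=""
    if [ "$ACCUMULATE" = 1 ] && [ -r "$STATE_FILE" ]; then
        old=$(cat "$STATE_FILE")
    fi
    merged=$(merge_addrs "$old" "$new")
    tmp="${STATE_FILE}.tmp.$$"
    printf '%s\n' "$merged" > "$tmp" && mv "$tmp" "$STATE_FILE"
    # -T replace swaps the table contents in the kernel; no pf.conf reload, no
    # rule-set interruption, and entries that disappeared are dropped.
    pfctl -t "$TABLE" -T replace -f "$STATE_FILE"
}

if [ "$#" -gt 0 ]; then
    refresh_table "$@"
fi
```

Use it as `pf-refresh-table.sh google.com gmail.com` from cron on the firewall itself; set `ACCUMULATE=0` to get Miroslav's exact replace-with-current-answers behaviour. The sample output the test feeds to `extract_addrs` uses RFC 5737 / RFC 3849 documentation addresses and is constructed, not real resolver output. If clients resolve names through a different path than the firewall (a different upstream, or a DNS-over-HTTPS resolver inside the browser), this whole approach degrades to the behaviour Atar reports, and the proxy-based blocking Gary suggests is the more reliable tool.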