The main problem you need to solve or work around is the situation where the name you want to resolve doesn't resolve at *ruleset load* and you end up with an invalid ruleset. In sane setups, the system would then run with either the default rules (check /etc/rc) or the previous version of your ruleset.
The easiest way to compensate for IP addresses that may change and avoid reloading the rules is to stick the possibly-changing addresses into tables that your rules reference, and run a script that resolves the names you're interested in and updates (replaces) table contents with the result of that script at whatever intervals you need (this is what cron was made for). That script could even put the results into files that you can then use as source for the initial values for table contents. Basically I think your scenario is easily solved with a reasonably structured set of PF rules and some fairly straightforward scripting involving host and pfctl commands.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
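The cron-driven refresh described above, as an added example that is not from the post or any PF project code: it parses host(1) output, replaces the table with pfctl, and persists the addresses to a file so the table can be seeded from it at ruleset load. The table name `dyn_hosts`, the state file path and the hostnames are assumed placeholders.

```sh
#!/bin/sh
# Constructed example: refresh a PF table from DNS on a cron schedule.
# Assumed: table <dyn_hosts> exists in pf.conf, e.g.
#   table <dyn_hosts> persist file "/var/db/pf-dyn_hosts.txt"
set -eu

TABLE="${PF_TABLE:-dyn_hosts}"                        # assumed table name
STATE_FILE="${PF_STATE_FILE:-/var/db/pf-${TABLE}.txt}" # assumed seed file

# Keep only A/AAAA answers from host(1) output read on stdin, one address
# per line, deduplicated. Alias, MX and "not found" lines are dropped, so a
# name that fails to resolve contributes nothing instead of garbage.
extract_addrs() {
    awk '
        $2 == "has" && $3 == "address"                  { print $4 }
        $2 == "has" && $3 == "IPv6" && $4 == "address"  { print $5 }
    ' | sort -u
}

# Resolve every name given as an argument; a lookup failure for one name
# must not abort the refresh of the others.
resolve_names() {
    for name in "$@"; do
        host "$name" 2>/dev/null || true
    done | extract_addrs
}

# Replace the table contents in one pfctl call and persist the result.
# If nothing resolved (DNS outage), leave the running table untouched
# rather than emptying it, which would silently change what the rules match.
update_table() {
    tmp=$(mktemp) || exit 1
    resolve_names "$@" > "$tmp"
    if [ ! -s "$tmp" ]; then
        echo "no addresses resolved; leaving <$TABLE> unchanged" >&2
        rm -f "$tmp"
        return 1
    fi
    pfctl -t "$TABLE" -T replace -f "$tmp"
    mv "$tmp" "$STATE_FILE"
}

# Usage from cron (hostnames are placeholders):
#   */10 * * * * /usr/local/sbin/pf-dns-refresh.sh mirror.example.org vpn.example.net
if [ $# -gt 0 ]; then
    update_table "$@"
fi
```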