On Mon, Nov 24, 2025 at 7:20 AM W. D. Sadeep <[email protected]> wrote:

> I'm thinking of blocking bad IPs using PF tables persisted to a file. I
> would like to use a cron job to periodically analyze access logs and
> update the PF table. I'd like some advice on how best to set it up:
>

In my experience, updating PF tables from files works best when the files
contain only IP addresses.

But sometimes, for reasons, you may want to specify a DNS name instead
of an IP address. When that happens, keep in mind that pfctl will look up
the DNS names at the time the table is loaded, and put the resolved
address(es) into the table. This has two important implications:

1. If you don't refresh the table periodically, it may become stale as the
IP addresses present in the table may not match the addresses currently
associated with those DNS names.

2. A DNS lookup failure for any single name will cause the entire add
operation to fail. In other words, if you load a file with 100 DNS names
and 1 name has a lookup failure, then none of the file will get loaded.
It won't just skip the 1 bad name, it will skip the whole file. To avoid
this problem you can write a script that reads the file and adds each entry
one at a time using separate pfctl -t {tablename} -T add {entry} commands.

-ken
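The one-entry-at-a-time loader described above, written out as an added shell script (not from the original post). It assumes the PF table name is given in TABLE, the input file has one IP or hostname per line with optional '#' comments, and the pfctl command can be swapped via the hypothetical PFCTL variable so the loop can be exercised with a stub:

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Loads a PF table one entry
# at a time so that a single DNS lookup failure only skips that entry instead
# of aborting the whole file (which is what "pfctl -t T -T add -f file" does).
# TABLE and the file path are assumptions; PFCTL is a hypothetical override
# so the loop can be tested with a stub instead of the real binary.

TABLE="${TABLE:-badhosts}"
PFCTL="${PFCTL:-pfctl}"

# add_entries FILE
# Ignores blank lines and '#' comments, runs "pfctl -t TABLE -T add ENTRY"
# once per entry, reports each failed entry on stderr, and returns the
# number of failures (0 means every entry was added).
add_entries() {
    file="$1"
    failed=0
    # "|| [ -n ... ]" keeps a last line that lacks a trailing newline.
    while IFS= read -r entry || [ -n "$entry" ]; do
        entry="${entry%%#*}"                                # drop comment
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')   # drop whitespace
        [ -z "$entry" ] && continue
        # pfctl's own stderr (e.g. the resolver error) is left visible.
        if ! "$PFCTL" -t "$TABLE" -T add "$entry" >/dev/null; then
            printf 'warning: could not add %s to table %s\n' \
                "$entry" "$TABLE" >&2
            failed=$((failed + 1))
        fi
    done < "$file"
    return "$failed"
}
```

Because every entry is a separate pfctl invocation this is slower than a single `-T replace` of the whole file, so it is worth reserving for lists that actually contain hostnames.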
