What do the client systems run?
If they are on a Windows 2000/2003 domain, use a GPO and block them as
untrusted.
Just a thought, because what you want is done above PF.
James
----- Original Message -----
From: "tony sarendal" <[EMAIL PROTECTED]>
To: "misc" <misc@openbsd.org>
Sent: Friday, April 21, 2006 7:46 AM
Subject: Re: pf blocking nets in a way like *.google.com ?
On 21/04/06, Moritz Grimm <[EMAIL PROTECTED]> wrote:
Lars Hansson wrote:
>> Why isn't it feasible to use Google's allocated netblock (216.239.32.0/19)?
>
> Because there's nothing that says that every *.google.com site has to be
> within a block allocated to Google.
Duh. The obvious solution is to have pf make a DNS lookup on each and
every packet that arrives.
Good stuff, disarm the subject with humour.
/Tony
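For reference, the netblock approach the thread discusses looks like this in pf.conf. This is an added example and not configuration posted by anyone in the thread; the interface name `em0`, the table name `google_net` and the prefix 216.239.32.0/19 (quoted from Lars's message) are assumptions for illustration, and the prefix should be checked against current allocations before use.

```pf
# Added example, not from the original thread.
ext_if = "em0"                     # assumed external interface

# Block by address range. pf matches on packet addresses only; it never
# does a DNS lookup per packet, so a name pattern like *.google.com
# cannot be expressed here.
table <google_net> const { 216.239.32.0/19 }   # assumed prefix, verify it

block out quick on $ext_if to <google_net>
```

A hostname may appear in a pf rule or table, but pfctl resolves it once, when the ruleset is loaded with `pfctl -f`, to whatever addresses DNS returns at that moment; names that resolve differently later, or hosts under the domain that were never listed, are not matched. Check the syntax with `pfctl -nf /etc/pf.conf` before loading it.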