Can I set pf to ignore invalid hosts?

[kjpetrie]

I have a FreeBSD server with a static IP address and a home PC with a dynamic IP address accessible through two dynamic DNS services for redundancy.

In /etc/pf.conf I have the line (line 35):

table <myhosts> { me.xxx.com, me.yyy.com }

to identify the dynamic DNS services. CRON flushes and reloads the rules to keep the address current.

I use this to ensure the server's SSH port is only visible from my home.

However, this morning I received several e-mails from CRON containing:

no IP address found for me.xxx.com
/etc/pf.conf:35: could not parse host specification
pfctl: Syntax error in config file: pf rules not loaded

Obviously, this is not what I'm trying to achieve by having two dynamic DNS services. I don't want to double the chance of failure; I want to reduce it through redundancy, so I need pfctl(8) to ignore any host in myhosts which is unavailable for some reason rather than to error out. How can I do this?

 

[DutchDaemon]

Use dig to harvest the IP addresses at regular intervals, and write them to a file (if the host actually resolves). Load that file from pf.conf into a table.

table <myhosts> persist file "/some/where/dynips.txt"

In pseudo code:

cp /dev/null /some/where/dynips.txt
for host in me.xxx.com me.yyy.com
do
if exist `dig +short $host`
then echo IP >> /some/where/dynips.txt
fi
done

pfctl -t myhost -Tr -f /some/where/dynips.txt

Some error handling should be done if neither host resolves, of course, but at least you won't fail inside pf.conf. PF is not graceful.

 

[kjpetrie]

Thanks. I'll look into that over the next few days to make sure I get it right and don't lock myself out!