hostname in pf.conf

Hello,

In pf.conf, with this entry everything is fine.
Code:
serverip="1.1.1.1"
If I change the IP to name.domain.tld, the pf rules fail to load at boot.
Code:
serverip="name.domain.tld"

Probably the pf rules are loaded before DNS resolution is available, which is probably a good thing. Is there a reliable solution for configuring FQDNs in pf.conf?

A workaround could be a cronjob like
Code:
@reboot /bin/sleep 20 && /sbin/pfctl -f pf.conf
but this feels crappy and might not be reliable. Another one is keeping entries in /etc/hosts, but that doesn't make sense since I still have to administer the IP addresses.
 
They are, as long as they can be resolved through the system resolver(3) at the time of loading the rules. I have my hostnames in /etc/hosts so they are always resolvable. Swa's problem is that the rules are loaded before DNS resolvers are available and he uses names that are not in /etc/hosts.
 
Thanks for your answers.

CoTones said:
Are you sure FQDNs are supported in pf?
Yes, I'm sure. If I manually (re)load pf rules everything is OK.

CoTones said:
Well then, after boot, run a periodic script that resolves names to IPs and writes them to a pf table file.
That I would like to avoid. I want the rules to be applied at boot, not after boot with cronjobs or scripts.
 
Hello,

What exactly are you trying to achieve?

I can give a typical example:

You are running DHCP and have a dyndns hostname, and you would like to allow access to your FQDN on some ports from some hosts; in this case the ruleset should look like:

Code:
ext_if="your_network_card"
pass in quick on $ext_if inet proto tcp from ip.ip.ip.ip to any port 80
 
Hi,

I was trying to simplify things so that I don't have to update /etc/pf.conf or /etc/hosts, but only the DNS record of the FQDN, whenever an IP changes. I have some pf rules with restrictions to IPs only.

Example rules
Code:
rdr pass on $ext_if proto tcp from $server1_ip to $server2_ip port $server2_port -> $jail_int_ip
rdr pass on $ext_if proto tcp from $smtpserver to ($ext_if) port $sqlport -> $mailserver

In the end it's not a big problem, but it's rather annoying to find out that the rules aren't loading after a reboot when I change $server1_ip to server1.domain.tld.
 
And what about a workaround like first loading your rules with everything blocked, then loading the rest of the pf rules that require working DNS from an rc script of your own?
 
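One way to implement the two ideas raised in this thread (a periodic script that resolves names into a pf table, and a two-stage load where the static ruleset comes up at boot without DNS and the name-dependent part is filled in once the resolver works). This is an added example script, not code from the thread or from the pf or FreeBSD projects. Assumptions, all of them made up for the example: the script is named pf_resolve_tables.sh and is started with the argument `update` from an rc.d script that runs after NETWORKING and pf (and after a local resolver daemon such as local_unbound or named, if one is used) and optionally again from cron; the list of tables lives in /usr/local/etc/pf-tables.conf with one `<table> <fqdn> [<fqdn> ...]` line per table; the last good address lists are kept under /var/db/pf-tables. On the pf.conf side each table is declared with `persist`, so the ruleset loads at boot with empty tables and the rules that reference them simply match nothing until the script has run.

```shell
#!/bin/sh
# pf_resolve_tables.sh (assumed name): fill pf tables from FQDNs after boot.
#
# pf.conf side (the static part loads at boot without DNS; an empty table
# matches nothing, so the rdr/pass rules simply do nothing until filled):
#   table <servers> persist
#   rdr pass on $ext_if proto tcp from <servers> to ($ext_if) port $sqlport -> $mailserver
#
# Invocation: "pf_resolve_tables.sh update" from an rc.d script that has
#   # REQUIRE: NETWORKING pf   (plus local_unbound/named if you run one)
# and optionally from cron so dyndns changes are picked up.
# Names are resolved with getent(1), i.e. through resolver(3)/nsswitch, so
# /etc/hosts entries work exactly like DNS answers.

set -u

# Config file (assumed path), one table per line: "<table> <name> [<name>...]".
TABLES_CONF="${PF_TABLES_CONF:-/usr/local/etc/pf-tables.conf}"
# Last good address list per table, also what pfctl reads (assumed path).
STATE_DIR="${PF_TABLES_STATE:-/var/db/pf-tables}"

# Strict dotted-quad check: four decimal octets, each 0-255, nothing else.
is_ipv4() {
    addr=$1
    case "$addr" in
        *[!0-9.]* | .* | *. | *..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Loose IPv6 literal check: hex digits and colons only, at least one colon.
# Good enough to keep garbage out of pfctl; pfctl validates the rest.
is_ipv6() {
    case "$1" in
        *[!0-9a-fA-F:]* | *:::*) return 1 ;;
        *:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read "getent hosts" output ("<address> <name> ...") on stdin and print the
# distinct addresses, one per line. Anything that is not a literal address
# is dropped, so resolver noise never ends up in a table.
addrs_from_getent() {
    while read -r addr _rest; do
        if is_ipv4 "$addr" || is_ipv6 "$addr"; then
            printf '%s\n' "$addr"
        fi
    done | sort -u
}

# Resolve every name given as an argument; warn (but continue) on failures.
resolve_names() {
    for name in "$@"; do
        getent hosts "$name" || printf 'warning: %s did not resolve\n' "$name" >&2
    done | addrs_from_getent
}

# Replace one table. If nothing resolved, keep the previous contents rather
# than emptying the table: a DNS outage must not silently change the policy
# that depends on it.
update_table() {
    table=$1
    shift
    tmp="$STATE_DIR/$table.tmp"
    resolve_names "$@" > "$tmp"
    if [ ! -s "$tmp" ]; then
        printf 'error: no addresses for table %s, keeping old contents\n' "$table" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$STATE_DIR/$table"
    # -T replace swaps the whole table in one go; the table must already
    # exist in the loaded ruleset ("table <name> persist" in pf.conf).
    pfctl -t "$table" -T replace -f "$STATE_DIR/$table"
}

update_all() {
    mkdir -p "$STATE_DIR"
    rc=0
    while read -r table names; do
        case "$table" in '' | \#*) continue ;; esac
        # word-splitting of $names into separate hostnames is intended
        update_table "$table" $names || rc=1
    done < "$TABLES_CONF"
    return $rc
}

case "${1:-}" in
    update) update_all ;;
esac
```

After the first run, `pfctl -t servers -T show` lists what the rules now match; the script has to run as root (or with access to /dev/pf) for `pfctl -T replace` to work. Keeping the old file and table contents when a name stops resolving is deliberate: an empty table would make an `rdr pass ... from <servers>` rule silently stop forwarding, and in a `block ... from <servers>` rule it would silently open the firewall, so a resolver hiccup should produce a warning, not a policy change.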