PF Problem with PF packet filter tables

When specifying addresses in PF tables, IP addresses as well as hostnames may be used. The problem is that a hostname may not be resolved when PF is started. When this happens the following line can be found in /var/log/console.log:
Code:
 console.log:Nov 14 16:37:24 mybox kernel: no IP address found for xxxxxx.xxx
When this happens, PF is started without any rules, leaving the host unprotected. This is by no means what is expected. So the number of hostnames in tables increases the risk that the firewall ends up in an unusable state.

If this is no bug, what would be good practice to work around this behavior?
 
The usual answer is: use a table to store the IP address of the hostname (PF will start fine with an empty table) and use a cron job that populates the table with the IP address of that hostname. So the lookup happens outside of PF, and the result is put into a table with pfctl -t tablename -Ta $ip. If there are multiple IPs associated with the hostname, use some scripting tricks to add all of them, and/or use the proper pfctl(8) syntax to flush (<- hint) out obsolete values.
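The cron-driven approach described above, as an added example that is not from this thread: the table name example_hosts, the script path and the host(1) output format are assumptions; pf.conf only references the table (e.g. `table <example_hosts> persist`), so it loads without any name lookup.

```shell
#!/bin/sh
# Refresh a PF table from DNS outside of PF. Added example; "example_hosts"
# and the host(1) output format are assumptions.
set -u

TABLE="${TABLE:-example_hosts}"

# Pull A and AAAA records out of host(1) output, e.g.
#   example.com has address 192.0.2.10
#   example.com has IPv6 address 2001:db8::10
# CNAME lines ("is an alias for") and error text carry no address and are skipped.
parse_host_output() {
    awk '/ has address / || / has IPv6 address / { print $NF }'
}

# Resolve every address of one hostname, deduplicated, one per line.
resolve_ips() {
    host "$1" 2>/dev/null | parse_host_output | LC_ALL=C sort -u
}

# Replace the table contents in one step: "-T replace" adds new addresses
# and drops the ones no longer listed, which is how obsolete entries get
# flushed. A failed lookup yields no addresses and must not empty the table,
# otherwise a DNS hiccup would silently remove the rule's targets.
refresh_table() {
    table=$1
    shift
    if [ "$#" -eq 0 ]; then
        echo "refresh_table: no addresses resolved, leaving <$table> untouched" >&2
        return 1
    fi
    pfctl -t "$table" -T replace "$@"
}

# Usage from cron, e.g. every 10 minutes, listing every hostname that feeds
# the table so one replace covers all of them:
#   */10 * * * * /usr/local/sbin/pf-table-refresh.sh www.example.com mail.example.com
if [ "$#" -gt 0 ]; then
    ips=$(for h in "$@"; do resolve_ips "$h"; done | LC_ALL=C sort -u)
    # word-splitting $ips into separate pfctl arguments is intended
    refresh_table "$TABLE" $ips
fi
```

Because replace is whole-table, every hostname that belongs in the table has to be passed in the same run; otherwise the second run removes what the first one added.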

If the hostname has a (sufficiently) static IP, just use that.
 
The name resolution at the time of the rule compilation does use /etc/hosts (assuming it's used in /etc/nsswitch.conf which is the default setting) so you can put the names there.
 