If you really must have it, define a table in /etc/pf.conf like so:
table <i_hate_you> persist (dig|nslookup|host|whatever) | (cut|awk|whatever) | xargs pfctl -ti_hate_you -Ta Eh, not reallyJust it would be elegant to use pf
I don't use pf so I can't test this idea, but it might be worth a try to add your subnetwork to /etc/networks. This is assuming that your hostname resolution order is hosts first, dns second, which I'm pretty sure is the default. Just add the lineHi there,
I think it's impossible to do but sometimes maybe it's just that I can't see a way to do it
The subject is that I would like to put rules based on domain or sub-domain.
So, not :
pass in from 111.111.0.0/16
but more like :
pass in from somenet.org
So, not possible ?
somenet.org 111.111 under the /etc/networks entry for subnet2. If it doesn't work you can easily remove the line later.Yes but it will not do that each time a packet want to get in but only once.(dig|nslookup|host|whatever) | (cut|awk|whatever) | xargs pfctl -ti_hate_you -Ta
If you happen to know the address of the domain/network in question in advance, it's a bit pointless to use it's name instead, is it not? And a macro definition inside /etc/pf.conf would accomplish the same, while being more elegant.
Well that assume all network address of 111.111 are the same domain. Wich may be wrong. 111.111.1.12 should be srv1.somenet.org and 111.111.1.13 srv2.myothernet.org. Assuming I have more than one domain.
I cant know the address in advance or it would be trivial to enter rules based on network and/or ip lists.
Er, what?! Why would it? Once the address(es) is/are in the table, they stay there and get applied each time a rule references that table. The table just doesn't persist between boots, so after restarting the system you need to fill the table again.
That's also not a problem if you use a table, as it can contain any mix of single addresses, network blocks and even IPv4 and IPv6 addresses,
You are mixing up entirely different concepts here. Blocking by country can be done with a map that knows what IP blocks have been issued within which countries, like geoip. A domain name is nothing like that. You can register a domain name, put up one server say aaa.my.domain in malaysia, a second one bbb.my.domain in tokyo and a third one ccc.my.domain in paris. All three servers could use IP addresses from entirely different IP blocks, issued by different providers and yet all those server IPs belong to the my.domain domain. So how do you want to find out which IP addresses are part of the my.domain domain? Probably the only way would be to recursively list the DNS records of my.domain, and to my knowledge most if not all DNS servers do not allow that. I guess the closest thing you will get is to ask whois about an address you know belongs to whoever you're trying to block and block the entire CIDR block that whois returns. But even then, it's just one network block. Who says the party you're trying to lock out doesn't have others?
HEY, that's it !
host -l -a somedomain.org dns.somedomain.org | awk '$4=="A" {print $5}' host -l -a google.com ns1.google.com | awk '$4=="A" {print $5}'
That means the maintainer of that DNS domain is an idiot. This is a major security leak and any DNS maintainer worth his/her salt would have made this impossible.
Well, that dont means anybody from anywhere can request the DNS like this. I'll check it soon.
Hi there,
I think it's impossible to do but sometimes maybe it's just that I can't see a way to do it
The subject is that I would like to put rules based on domain or sub-domain.
So, not :
pass in from 111.111.0.0/16
but more like :
pass in from somenet.org
So, not possible ?
table <myTable> persist file "/location/myfile.txt"
pass in quick from <myTable> myfile.txt, line separated. When you reload the PF, it will do simple dns query to resolve the host/domain into IP address and automatically add resulting IP into the table. But if the resolve process fail, pf will not reload.