From owner-freebsd-questions Mon Feb 5 15:47:52 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from dan.emsphone.com (dan.emsphone.com [199.67.51.101]) by hub.freebsd.org (Postfix) with ESMTP id B119D37B6A2 for ; Mon, 5 Feb 2001 15:47:34 -0800 (PST)
Received: (from dan@localhost) by dan.emsphone.com (8.11.1/8.11.1) id f15NlTL12543; Mon, 5 Feb 2001 17:47:29 -0600 (CST) (envelope-from dan)
Date: Mon, 5 Feb 2001 17:47:29 -0600
From: Dan Nelson
To: "reel@sympatico.ca"
Cc: Ryan Masse , FreeBSD-Questions
Subject: Re: ipfw rules
Message-ID: <20010205174729.A5698@dan.emsphone.com>
References: <20010205171646.B9781@dan.emsphone.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.14i
In-Reply-To: ; from "reel@sympatico.ca" on Mon Feb 5 18:25:56 GMT 2001
X-OS: FreeBSD 5.0-CURRENT
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

In the last episode (Feb 05), reel@sympatico.ca said:
> On Mon, 5 Feb 2001, Dan Nelson wrote:
> > In the last episode (Feb 05), Ryan Masse said:
> > > Is it possible to include wildcard characters with an ipfw rule?
> > >
> > > ipfw add allow all from 192.* to any 80
> >
> > ipfw add allow all from 192.0.0.0/8 to any 80
> >
> > > or even ipfw deny all from *.ru to any etc
> >
> > That would require a DNS lookup.
>
> But, would that work with like, *.my? With the DNS lookup?
>
> If so, how can I do that?

You would have to use divert sockets to send the packets to a userland
program. The program would have to do a couple things:

- keep a cache of unresolvable IP numbers
- keep a cache of IP number -> domain name entries
- keep a list of pending DNS lookups

As a packet comes in, it would first check against the unresolvable list.
If it hits, deny the packet. Then check the IP->domain mapping table. If
it's in the table and matches "*.my", allow the packet. If it's in the
table and doesn't match, deny the packet. If it's not in the table, send
an async DNS request and drop the packet. As DNS replies come in, add them
to the IP->domain table, or the unresolvable table if the IP doesn't
resolve or if there is no answer after 30 seconds (DNS server possibly
down).

-- 
Dan Nelson
dnelson@emsphone.com
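The three tables and the per-packet decision described in the reply above, as an added example that is not code from the original post or from FreeBSD. It assumes a hypothetical "allow only hosts under .my" policy and a 30-second lookup timeout; the divert socket I/O (socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT) plus recvfrom/sendto) and the asynchronous resolver are deliberately left out, so the program below is the verdict logic only, with constructed DNS answers fed in through filter_dns_reply().

```c
/* Verdict logic for a userland ipfw divert-socket filter that allows
 * traffic only from hosts whose reverse DNS name ends in a given suffix.
 * Added example, not from the original post. The divert socket I/O and the
 * asynchronous resolver are left out: answers are fed in through
 * filter_dns_reply(), so the caching and timeout logic runs stand-alone. */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_ENTRIES 256
#define DNS_TIMEOUT 30      /* seconds before an unanswered lookup counts as unresolvable */
#define SUFFIX ".my"        /* hypothetical policy: allow only hosts under .my */

enum verdict { VERDICT_ALLOW, VERDICT_DENY, VERDICT_DROP_PENDING };

struct entry {
    char ip[16];            /* dotted-quad source address */
    char name[256];         /* reverse name; empty when unresolvable */
    time_t asked;           /* when the PTR query was sent (pending table only) */
    int resolved;           /* cache table: 1 = has a name, 0 = unresolvable */
};

static struct entry cache[MAX_ENTRIES];   /* ip -> name, or ip marked unresolvable */
static int ncache;
static struct entry pending[MAX_ENTRIES]; /* lookups in flight */
static int npending;

static struct entry *find(struct entry *tab, int n, const char *ip)
{
    for (int i = 0; i < n; i++)
        if (strcmp(tab[i].ip, ip) == 0)
            return &tab[i];
    return NULL;
}

/* Suffix match including the dot: "x.example.my" matches ".my", "x.army" does not. */
static int name_matches(const char *name)
{
    size_t nl = strlen(name), sl = strlen(SUFFIX);
    return nl > sl && strcmp(name + nl - sl, SUFFIX) == 0;
}

/* Called for each diverted packet with its source address. */
enum verdict filter_decide(const char *ip, time_t now)
{
    struct entry *e = find(cache, ncache, ip);
    if (e) {
        if (!e->resolved)
            return VERDICT_DENY;                    /* known unresolvable */
        return name_matches(e->name) ? VERDICT_ALLOW : VERDICT_DENY;
    }
    if (!find(pending, npending, ip) && npending < MAX_ENTRIES) {
        struct entry *p = &pending[npending++];
        memset(p, 0, sizeof *p);
        snprintf(p->ip, sizeof p->ip, "%s", ip);
        p->asked = now;
        /* real program: send the PTR query for ip here, without blocking */
    }
    return VERDICT_DROP_PENDING;                    /* drop; the retransmit will hit the cache */
}

/* Resolver callback. name == NULL means NXDOMAIN, SERVFAIL or timeout. */
void filter_dns_reply(const char *ip, const char *name)
{
    struct entry *p = find(pending, npending, ip);
    if (p)
        *p = pending[--npending];                   /* swap-remove from the pending list */
    if (find(cache, ncache, ip) || ncache >= MAX_ENTRIES)
        return;
    struct entry *e = &cache[ncache++];
    memset(e, 0, sizeof *e);
    snprintf(e->ip, sizeof e->ip, "%s", ip);
    if (name) {
        snprintf(e->name, sizeof e->name, "%s", name);
        e->resolved = 1;
    }
}

/* Called from the main loop every second or so: lookups older than DNS_TIMEOUT
 * are recorded as unresolvable (name server possibly down). Returns how many expired. */
int filter_expire(time_t now)
{
    int expired = 0, i = 0;
    while (i < npending) {
        if (now - pending[i].asked >= DNS_TIMEOUT) {
            char ip[16];
            snprintf(ip, sizeof ip, "%s", pending[i].ip);
            filter_dns_reply(ip, NULL);             /* swap-removes pending[i]; re-check slot i */
            expired++;
        } else {
            i++;
        }
    }
    return expired;
}

int main(void)
{
    /* Constructed walk-through: a packet arrives, the PTR answer comes in, the next packet passes. */
    printf("first packet: verdict %d (2 = dropped, lookup pending)\n", filter_decide("203.0.113.5", 1000));
    filter_dns_reply("203.0.113.5", "gw.example.my");   /* constructed PTR answer */
    printf("after answer: verdict %d (0 = allow)\n", filter_decide("203.0.113.5", 1001));
    return 0;
}
```

Two caveats a practitioner would add before deploying anything like this: the first packet from every new host is dropped, so the design relies on TCP retransmits (a UDP-only flow from a fresh host is lost until its name is cached); and a PTR record is set by whoever controls the reverse zone for the address block, so a "deny *.ru" rule is trivially evaded and an "allow *.my" rule should at least forward-confirm the name (resolve it back to A records and check the source IP is among them) before the allow is trusted.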