Date: Mon, 5 Feb 2001 17:47:29 -0600
From: Dan Nelson <dnelson@emsphone.com>
To: "reel@sympatico.ca" <reel@idemnia.ath.cx>
Cc: Ryan Masse <rmasse@mastery.ca>, FreeBSD-Questions <freebsd-questions@FreeBSD.ORG>
Subject: Re: ipfw rules
Message-ID: <20010205174729.A5698@dan.emsphone.com>
In-Reply-To: <Pine.BSF.4.31.0102051825060.59106-100000@idemnia.ath.cx>; from "reel@sympatico.ca" on Mon Feb 5 18:25:56 GMT 2001
References: <20010205171646.B9781@dan.emsphone.com> <Pine.BSF.4.31.0102051825060.59106-100000@idemnia.ath.cx>
In the last episode (Feb 05), reel@sympatico.ca said:
> On Mon, 5 Feb 2001, Dan Nelson wrote:
> > In the last episode (Feb 05), Ryan Masse said:
> > > Is it possible to include wildcard characters with an ipfw rule?
> > >
> > > ipfw add allow all from 192.* to any 80
> >
> > ipfw add allow all from 192.0.0.0/8 to any 80
> >
> > > or even ipfw deny all from *.ru to any etc
> >
> > That would require a DNS lookup.
>
> But, would that work with, like, *.my? With the DNS lookup?
>
> If so, how can I do that?

You would have to use divert sockets to send the packets to a userland
program.  The program would have to do a couple of things:

- keep a cache of unresolvable IP numbers
- keep a cache of IP number -> domain name entries
- keep a list of pending DNS lookups

As a packet comes in, it would first check against the unresolvable
list.  If it hits, deny the packet.  Then check the IP->domain mapping
table.  If it's in the table and matches "*.my", allow the packet.  If
it's in the table and doesn't match, deny the packet.  If it's not in
the table, send an async DNS request and drop the packet.

As DNS replies come in, add them to the IP->domain table, or to the
unresolvable table if the IP doesn't resolve or if there is no answer
after 30 seconds (DNS server possibly down).

-- 
	Dan Nelson
	dnelson@emsphone.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
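The decision logic Dan sketches above, written out as an added example (it is not part of the original message and not code from FreeBSD or ipfw). The class keeps the three tables he lists (unresolvable IPs, IP -> domain name, pending lookups) and applies his rules in the order given: unresolvable -> deny; resolved and matching the pattern -> allow; resolved and not matching -> deny; unknown -> issue one lookup and drop; a lookup with no answer after 30 seconds -> unresolvable. It does not open a divert socket: source addresses and DNS replies are fed in by hand, and the clock and the list of issued lookups are constructed stand-ins so the demo runs offline. The names DomainFilter, packet(), dns_reply(), demo() and the RFC 5737 test addresses are my own choices, not anything from the thread.

```python
import fnmatch
import ipaddress
import time


class DomainFilter:
    """Per-packet allow/deny/drop decision keyed on the reverse-DNS name.

    Assumed design (example code, not from the original post): the caller
    receives packets from a divert socket and calls packet(src_ip); any
    DROP means "swallow the packet and wait for the DNS reply".
    """

    ALLOW, DENY, DROP = "allow", "deny", "drop"

    def __init__(self, pattern, send_lookup, clock=time.monotonic, timeout=30.0):
        self.pattern = pattern.lower()      # e.g. "*.my"
        self.send_lookup = send_lookup      # callback that issues an async PTR query
        self.clock = clock                  # injectable so the timeout is testable
        self.timeout = timeout              # seconds before a silent lookup is given up
        self.unresolvable = set()           # table 1: IPs with no usable name
        self.resolved = {}                  # table 2: IP -> domain name
        self.pending = {}                   # table 3: IP -> time the lookup was sent

    def packet(self, src_ip):
        """Decide what to do with one packet from src_ip."""
        ip = str(ipaddress.ip_address(src_ip))   # normalise the textual address
        self.expire_pending()
        if ip in self.unresolvable:
            return self.DENY
        name = self.resolved.get(ip)
        if name is not None:
            # Resolved: the name decides. fnmatch's "*" also matches dots,
            # so "*.my" matches "www.example.my" as the post intends.
            return self.ALLOW if fnmatch.fnmatchcase(name, self.pattern) else self.DENY
        if ip not in self.pending:
            # Unknown and not yet asked about: ask once, then drop until answered.
            self.pending[ip] = self.clock()
            self.send_lookup(ip)
        return self.DROP

    def dns_reply(self, ip, name):
        """Record an answer. name=None means NXDOMAIN / no PTR record."""
        self.pending.pop(ip, None)
        if name is None:
            self.unresolvable.add(ip)
        else:
            self.resolved[ip] = name.rstrip(".").lower()

    def expire_pending(self):
        """Move lookups with no answer after `timeout` seconds to the unresolvable table."""
        now = self.clock()
        for ip, sent in list(self.pending.items()):
            if now - sent >= self.timeout:
                del self.pending[ip]
                self.unresolvable.add(ip)


def demo():
    """Drive the filter with constructed packets and replies; returns (decisions, lookups)."""
    clock = [0.0]                     # fake clock, advanced by hand
    lookups = []                      # every PTR query the filter asked for
    f = DomainFilter("*.my", lookups.append, clock=lambda: clock[0])
    out = []
    out.append(f.packet("203.0.113.5"))        # unknown -> drop, lookup sent
    out.append(f.packet("203.0.113.5"))        # still pending -> drop, no second lookup
    f.dns_reply("203.0.113.5", "www.example.my.")
    out.append(f.packet("203.0.113.5"))        # resolved, matches *.my -> allow
    out.append(f.packet("198.51.100.7"))       # unknown -> drop, lookup sent
    f.dns_reply("198.51.100.7", "host.example.ru")
    out.append(f.packet("198.51.100.7"))       # resolved, no match -> deny
    f.dns_reply("192.0.2.10", None)            # NXDOMAIN straight into the unresolvable table
    out.append(f.packet("192.0.2.10"))         # -> deny
    out.append(f.packet("192.0.2.9"))          # unknown -> drop, lookup sent
    clock[0] = 31.0                            # 30 s pass with no answer
    out.append(f.packet("192.0.2.9"))          # timed out -> unresolvable -> deny
    return out, lookups


if __name__ == "__main__":
    decisions, issued = demo()
    print(decisions)
    print(issued)
```

One caveat worth keeping in mind with any filter built this way: the PTR name comes from whoever controls the reverse zone for the address block, so an address can be given any name its owner likes. Before trusting a "*.my" match you would want to resolve the returned name forward and confirm it maps back to the same IP.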