From owner-freebsd-pf@freebsd.org Tue Jun 14 12:52:38 2016
Subject: Filter connections based on the hostname.
From: atar
Message-Id: <5858A82C-FB66-4D67-A676-47EABED976CE@gmail.com>
Date: Tue, 14 Jun 2016 15:52:32 +0300
To: "freebsd-pf@freebsd.org"

Hi there,

In the pf.conf man page, it is stated that it's possible to write inside a rule a hostname instead of an IP address and the resolver will take care of converting the hostname into its IP address when the pf process loads its configuration file.

The problem arises when a particular hostname has many IP addresses, like in the case of "google.com", "gmail.com" etc., and the IP address that "google.com" - for instance - is now (at the time that the user navigates his Internet browser to "google.com") resolved to isn't in the list of the IP addresses that the resolver has put in the rule when the pf configuration file has been loaded.
Now assuming that I have created a rule that looks something like this:

    block from any to "google.com"

The hostname "google.com" isn't blocked since its current IP differs from its previous IP when pf loaded the rule. What can I do in order to be able to block such sites (with many IP addresses)?

Regards,
Atar.
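One common way to handle this on FreeBSD, shown here as an added example and not as anything from the mail or the pf project: keep the addresses in a pf table and refresh that table from the resolver periodically, so the rule matches whatever the names resolve to now rather than at load time. The table name, the pf.conf fragment and the sample host(1) output used by the parser are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: keep a pf table in sync with the current A/AAAA records of a
# list of hostnames, instead of baking the addresses into a rule at load time.
# Assumed pf.conf fragment (the table name is an assumption):
#
#   table <blocked_sites> persist
#   block drop quick from any to <blocked_sites>
#
# Run as root from cron every few minutes:  /path/to/refresh_blocked.sh refresh
set -eu

TABLE="blocked_sites"          # assumed table name, must match pf.conf
HOSTS="google.com gmail.com"   # hostnames from the mail

# Pull IPv4 and IPv6 addresses out of host(1) output such as
#   "example.com has address 192.0.2.1"
#   "example.com has IPv6 address 2001:db8::1"
# and ignore MX/CNAME lines; duplicates are collapsed by sort -u.
parse_host_addresses() {
    printf '%s\n' "$1" | awk '/ has (IPv6 )?address / { print $NF }' | sort -u
}

# Resolve every hostname now, collecting all answers the resolver returns.
resolve_all() {
    for h in $HOSTS; do
        parse_host_addresses "$(host "$h" 2>/dev/null || true)"
    done | sort -u
}

# Replace the table contents in one pfctl call. A resolver failure yields an
# empty list; in that case keep the old entries rather than emptying the table.
refresh_table() {
    addrs=$(resolve_all)
    if [ -z "$addrs" ]; then
        echo "resolver returned nothing; leaving <$TABLE> unchanged" >&2
        return 1
    fi
    # shellcheck disable=SC2086   # word splitting of $addrs is intended
    pfctl -t "$TABLE" -T replace $addrs
}

# Only touch pf when asked to, so the functions above can be sourced or tested.
if [ "${1:-}" = "refresh" ]; then
    refresh_table
fi
```

Note that this only blocks the addresses your own resolver hands back at refresh time; large providers answer differently per client and region, so a name-based block built this way is best-effort and should be checked with `pfctl -t blocked_sites -T show` after each run.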