Date: Tue, 14 Jun 2016 15:52:32 +0300
From: atar <atar.yosef@gmail.com>
To: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: Filter connections based on the hostname.
Message-ID: <5858A82C-FB66-4D67-A676-47EABED976CE@gmail.com>
Hi there,

In the pf.conf man page, it is stated that it's possible to write inside a rule a hostname instead of an IP address and the resolver will take care of converting the hostname into its IP address when the pf process loads its configuration file.

The problem arises when a particular hostname has many IP addresses, as in the case of "google.com", "gmail.com" etc., and the IP address that "google.com" - for instance - is now resolved to (at the time that the user navigates his Internet browser to "google.com") isn't in the list of the IP addresses that the resolver put in the rule when the pf configuration file was loaded.

Now assuming that I have created a rule that looks something like this:

'block from any to "google.com"'

The hostname "google.com" isn't blocked since its current IP differs from its previous IP when pf loaded the rule. What can I do in order to be able to block such sites (with many IP addresses)?

Regards,
Atar.
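Added example, not part of the original post: one way to keep a pf block rule tracking a hostname's current addresses is to point the rule at a pf table and refresh that table from DNS on a schedule, instead of relying on the one-time resolution pf does at load time. It assumes pf.conf declares `table <blocked_hosts> persist` and `block from any to <blocked_hosts>`, and that host(1) is available; the table name and the cron invocation are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes pf.conf contains:
#   table <blocked_hosts> persist
#   block from any to <blocked_hosts>
# Run from cron so the table follows the current A/AAAA records rather
# than the addresses pf resolved once when the ruleset was loaded.

# Turn host(1) output into one address per line. Only "has address" and
# "has IPv6 address" lines are kept; CNAME, MX and NXDOMAIN lines are dropped.
parse_host_addrs() {
    awk '/ has (IPv6 )?address / { print $NF }'
}

# Resolve every hostname given as an argument and emit the merged address
# list, sorted and de-duplicated so repeated refreshes are idempotent.
resolve_hosts() {
    for h in "$@"; do
        host "$h" 2>/dev/null | parse_host_addrs
    done | sort -u
}

# Replace the table contents in one step: pfctl -T replace adds addresses
# that are new and removes ones that no longer resolve.
# If nothing resolved (DNS outage, typo), leave the table as it is rather
# than emptying it and silently unblocking everything.
refresh_table() {
    table="$1"; shift
    addrs=$(resolve_hosts "$@")
    if [ -z "$addrs" ]; then
        echo "no addresses resolved, table <$table> left unchanged" >&2
        return 1
    fi
    printf '%s\n' "$addrs" | pfctl -t "$table" -T replace -f -
}

# Only touch pf when explicitly asked, e.g. from a cron entry such as:
#   */10 * * * * PF_REFRESH=1 /usr/local/sbin/pf-refresh.sh blocked_hosts google.com gmail.com
if [ "${PF_REFRESH:-0}" = "1" ]; then
    refresh_table "$@"
fi
```

Because the refresh only runs every few minutes, a record that changes between two runs is still missed for that window; the table approach narrows the gap the post describes, it does not close it.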