From owner-freebsd-pf@freebsd.org Tue Jun 14 12:52:38 2016
From: atar
To: freebsd-pf@freebsd.org
Date: Tue, 14 Jun 2016 15:52:32 +0300
Subject: Filter connections based on the hostname.
Message-Id: <5858A82C-FB66-4D67-A676-47EABED976CE@gmail.com>

Hi there,

In the pf.conf man page, it is stated that it's possible to write a hostname instead of an IP address inside a rule, and the resolver will take care of converting the hostname into its IP address when the pf process loads its configuration file.

The problem arises when a particular hostname has many IP addresses, as in the case of "google.com", "gmail.com" etc., and the IP address that "google.com", for instance, resolves to now (at the time the user navigates his Internet browser to "google.com") isn't in the list of IP addresses that the resolver put in the rule when the pf configuration file was loaded.

Now assuming that I have created a rule that looks something like this:

'block from any to "google.con"'

The hostname "google.com" isn't blocked since its current IP differs from its previous IP when pf loaded the rule. What can I do in order to be able to block such sites (with many IP addresses)?

Regards,
Atar.

From: Miroslav Lachman <000.fbsd@quip.cz>
To: atar, freebsd-pf@freebsd.org
Date: Tue, 14 Jun 2016 15:20:01 +0200
Subject: Re: Filter connections based on the hostname.
Message-ID: <57600481.6080204@quip.cz>
atar wrote on 06/14/2016 14:52:
> Hi there,
>
> In the pf.conf man page, it is stated that it's possible to write a hostname instead of an IP address inside a rule, and the resolver will take care of converting the hostname into its IP address when the pf process loads its configuration file.
>
> The problem arises when a particular hostname has many IP addresses, as in the case of "google.com", "gmail.com" etc., and the IP address that "google.com", for instance, resolves to now (at the time the user navigates his Internet browser to "google.com") isn't in the list of IP addresses that the resolver put in the rule when the pf configuration file was loaded.
>
> Now assuming that I have created a rule that looks something like this:
>
> 'block from any to "google.con"'
>
> The hostname "google.com" isn't blocked since its current IP differs from its previous IP when pf loaded the rule. What can I do in order to be able to block such sites (with many IP addresses)?

I would use tables and populate them periodically from a shell script which can do FQDN to many IPs resolution.

It can be as simple as this:

host yahoo.com | awk '$0 ~ /has address/ { print $4 }' > /var/run/pf.yahoo_table
pfctl -t yahoo_table -T replace -f /var/run/pf.yahoo_table

I am sure you will find a better solution :)

Miroslav Lachman
From: atar
To: freebsd-pf@freebsd.org
Date: Tue, 14 Jun 2016 17:05:17 +0300
Subject: Re: Filter connections based on the hostname.
Message-Id: <08195C33-DC97-4ADD-9C0A-D9493E2C29F7@gmail.com>

> atar wrote on 06/14/2016 14:52:
>> Hi there,
>>
>> In the pf.conf man page, it is stated that it's possible to write a hostname instead of an IP address inside a rule, and the resolver will take care of converting the hostname into its IP address when the pf process loads its configuration file.
>>
>> The problem arises when a particular hostname has many IP addresses, as in the case of "google.com", "gmail.com" etc., and the IP address that "google.com", for instance, resolves to now (at the time the user navigates his Internet browser to "google.com") isn't in the list of IP addresses that the resolver put in the rule when the pf configuration file was loaded.
>>
>> Now assuming that I have created a rule that looks something like this:
>>
>> 'block from any to "google.con"'
>>
>> The hostname "google.com" isn't blocked since its current IP differs from its previous IP when pf loaded the rule. What can I do in order to be able to block such sites (with many IP addresses)?
>
> I would use tables and populate them periodically from a shell script which can do FQDN to many IPs resolution.
>
> It can be as simple as this:
>
> host yahoo.com | awk '$0 ~ /has address/ { print $4 }' > /var/run/pf.yahoo_table
> pfctl -t yahoo_table -T replace -f /var/run/pf.yahoo_table
>
> I am sure you will find a better solution :)
>
> Miroslav Lachman

Thanks for your answer, it is an interesting idea.

However, does this method of periodically updating the pf tables not disturb or burden the performance of the pf filter engine, especially if the script that updates the tables runs too often?

From: Miroslav Lachman <000.fbsd@quip.cz>
To: atar, freebsd-pf@freebsd.org
Date: Tue, 14 Jun 2016 18:16:44 +0200
Subject: Re: Filter connections based on the hostname.
Message-ID: <57602DEC.6080201@quip.cz>
atar wrote on 06/14/2016 16:05:
>> atar wrote on 06/14/2016 14:52:

[...]

>>> The hostname "google.com" isn't blocked since its current IP differs from its previous IP when pf loaded the rule. What can I do in order to be able to block such sites (with many IP addresses)?
>>
>> I would use tables and populate them periodically from a shell script which can do FQDN to many IPs resolution.
>>
>> It can be as simple as this:
>>
>> host yahoo.com | awk '$0 ~ /has address/ { print $4 }' > /var/run/pf.yahoo_table
>> pfctl -t yahoo_table -T replace -f /var/run/pf.yahoo_table
>>
>> I am sure you will find a better solution :)
>>
>> Miroslav Lachman
> Thanks for your answer, it is an interesting idea.
>
> However, does this method of periodically updating the pf tables not disturb or burden the performance of the pf filter engine, especially if the script that updates the tables runs too often?

How often is "too often"?
I think that updating the tables every 5 minutes is enough (no one uses a shorter TTL for DNS entries).
The nicest thing about PF tables is you don't need to reload PF, and tables can live in memory (no need for a persistent file on the filesystem), so all operations are really quick.
Our PF firewalls are using tables with thousands of entries without any issues.
I don't see any trouble even if you update tables each minute.

Miroslav Lachman
From: atar
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: freebsd-pf@freebsd.org
Date: Tue, 14 Jun 2016 21:29:33 +0300
Subject: Re: Filter connections based on the hostname.
Message-Id: <969F8F1C-E992-4F47-89F9-759FD8CE2B91@gmail.com>

> atar wrote on 06/14/2016 16:05:
>>> atar wrote on 06/14/2016 14:52:
>
> [...]
>
>>>> The hostname "google.com" isn't blocked since its current IP differs from its previous IP when pf loaded the rule. What can I do in order to be able to block such sites (with many IP addresses)?
>>>
>>> I would use tables and populate them periodically from a shell script which can do FQDN to many IPs resolution.
>>>
>>> It can be as simple as this:
>>>
>>> host yahoo.com | awk '$0 ~ /has address/ { print $4 }' > /var/run/pf.yahoo_table
>>> pfctl -t yahoo_table -T replace -f /var/run/pf.yahoo_table
>>>
>>> I am sure you will find a better solution :)
>>>
>>> Miroslav Lachman
>> Thanks for your answer, it is an interesting idea.
>>
>> However, does this method of periodically updating the pf tables not disturb or burden the performance of the pf filter engine, especially if the script that updates the tables runs too often?
>
>
> How often is "too often"?
> I think that updating the tables every 5 minutes is enough (no one uses a shorter TTL for DNS entries).
> The nicest thing about PF tables is you don't need to reload PF, and tables can live in memory (no need for a persistent file on the filesystem), so all operations are really quick.
> Our PF firewalls are using tables with thousands of entries without any issues.
> I don't see any trouble even if you update tables each minute.
>
> Miroslav Lachman

Thanks again for replying.

I don't know why, but even a refresh rate of one minute isn't enough for the domains google.com or gmail.com.

Even immediately after I load the table which has the rule to block the above-mentioned domains, I am still able to access those domains. Sometimes it is indeed blocked for half a minute, but finally the Chromium browser succeeds in loading them.

Do you have any idea?

Regards,
Atar.

From: Miroslav Lachman <000.fbsd@quip.cz>
To: atar
Cc: freebsd-pf@freebsd.org
Date: Tue, 14 Jun 2016 21:06:20 +0200
Subject: Re: Filter connections based on the hostname.
Message-ID: <576055AC.9020605@quip.cz>
atar wrote on 06/14/2016 20:29:
>> atar wrote on 06/14/2016 16:05:
>>>> atar wrote on 06/14/2016 14:52:
>>
>> [...]
>>
>>>>> The hostname "google.com" isn't blocked since its current IP differs from its previous IP when pf loaded the rule. What can I do in order to be able to block such sites (with many IP addresses)?
>>>>
>>>> I would use tables and populate them periodically from a shell script which can do FQDN to many IPs resolution.
>>>>
>>>> It can be as simple as this:
>>>>
>>>> host yahoo.com | awk '$0 ~ /has address/ { print $4 }' > /var/run/pf.yahoo_table
>>>> pfctl -t yahoo_table -T replace -f /var/run/pf.yahoo_table
>>>>
>>>> I am sure you will find a better solution :)
>>>>
>>>> Miroslav Lachman
>>> Thanks for your answer, it is an interesting idea.
>>>
>>> However, does this method of periodically updating the pf tables not disturb or burden the performance of the pf filter engine, especially if the script that updates the tables runs too often?
>>
>>
>> How often is "too often"?
>> I think that updating the tables every 5 minutes is enough (no one uses a shorter TTL for DNS entries).
>> The nicest thing about PF tables is you don't need to reload PF, and tables can live in memory (no need for a persistent file on the filesystem), so all operations are really quick.
>> Our PF firewalls are using tables with thousands of entries without any issues.
>> I don't see any trouble even if you update tables each minute.
>>
>> Miroslav Lachman
>
> Thanks again for replying.
>
> I don't know why, but even a refresh rate of one minute isn't enough for the domains google.com or gmail.com.
>
> Even immediately after I load the table which has the rule to block the above-mentioned domains, I am still able to access those domains. Sometimes it is indeed blocked for half a minute, but finally the Chromium browser succeeds in loading them.
>
> Do you have any idea?

I am not sure, but it can have something to do with keep-state.

If you have PF disabled, then start it, populate the table and then make the first connection attempt (there should be no states), are you still able to connect for half a minute?

You can check tables by: pfctl -vv -s Tables

and check states by: pfctl -vv -s state

Miroslav Lachman

From: Gary Palmer
To: atar
Cc: Miroslav Lachman <000.fbsd@quip.cz>, freebsd-pf@freebsd.org
Date: Tue, 14 Jun 2016 21:22:43 +0100
Subject: Re: Filter connections based on the hostname.
Message-ID: <20160614202243.GA81528@in-addr.com>

On Tue, Jun 14, 2016 at 09:29:33PM +0300, atar wrote:
> > atar wrote on 06/14/2016 16:05:
> >>> atar wrote on 06/14/2016 14:52:
> >
> > [...]
> >
> >>>> The hostname "google.com" isn't blocked since its current IP differs from its previous IP when pf loaded the rule. What can I do in order to be able to block such sites (with many IP addresses)?
> >>>
> >>> I would use tables and populate them periodically from a shell script which can do FQDN to many IPs resolution.
> >>>
> >>> It can be as simple as this:
> >>>
> >>> host yahoo.com | awk '$0 ~ /has address/ { print $4 }' > /var/run/pf.yahoo_table
> >>> pfctl -t yahoo_table -T replace -f /var/run/pf.yahoo_table
> >>>
> >>> I am sure you will find a better solution :)
> >>>
> >>> Miroslav Lachman
> >> Thanks for your answer, it is an interesting idea.
> >>
> >> However, does this method of periodically updating the pf tables not disturb or burden the performance of the pf filter engine, especially if the script that updates the tables runs too often?
> >
> >
> > How often is "too often"?
> > I think that updating the tables every 5 minutes is enough (no one uses a shorter TTL for DNS entries).
> > The nicest thing about PF tables is you don't need to reload PF, and tables can live in memory (no need for a persistent file on the filesystem), so all operations are really quick.
> > Our PF firewalls are using tables with thousands of entries without any issues.
> > I don't see any trouble even if you update tables each minute.
> >
> > Miroslav Lachman
>
> Thanks again for replying.
>
> I don't know why, but even a refresh rate of one minute isn't enough for the domains google.com or gmail.com.
>
> Even immediately after I load the table which has the rule to block the above-mentioned domains, I am still able to access those domains. Sometimes it is indeed blocked for half a minute, but finally the Chromium browser succeeds in loading them.

If you are looking at blocking HTTP traffic, the only way I am aware of to effectively block that without jumping through a lot of hoops is to use something like squid, which can block based on domain, no matter what the current IP address returned from DNS is.

You can use PF to transparently proxy traffic exiting your gateway to squid, so there is no need to worry about proxy settings in the browser(s).

www.google.com DNS TTLs are 5 minutes, so you shouldn't have to worry about the IP changing in less than a minute UNLESS your PF firewall and your browser use different DNS servers and could therefore get different answers.

Regards,
Gary
:from:mime-version:in-reply-to:message-id:date:cc:to; bh=KO5/5dEkAlS5T65niTzoDTFyfO6ebSIkMKWWDRMKeg4=; b=C/aIaPiQ6qPC5oswsWqcGJF4soamBcObDKUI+NXmJdeXB6PFDaes7x6zNYDElFa6GN I6RDcic5ptyI7xffjA1r5XI+31c1R4RCqho/M7j0MhyDIj7GfuDUqQQx4mL/8WJpLoP1 fQm+cpdvb1/n8EtX+5IA9drjaopDyLAQL9dwo8t+Og8kLqqhRAx5wZwNQ7uUs8VaJSRR k2VpjAfRVML4cRbF0gWwwX4KuaplCXRZTw9MZFMmJA78jd1MQC/rIvhZIibKudAYHCo8 l+P58Wau0mVTvGpnLTJ5/QY9pccCZraBwqDHy1F65wHh2/jrBBkRyWxcBcxrasSlYF4v ssKw== X-Gm-Message-State: ALyK8tIotP/OmosxJ9NzKwNjFzWGTpjCZyDx47flSoGCNOMj8o4ac1B1MBpz16iXx9xvlA== X-Received: by 10.194.109.199 with SMTP id hu7mr10004358wjb.6.1465978330668; Wed, 15 Jun 2016 01:12:10 -0700 (PDT) Received: from [192.168.20.5] ([212.29.194.245]) by smtp.gmail.com with ESMTPSA id s123sm1980437wmb.15.2016.06.15.01.12.09 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 15 Jun 2016 01:12:10 -0700 (PDT) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Subject: Re: Filter connections based on the hostname. References: <5858A82C-FB66-4D67-A676-47EABED976CE@gmail.com> <57600481.6080204@quip.cz> <08195C33-DC97-4ADD-9C0A-D9493E2C29F7@gmail.com> <57602DEC.6080201@quip.cz> <969F8F1C-E992-4F47-89F9-759FD8CE2B91@gmail.com> <576055AC.9020605@quip.cz> From: atar Mime-Version: 1.0 (1.0) In-Reply-To: <576055AC.9020605@quip.cz> Message-Id: Date: Wed, 15 Jun 2016 11:11:54 +0300 Cc: "freebsd-pf@freebsd.org" To: Miroslav Lachman <000.fbsd@quip.cz> X-Mailer: iPod Mail (10B500) X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Jun 2016 08:12:12 -0000 > atar wrote on 06/14/2016 20:29: >>> atar wrote on 06/14/2016 16:05: >>>>> atar wrote on 06/14/2016 14:52: >>>=20 >>> [...] 
>>>
>>>>>> The hostname "google.com" isn't blocked since its current ip differs from its previous ip when pf has loaded the rule, what can I do in order to be able to block such sites (with many ip addresses)?
>>>>>
>>>>> I would use tables and populate them periodically from shell script which can do FQDN to many IPs resolution.
>>>>>
>>>>> It can be simple as this
>>>>>
>>>>> host yahoo.com | awk '$0 ~ /has address/ { print $4 }' > /var/run/pf.yahoo_table
>>>>> pfctl -t yahoo_table -T replace -f /var/run/pf.yahoo_table
>>>>>
>>>>> I am sure you will find better solution :)
>>>>>
>>>>> Miroslav Lachman
>>>> Thanks for your answer, it is an interesting idea.
>>>>
>>>> However, does this method of updating the pf tables periodically not disturb or burden the performance of the pf filter engine, especially if the script that updates the tables runs too often?
>>>
>>>
>>> How often is "too often"?
>>> I think that updating the tables every 5 minutes is enough (no one uses shorter TTL for DNS entries)
>>> The nicest thing on PF tables is you don't need to reload PF and tables can live in memory (no need for a persistent file on the filesystem) so all operations are really quick.
>>> Our PF firewalls are using tables with thousands of entries without any issues.
>>> I don't see any trouble even if you will update tables each minute.
>>>
>>> Miroslav Lachman
>>
>> Thanks again for replying.
>>
>> I don't know why, but even a refresh rate of one minute isn't enough for the domains google.com or gmail.com.
>>
>> Even immediately after I load the table which has the rule to block the above mentioned domains I am still able to access those domains. Sometimes it is indeed blocked for half a minute but finally the chromium browser succeeds in loading them.
>>
>> Do you have any idea?
>
> I am not sure but it can have something to do with keep-state.
>
> If you have PF disabled, then start it, populate the table and then make a first connection attempt (there should be no states), are you still able to connect for half a minute?
>
> You can check tables by: pfctl -vv -s Tables
>
> and check states by: pfctl -vv -s state
>
> Miroslav Lachman

Hi there,

I've tried your advice but pf reports an error which says that keep state does not make sense on block rules.

From owner-freebsd-pf@freebsd.org Wed Jun 15 11:29:27 2016
From: atar
Date: Wed, 15 Jun 2016 14:28:56 +0300
Subject: Re: Filter connections based on the hostname.
To: Gary Palmer
Cc: "freebsd-pf@freebsd.org", Miroslav Lachman <000.fbsd@quip.cz>
Message-Id: <9B910AFC-8E2F-44CF-B7A0-C241FDDAB4A9@gmail.com>
In-Reply-To: <20160614202243.GA81528@in-addr.com>

> On Tue, Jun 14, 2016 at 09:29:33PM +0300, atar wrote:
>>> atar wrote on 06/14/2016 16:05:
>>>>> atar wrote on 06/14/2016 14:52:
>>>
>>> [...]
>>>
>>>>>> The hostname "google.com" isn't blocked since its current ip differs from its previous ip when pf has loaded the rule, what can I do in order to be able to block such sites (with many ip addresses)?
>>>>>
>>>>> I would use tables and populate them periodically from shell script which can do FQDN to many IPs resolution.
>>>>>
>>>>> It can be simple as this
>>>>>
>>>>> host yahoo.com | awk '$0 ~ /has address/ { print $4 }' > /var/run/pf.yahoo_table
>>>>> pfctl -t yahoo_table -T replace -f /var/run/pf.yahoo_table
>>>>>
>>>>> I am sure you will find better solution :)
>>>>>
>>>>> Miroslav Lachman
>>>> Thanks for your answer, it is an interesting idea.
>>>>
>>>> However, does this method of updating the pf tables periodically not disturb or burden the performance of the pf filter engine, especially if the script that updates the tables runs too often?
>>>
>>>
>>> How often is "too often"?
>>> I think that updating the tables every 5 minutes is enough (no one uses shorter TTL for DNS entries)
>>> The nicest thing on PF tables is you don't need to reload PF and tables can live in memory (no need for a persistent file on the filesystem) so all operations are really quick.
>>> Our PF firewalls are using tables with thousands of entries without any issues.
>>> I don't see any trouble even if you will update tables each minute.
>>>
>>> Miroslav Lachman
>>
>> Thanks again for replying.
>>
>> I don't know why, but even a refresh rate of one minute isn't enough for the domains google.com or gmail.com.
>>
>> Even immediately after I load the table which has the rule to block the above mentioned domains I am still able to access those domains. Sometimes it is indeed blocked for half a minute but finally the chromium browser succeeds in loading them.
>
> If you are looking at blocking HTTP traffic the only way I am aware of to
> effectively block that without jumping through a lot of hoops is to
> use something like squid which can block based on domain, no matter what
> the current IP address returned from DNS is. You can use PF to
> transparently proxy traffic exiting your gateway to squid so there
> is no need to worry about proxy settings in the browser(s)
>
>
> www.google.com DNS TTLs are 5 minutes so you shouldn't have to worry
> about the IP changing in less than a minute UNLESS your PF firewall
> and your browser use different DNS servers and could therefore get
> different answers
>
> Regards,
>
> Gary

Hi Gary and thanks for replying.

After some searching I've found that page: https://doc.pfsense.org/index.php/Blocking_websites which says similar things as you said, especially on hostnames that have a wide range of IPs.

Thank you men for your kind support!

Atar.

From owner-freebsd-pf@freebsd.org Wed Jun 15 11:58:51 2016
From: Kimmo Paasiala
Date: Wed, 15 Jun 2016 14:58:50 +0300
Subject: Re: Filter connections based on the hostname.
To: atar
Cc: Miroslav Lachman <000.fbsd@quip.cz>, "freebsd-pf@freebsd.org"

On Wed, Jun 15, 2016 at 11:11 AM, atar wrote:
>> atar wrote on 06/14/2016 20:29:
>>>> atar wrote on 06/14/2016 16:05:
>>>>>> atar wrote on 06/14/2016 14:52:
>>>>
>>>> [...]
>>>>
>>>>>>> The hostname "google.com" isn't blocked since its current ip differs from its previous ip when pf has loaded the rule, what can I do in order to be able to block such sites (with many ip addresses)?
>>>>>>
>>>>>> I would use tables and populate them periodically from shell script which can do FQDN to many IPs resolution.
>>>>>>
>>>>>> It can be simple as this
>>>>>>
>>>>>> host yahoo.com | awk '$0 ~ /has address/ { print $4 }' > /var/run/pf.yahoo_table
>>>>>> pfctl -t yahoo_table -T replace -f /var/run/pf.yahoo_table
>>>>>>
>>>>>> I am sure you will find better solution :)
>>>>>>
>>>>>> Miroslav Lachman
>>>>> Thanks for your answer, it is an interesting idea.
>>>>>
>>>>> However, does this method of updating the pf tables periodically not disturb or burden the performance of the pf filter engine, especially if the script that updates the tables runs too often?
>>>>
>>>>
>>>> How often is "too often"?
>>>> I think that updating the tables every 5 minutes is enough (no one uses shorter TTL for DNS entries)
>>>> The nicest thing on PF tables is you don't need to reload PF and tables can live in memory (no need for a persistent file on the filesystem) so all operations are really quick.
>>>> Our PF firewalls are using tables with thousands of entries without any issues.
>>>> I don't see any trouble even if you will update tables each minute.
>>>>
>>>> Miroslav Lachman
>>>
>>> Thanks again for replying.
>>>
>>> I don't know why, but even a refresh rate of one minute isn't enough for the domains google.com or gmail.com.
>>>
>>> Even immediately after I load the table which has the rule to block the above mentioned domains I am still able to access those domains. Sometimes it is indeed blocked for half a minute but finally the chromium browser succeeds in loading them.
>>>
>>> Do you have any idea?
>>
>> I am not sure but it can have something to do with keep-state.
>>
>> If you have PF disabled, then start it, populate the table and then make a first connection attempt (there should be no states), are you still able to connect for half a minute?
>>
>> You can check tables by: pfctl -vv -s Tables
>>
>> and check states by: pfctl -vv -s state
>>
>> Miroslav Lachman
>
> Hi there,
>
> I've tried your advice but pf reports an error which says that keep state does not make sense on block rules.

Keep state makes no sense on block rules, as the error says: the block rules reject the packet without creating a state. States are created only by pass rules.
-Kimmo

From owner-freebsd-pf@freebsd.org Wed Jun 15 13:08:43 2016
Message-ID: <57615354.80201@quip.cz>
Date: Wed, 15 Jun 2016 15:08:36 +0200
From: Miroslav Lachman <000.fbsd@quip.cz>
To: Kimmo Paasiala, atar
CC: "freebsd-pf@freebsd.org"
Subject: Re: Filter connections based on the hostname.
Kimmo Paasiala wrote on 06/15/2016 13:58:
> On Wed, Jun 15, 2016 at 11:11 AM, atar wrote:
>>> atar wrote on 06/14/2016 20:29:
>>>>> atar wrote on 06/14/2016 16:05:
>>>>>>> atar wrote on 06/14/2016 14:52:
>>>>>
>>>>> [...]
>>>>>
>>>>>>>> The hostname "google.com" isn't blocked since its current ip differs from its previous ip when pf has loaded the rule, what can I do in order to be able to block such sites (with many ip addresses)?
>>>>>>>
>>>>>>> I would use tables and populate them periodically from shell script which can do FQDN to many IPs resolution.
>>>>>>>
>>>>>>> It can be simple as this
>>>>>>>
>>>>>>> host yahoo.com | awk '$0 ~ /has address/ { print $4 }' > /var/run/pf.yahoo_table
>>>>>>> pfctl -t yahoo_table -T replace -f /var/run/pf.yahoo_table
>>>>>>>
>>>>>>> I am sure you will find better solution :)
>>>>>>>
>>>>>>> Miroslav Lachman
>>>>>> Thanks for your answer, it is an interesting idea.
>>>>>>
>>>>>> However, does this method of updating the pf tables periodically not disturb or burden the performance of the pf filter engine, especially if the script that updates the tables runs too often?
>>>>>
>>>>>
>>>>> How often is "too often"?
>>>>> I think that updating the tables every 5 minutes is enough (no one uses shorter TTL for DNS entries)
>>>>> The nicest thing on PF tables is you don't need to reload PF and tables can live in memory (no need for a persistent file on the filesystem) so all operations are really quick.
>>>>> Our PF firewalls are using tables with thousands of entries without any issues.
>>>>> I don't see any trouble even if you will update tables each minute.
>>>>>
>>>>> Miroslav Lachman
>>>>
>>>> Thanks again for replying.
>>>>
>>>> I don't know why, but even a refresh rate of one minute isn't enough for the domains google.com or gmail.com.
>>>>
>>>> Even immediately after I load the table which has the rule to block the above mentioned domains I am still able to access those domains. Sometimes it is indeed blocked for half a minute but finally the chromium browser succeeds in loading them.
>>>>
>>>> Do you have any idea?
>>>
>>> I am not sure but it can have something to do with keep-state.
>>>
>>> If you have PF disabled, then start it, populate the table and then make a first connection attempt (there should be no states), are you still able to connect for half a minute?
>>>
>>> You can check tables by: pfctl -vv -s Tables
>>>
>>> and check states by: pfctl -vv -s state
>>>
>>> Miroslav Lachman
>>
>> Hi there,
>>
>> I've tried your advice but pf reports an error which says that keep state does not make sense on block rules.
>
> Keep state makes no sense on block rules, as the error says: the block
> rules reject the packet without creating a state. States are created
> only by pass rules.

In my previous post I talked about states created by other pass rules which can match the packet too. They can take precedence over blocking rules. Maybe you can try block quick.

But as already mentioned, if you need to block just HTTP traffic then squid will be a better solution.
Miroslav Lachman

From owner-freebsd-pf@freebsd.org Wed Jun 15 22:36:22 2016
From: J Green
Date: Wed, 15 Jun 2016 15:36:20 -0700
Subject: Re: Can pf simultaneously redirect to multiple, internal hosts
To: Melissa Jenkins
Cc: freebsd-pf@freebsd.org

The dup-to option seems to work. On the client systems, I do see the packets via tcpdump. In this case, the packets are syslog. However, this syslog traffic does not seem to make it to the syslog server on this host. Am I missing something?

Thank you.

On Mon, May 16, 2016 at 4:53 AM, Melissa Jenkins <melissa-freebsd@littlebluecar.co.uk> wrote:
>
> > Sorry for not being more concise. Yes, I am looking at scenario number
> > 1. Reading up on ng_tee, looks interesting. Thank you for the
> > recommendation.
> >
> > On Thu, May 12, 2016 at 7:47 PM, Peter Jeremy wrote:
> >
> >> On 2016-May-12 11:09:57 -0700, J Green wrote:
> >>> Can pf simultaneously redirect to multiple, internal hosts?
> >>>
> >>> Source -> UDP traffic -> pf (redirection) -> Host1
> >>>                                            -> Host2
> >>>                                            -> Host3
> >>
>
> from man pf.conf:
>
>     dup-to
>         The dup-to option creates a duplicate of the packet and routes it
>         like route-to. The original packet gets routed as it normally
>         would.
>
> Not sure if that would do it but sounds promising.
> (Ie, I've not tried it but have used route-to)
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@freebsd.org Thu Jun 16 07:16:41 2016
From: atar
Date: Thu, 16 Jun 2016 10:15:40 +0300
Subject: Re: Filter connections based on the hostname.
To: Gary Palmer
Cc: Miroslav Lachman <000.fbsd@quip.cz>, "freebsd-pf@freebsd.org"
Message-Id: <545E509D-7851-4D1E-9547-2B20D36DD04E@gmail.com>
In-Reply-To: <20160614202243.GA81528@in-addr.com>

> On Tue, Jun 14, 2016 at 09:29:33PM +0300, atar wrote:
>>> atar wrote on 06/14/2016 16:05:
>>>>> atar wrote on 06/14/2016 14:52:
>>>
>>> [...]
>>>
>>>>>> The hostname "google.com" isn't blocked since its current ip differs from its previous ip when pf has loaded the rule, what can I do in order to be able to block such sites (with many ip addresses)?
>>>>>
>>>>> I would use tables and populate them periodically from shell script which can do FQDN to many IPs resolution.
>>>>>
>>>>> It can be simple as this
>>>>>
>>>>> host yahoo.com | awk '$0 ~ /has address/ { print $4 }' > /var/run/pf.yahoo_table
>>>>> pfctl -t yahoo_table -T replace -f /var/run/pf.yahoo_table
>>>>>
>>>>> I am sure you will find better solution :)
>>>>>
>>>>> Miroslav Lachman
>>>> Thanks for your answer, it is an interesting idea.
>>>>
>>>> However, does this method of updating the pf tables periodically not disturb or burden the performance of the pf filter engine, especially if the script that updates the tables runs too often?
>>>
>>>
>>> How often is "too often"?
>>> I think that updating the tables every 5 minutes is enough (no one uses shorter TTL for DNS entries)
>>> The nicest thing on PF tables is you don't need to reload PF and tables can live in memory (no need for a persistent file on the filesystem) so all operations are really quick.
>>> Our PF firewalls are using tables with thousands of entries without any issues.
>>> I don't see any trouble even if you will update tables each minute.
>>>
>>> Miroslav Lachman
>>
>> Thanks again for replying.
>>
>> I don't know why, but even a refresh rate of one minute isn't enough for the domains google.com or gmail.com.
>>
>> Even immediately after I load the table which has the rule to block the above mentioned domains I am still able to access those domains. Sometimes it is indeed blocked for half a minute but finally the chromium browser succeeds in loading them.
>
> If you are looking at blocking HTTP traffic the only way I am aware of to
> effectively block that without jumping through a lot of hoops is to
> use something like squid which can block based on domain, no matter what
> the current IP address returned from DNS is. You can use PF to
> transparently proxy traffic exiting your gateway to squid so there
> is no need to worry about proxy settings in the browser(s)
>
>
> www.google.com DNS TTLs are 5 minutes so you shouldn't have to worry
> about the IP changing in less than a minute UNLESS your PF firewall
> and your browser use different DNS servers and could therefore get
> different answers
>
> Regards,
>
> Gary

Can you give me any hint how to cause PF to redirect all the traffic through the squid proxy? I'm pretty new to them both (PF and squid).

Regards,

Atar.

From owner-freebsd-pf@freebsd.org Thu Jun 16 08:03:41 2016
Message-ID: <57625D52.1030607@quip.cz>
Date: Thu, 16 Jun 2016 10:03:30 +0200
From: Miroslav Lachman <000.fbsd@quip.cz>
To: atar, Gary Palmer
CC: "freebsd-pf@freebsd.org"
Subject: Re: Filter connections based on the hostname.
In-Reply-To: <545E509D-7851-4D1E-9547-2B20D36DD04E@gmail.com>

atar wrote on 06/16/2016 09:15:
[...]
>> www.google.com DNS TTLs are 5 minutes so you shouldn't have to worry
>> about the IP changing in less than a minute UNLESS your PF firewall
>> and your browser use different DNS servers and could therefore get
>> different answers
>>
>> Regards,
>>
>> Gary
>
> Can you give me any hint how to cause PF to redirect all the traffic through the squid proxy? I'm pretty new to them both (PF and squid).
You can find basic config here http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf Squid can be installed from ports / packages http://www.freshports.org/www/squid/ Miroslav Lachman From owner-freebsd-pf@freebsd.org Thu Jun 16 08:08:46 2016 Return-Path: Delivered-To: freebsd-pf@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D9B48A47B59 for ; Thu, 16 Jun 2016 08:08:46 +0000 (UTC) (envelope-from maximos@als.nnov.ru) Received: from mx.als.nnov.ru (mx.als.nnov.ru [95.79.102.161]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 8ABF61245 for ; Thu, 16 Jun 2016 08:08:46 +0000 (UTC) (envelope-from maximos@als.nnov.ru) Received: from [10.4.1.100] by mx.als.nnov.ru with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.86_2 (FreeBSD)) (envelope-from ) id 1bDRyw-000FiW-RA for freebsd-pf@freebsd.org; Thu, 16 Jun 2016 10:44:54 +0300 Subject: Re: Filter connections based on the hostname. 
From: Max
Date: Thu, 16 Jun 2016 10:44:54 +0300
To: freebsd-pf@freebsd.org

Give a try to google :)

site:squid-cache.org pf firewall

16.06.2016 10:15, atar wrote:
>> On Tue, Jun 14, 2016 at 09:29:33PM +0300, atar wrote:
>>>> atar wrote on 06/14/2016 16:05:
>>>>>> atar wrote on 06/14/2016 14:52:
>>>> [...]
>>>>
>>>>>>> The hostname "google.com" isn't blocked since its current ip differs from its previous ip when pf has loaded the rule, what can I do in order to be able to block such sites (with many ip addresses)?
>>>>>> I would use tables and populate them periodically from a shell script which can do FQDN to many IPs resolution.
>>>>>>
>>>>>> It can be as simple as this
>>>>>>
>>>>>> host yahoo.com | awk '$0 ~ /has address/ { print $4 }' > /var/run/pf.yahoo_table
>>>>>> pfctl -t yahoo_table -T replace -f /var/run/pf.yahoo_table
>>>>>>
>>>>>> I am sure you will find a better solution :)
>>>>>>
>>>>>> Miroslav Lachman
>>>>> Thanks for your answer, it is an interesting idea.
>>>>>
>>>>> However, does this method of periodically updating the pf tables not disturb or burden the performance of the pf filter engine, especially if the script that updates the tables runs too often?
>>>>
>>>> How often is "too often"?
>>>> I think that updating the tables every 5 minutes is enough (no one uses shorter TTL for DNS entries)
>>>> The nicest thing about PF tables is you don't need to reload PF and tables can live in memory (no need for a persistent file on the filesystem) so all operations are really quick.
>>>> Our PF firewalls are using tables with thousands of entries without any issues.
>>>> I don't see any trouble even if you update tables each minute.
>>>>
>>>> Miroslav Lachman
>>> Thanks again for replying.
>>>
>>> I don't know why, but even a refresh rate of one minute isn't enough for the domains google.com or gmail.com.
>>>
>>> Even immediately after I load the table which has the rule to block the above mentioned domains I am still able to access those domains. Sometimes it is indeed blocked for half a minute but finally the chromium browser succeeds in loading them.
>> If you are looking at blocking HTTP traffic the only way I am aware to
>> effectively block that without jumping through a lot of hoops is to
>> use something like squid which can block based on domain, no matter what
>> the current IP address returned from DNS is. You can use PF to
>> transparently proxy traffic exiting your gateway to squid so there
>> is no need to worry about proxy settings in the browser(s)
>>
>>
>> www.google.com DNS TTLs are 5 minutes so you shouldn't have to worry
>> about the IP changing in less than a minute UNLESS your PF firewall
>> and your browser use different DNS servers and could therefore get
>> different answers
>>
>> Regards,
>>
>> Gary
> Can you give me any hint how to cause PF to redirect all the traffic through the squid proxy? I'm pretty new to them both (PF and squid).
>
> Regards,
>
> Atar.
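The table-refresh one-liner quoted in the message above (resolve a name with host(1), feed the addresses to pfctl -T replace) is the approach the rest of this thread builds on. What follows is an added example written for this page, not code from the thread, from Miroslav, or from the pf or squid projects; the table name blocked_sites, the pf.conf rules in the header comment, the domain list and the file path under /var/run are all assumptions. It carries the one-liner through as a complete refresh script with two checks the one-liner lacks: it captures AAAA records as well as A records (the /has address/ pattern only matches A records, because host(1) prints IPv6 answers as "has IPv6 address", so a dual-stack client can keep reaching the site over IPv6 while the table holds only its IPv4 addresses), and it refuses to replace the table when nothing resolved, so a DNS failure or a typo in the domain list does not silently empty the blocklist.

```shell
#!/bin/sh
# Added example (editor's, not code from the thread): refresh a pf table with
# the current A and AAAA records of a list of domains.
#
# Assumed pf.conf (table name and rules are assumptions, not from the thread):
#   table <blocked_sites> persist
#   block return out quick inet  proto tcp to <blocked_sites>
#   block return out quick inet6 proto tcp to <blocked_sites>
#
# Run it from cron at the interval discussed in the thread, e.g. every 5 minutes.

DOMAINS="google.com gmail.com"          # constructed list of names to block
TABLE="blocked_sites"                   # assumed table name from pf.conf
TABLE_FILE="/var/run/pf.${TABLE}"       # assumed path for the address list

# resolve_host: print host(1) output for one name. Wrapped in a function so an
# offline run can substitute constructed output for the real lookup.
resolve_host() {
    host "$1"
}

# extract_addrs: pull the address field out of host(1) output, one per line.
# The thread's one-liner matches only "has address" (A records); host(1)
# prints AAAA records as "has IPv6 address", which that pattern skips, so both
# record types are captured here. MX lines ("mail is handled by") and
# "not found" errors match neither pattern and are dropped.
extract_addrs() {
    awk '/ has address /      { print $4 }
         / has IPv6 address / { print $5 }'
}

# filter_literals: keep only tokens that look like an IPv4 or IPv6 literal, so
# nothing unexpected from the resolver ends up in the file handed to pfctl.
filter_literals() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9A-Fa-f:]+$'
}

# build_table: resolve every domain and write the deduplicated address list to
# the file named by $2. If nothing resolves (DNS outage, typo in the list) it
# returns 1 and leaves the existing file untouched: replacing the table with an
# empty list would silently unblock everything, the wrong failure mode for a
# blocklist.
build_table() {
    domains="$1"
    out="$2"
    tmp="${out}.tmp.$$"
    : > "$tmp"
    for name in $domains; do
        # grep exits 1 when a name yields no literal; that is not an error here
        resolve_host "$name" | extract_addrs | filter_literals >> "$tmp" || true
    done
    sort -u "$tmp" > "$tmp.sorted"
    rm -f "$tmp"
    if [ ! -s "$tmp.sorted" ]; then
        rm -f "$tmp.sorted"
        echo "build_table: no addresses resolved, keeping previous table" >&2
        return 1
    fi
    mv "$tmp.sorted" "$out"
}

# load_table: replace the in-kernel table contents with the file, exactly as
# the thread's one-liner does. This is the only step that needs root and a
# running pf.
load_table() {
    pfctl -t "$1" -T replace -f "$2"
}

refresh_table() {
    build_table "$DOMAINS" "$TABLE_FILE" && load_table "$TABLE" "$TABLE_FILE"
}

# Only touch the system when invoked explicitly, so the functions above can be
# sourced and exercised without pf or network access.
if [ "${1:-}" = "--refresh" ]; then
    refresh_table
fi
```

Invoke it with the --refresh argument from cron (the installed path is whatever you choose; for instance a crontab entry of the form */5 * * * * /path/to/refresh-blocklist.sh --refresh, with the path as an assumption). As Gary notes above, the firewall and the clients must resolve through the same DNS servers for the table to match what the browser actually connects to; nothing in a refresh script can compensate for a client that uses a different resolver, and pointing the clients at the firewall's resolver is the simplest way to close that gap.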
From owner-freebsd-pf@freebsd.org Thu Jun 16 08:45:56 2016
From: atar
Date: Thu, 16 Jun 2016 11:45:48 +0300
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: Gary Palmer, freebsd-pf@freebsd.org
Subject: Re: Filter connections based on the hostname.

> atar wrote on 06/16/2016 09:15:
>
> [...]
>
>>> www.google.com DNS TTLs are 5 minutes so you shouldn't have to worry
>>> about the IP changing in less than a minute UNLESS your PF firewall
>>> and your browser use different DNS servers and could therefore get
>>> different answers
>>>
>>> Regards,
>>>
>>> Gary
>>
>> Can you give me any hint how to cause PF to redirect all the traffic through the squid proxy? I'm pretty new to them both (PF and squid).
>
> You can find basic config here
> http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf
>
> Squid can be installed from ports / packages
> http://www.freshports.org/www/squid/
>
> Miroslav Lachman

Thank you very much! I hope I'll find it helpful.

From owner-freebsd-pf@freebsd.org Thu Jun 16 11:39:05 2016
Subject: Re: Filter connections based on the hostname.
From: atar
Date: Thu, 16 Jun 2016 14:38:41 +0300
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: Gary Palmer, freebsd-pf@freebsd.org

> atar wrote on 06/16/2016 09:15:
>
> [...]
>
>>> www.google.com DNS TTLs are 5 minutes so you shouldn't have to worry
>>> about the IP changing in less than a minute UNLESS your PF firewall
>>> and your browser use different DNS servers and could therefore get
>>> different answers
>>>
>>> Regards,
>>>
>>> Gary
>>
>> Can you give me any hint how to cause PF to redirect all the traffic through the squid proxy? I'm pretty new to them both (PF and squid).
>
> You can find basic config here
> http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf
>
> Squid can be installed from ports / packages
> http://www.freshports.org/www/squid/
>
> Miroslav Lachman

Hi and thanks for your willingness to help.

Unfortunately, I didn't succeed in redirecting the network traffic through the squid server.

I've put the following line in my pf.conf:

rdr pass inet proto tcp from any to any -> 127.0.0.1 port 3128

since the squid server is listening on port 3128, but the traffic isn't going through it.

I've also verified that no traffic is redirected to port 3128 by running the command: nc -l 3128.

I've no idea what is wrong here.

From owner-freebsd-pf@freebsd.org Thu Jun 16 12:15:54 2016
From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Thu, 16 Jun 2016 14:15:49 +0200
To: atar
CC: Gary Palmer, freebsd-pf@freebsd.org
Subject: Re: Filter connections based on the hostname.
atar wrote on 06/16/2016 13:38:
>> atar wrote on 06/16/2016 09:15:
>>> Can you give me any hint how to cause PF to redirect all the traffic through the squid proxy? I'm pretty new to them both (PF and squid).
>>
>> You can find basic config here
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf
>>
>> Squid can be installed from ports / packages
>> http://www.freshports.org/www/squid/
>>
>> Miroslav Lachman
>
> Hi and thanks for your willingness to help.
>
> Unfortunately, I didn't succeed in redirecting the network traffic through the squid server.
>
> I've put the following line in my pf.conf:
>
> rdr pass inet proto tcp from any to any -> 127.0.0.1 port 3128
>
> since the squid server is listening on port 3128, but the traffic isn't going through it.
>
> I've also verified that no traffic is redirected to port 3128 by running the command: nc -l 3128.
>
> I've no idea what is wrong here.

Are you trying to block traffic originating on the machine with PF and Squid, or is this machine a firewall for a LAN?

I think you need to add port www (or port {80, 443}) to your rdr rule and also specify on which interface you want to do this translation. If you need to filter traffic from your LAN to the outside world you need to specify the LAN interface.

Something like this

rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128

pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state

More resources can be found here

http://serverfault.com/questions/490926/freebsd-pf-squid-transparent
http://www.benzedrine.ch/transquid.html
https://forums.freebsd.org/threads/10874/

Miroslav Lachman

From owner-freebsd-pf@freebsd.org Thu Jun 16 13:17:08 2016
Subject: Re: Filter connections based on the hostname.
From: atar
Date: Thu, 16 Jun 2016 16:00:33 +0300
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: Gary Palmer, freebsd-pf@freebsd.org

> atar wrote on 06/16/2016 13:38:
>>> atar wrote on 06/16/2016 09:15:
>
>>>> Can you give me any hint how to cause PF to redirect all the traffic through the squid proxy? I'm pretty new to them both (PF and squid).
>>>
>>> You can find basic config here
>>> http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf
>>>
>>> Squid can be installed from ports / packages
>>> http://www.freshports.org/www/squid/
>>>
>>> Miroslav Lachman
>>
>> Hi and thanks for your willingness to help.
>>
>> Unfortunately, I didn't succeed in redirecting the network traffic through the squid server.
>>
>> I've put the following line in my pf.conf:
>>
>> rdr pass inet proto tcp from any to any -> 127.0.0.1 port 3128
>>
>> since the squid server is listening on port 3128, but the traffic isn't going through it.
>>
>> I've also verified that no traffic is redirected to port 3128 by running the command: nc -l 3128.
>>
>> I've no idea what is wrong here.
>
> Are you trying to block traffic originating on the machine with PF and Squid, or is this machine a firewall for a LAN?
>
> I think you need to add port www (or port {80, 443}) to your rdr rule and also specify on which interface you want to do this translation. If you need to filter traffic from your LAN to the outside world you need to specify the LAN interface.
>
> Something like this
>
> rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
>
> pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
> pass out on $ext_if inet proto tcp from any to any port www keep state
>
>
> More resources can be found here
>
> http://serverfault.com/questions/490926/freebsd-pf-squid-transparent
> http://www.benzedrine.ch/transquid.html
> https://forums.freebsd.org/threads/10874/
>
> Miroslav Lachman

I'm trying to block traffic originating on the machine with PF and Squid. The FreeBSD machine resides inside a VirtualBox machine if it matters. Unfortunately, your suggestion didn't cause it to work...

From owner-freebsd-pf@freebsd.org Thu Jun 16 15:08:17 2016
Date: Thu, 16 Jun 2016 17:08:10 +0200
From: Niklaas Baudet von Gersdorff
To: freebsd-pf@freebsd.org
Subject: Re: Filter connections based on the hostname.
atar [2016-06-16 16:00 +0300] :
> I'm trying to block traffic originating on the machine with PF and Squid. The FreeBSD machine resides inside a VirtualBox machine if it matters. Unfortunately, your suggestion didn't cause it to work...

So you want to route (and filter) traffic from the virtual machine host through the virtual machine to the internet?

Niklaas