[Dnsmasq-discuss] Add IPs to BSD pf table from dnsmasq?

Andrew White andywhite at gmail.com
Fri Dec 22 21:17:08 GMT 2017


I've used it for a while on FreeBSD without issue, configured as per the
dnsmasq man page syntax.

I would add to the docs the risk that this feature can lead to a growing table
of IPs that never gets pruned or expired, which could lead to allowing more
IP addresses within a table over time than might be anticipated. I.e. you
could end up in a situation where the hostname of the endpoint moves IP, but your firewall
still allows traffic from the old IP; under some circumstances this is a
significant risk. I use the max-ttl feature of dnsmasq with the pf table
expires feature to prune the table every 15 mins. YMMV, as the client using
this feature would need to support re-resolving IPs.

A

On Tue, Dec 19, 2017 at 1:38 AM, Chen Wei <weichen302 at zoho.com> wrote:

> On Mon, Dec 18, 2017 at 07:21:37PM +0000, Simon Kelley wrote:
> > On 17/12/17 08:02, Chen Wei wrote:
> > > is very fast. Is it possible to add the results of DNS lookup to pf
> > > table from dnsmasq?
> > >
> > Yes, it is. pf tables are supported on BSD using the same --ipset
> > dnsmasq configuration option. Looking, there's no explicit
>
> This is great. Thanks!
>
>
> > documentation about this, which is bad. It should at least be mentioned
> > in the man page, and any BSD-specific information required added. Not
> > knowing BSD, I'm not sure exactly what that might be.
> > cheers,
> > Simon.
> >
>
> --
> Chen Wei
>
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>
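The setup described in the reply above, written out as an added example; it is not configuration from the thread or from the dnsmasq project. It assumes a dnsmasq built with pf table support, as the thread says is the case on BSD. The table name, the domains, the file paths and the 900-second values are assumptions chosen for illustration.

```conf
# --- /usr/local/etc/dnsmasq.conf (path assumed; FreeBSD port default) ---
# Every A/AAAA answer for the listed names is also inserted into the pf
# table <allowed_upstreams>.  Names and table name are constructed here.
ipset=/updates.example.net/mirror.example.org/allowed_upstreams

# Cap the TTL handed to clients so they re-resolve at least every 15 minutes.
# Without a cap, a long upstream TTL lets a client keep using an address that
# the hostname no longer owns, while the table below still allows it.
max-ttl=900

# --- /etc/pf.conf ---
# 'persist' keeps the table alive while it is empty; entries are added at
# run time by dnsmasq rather than loaded from a file.
table <allowed_upstreams> persist
pass out quick proto { tcp udp } from any to <allowed_upstreams>

# --- /etc/crontab ---
# Every 15 minutes, delete entries that have been in the table (or have had
# their statistics cleared) for more than 900 s, so a stale address is not
# allowed indefinitely.
*/15 * * * * root /sbin/pfctl -t allowed_upstreams -T expire 900
```

The two 900-second values are chosen together: the expire age should not be shorter than max-ttl, otherwise a client's cached answer outlives the table entry and its traffic is blocked until it looks the name up again. A client that does not honour the shortened TTL and keeps a cached address past that point hits the same block, which is the "must support re-resolving" caveat in the reply above.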