Quote:
Originally Posted by pawaan
...
it seems hard with a pass-everything policy as there is much to block ...
You wish to block "a few domains". Your problem, though, is that PF rules use IP addresses, not domains. Why is this a problem? Because a large domain can represent hundreds or thousands of individual IP addresses, and that pool of addresses is subject to constant change.
- As I wrote above, PF only conducts domain name to IP address resolution a) as an administrative convenience and b) at PF start time.
- PF can only resolve fully qualified domain names. For example, you may want to block all possible subdomains within facebook.com or fb.com. PF cannot resolve a wildcard representation such as *.facebook.com, so it cannot block by top level domain or by domain group.
Quote:
...should I rather do a block-everything then set pass rules ?...
A block all with passing exceptions does not seem to meet your needs, based on how you described them in this thread. I'll repeat what I stated earlier in this thread. Based upon your stated requirements, I believe you are trying to use the wrong tool.
PF is a wonderful hammer, but not every problem is a nail.
For your needs, I would look into using the squid package; it's a very popular tool used by many OpenBSD users to solve the problem you have presented here.
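An added example, not part of pawaan's thread or any poster's configuration, that puts the two points above side by side: a pf.conf fragment in which the hostnames are resolved to addresses only when pfctl loads the ruleset, and a squid.conf fragment in which a dstdomain ACL matches a domain together with all of its subdomains. The interface group name `egress` and the domain names are assumed for illustration.

```conf
# --- /etc/pf.conf (fragment) ---
# A hostname in a rule or table is looked up once, when pfctl loads the
# ruleset (pfctl -f /etc/pf.conf). If the site's addresses change later,
# the loaded rules keep the old addresses until the ruleset is reloaded.
table <blocked_hosts> { www.facebook.com, www.fb.com }

# Block outbound web traffic to whatever those names resolved to at load time.
block out quick on egress proto tcp to <blocked_hosts> port { 80 443 }
pass out on egress

# A wildcard such as *.facebook.com is not a resolvable hostname, so a rule
# like the following makes "pfctl -nf /etc/pf.conf" (parse only, do not load)
# fail with a resolution error instead of matching subdomains:
# block out quick on egress to *.facebook.com

# --- /etc/squid/squid.conf (fragment) ---
# Squid sees the hostname the client asked for, so it can match by domain.
# A leading dot matches the domain itself and every subdomain under it.
acl blocked_domains dstdomain .facebook.com .fb.com
http_access deny blocked_domains
# ... followed by the existing http_access allow rules for your clients
```

Check the PF side with `pfctl -nf /etc/pf.conf` before loading it, and the squid side with `squid -k parse`. Because squid matches on the requested hostname (including the host given in an HTTPS CONNECT request), the deny rule keeps working when the site's addresses change, which is exactly what the address-based PF rule cannot do.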