Old 27th October 2013
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977

Quote:
Originally Posted by pawaan
...
it seems hard with a pass-everything policy as there is much to block ...
You wish to block "a few domains". Your problem, though, is that PF rules use IP addresses, not domains. Why is this a problem? Because a large domain can represent hundreds or thousands of individual IP addresses, and that pool of addresses is subject to constant change.
  1. As I wrote above, PF only conducts domain name to IP address resolution a) as an administrative convenience and b) at PF start time.
  2. PF can only resolve fully qualified domain names. For example, you may want to block all possible subdomains within facebook.com or fb.com. PF cannot resolve a wildcard representation such as *.facebook.com, so it cannot block by top level domain or by domain group.
Quote:
...should I rather do a block-everything then set pass rules ?...
A block all with passing exceptions does not seem to meet your needs, based on how you described them in this thread. I'll repeat what I stated earlier in this thread. Based upon your stated requirements, I believe you are trying to use the wrong tool. PF is a wonderful hammer, but not every problem is a nail.

For your needs, I would look into using the squid package; it's a very popular tool used by many OpenBSD users to solve the problem you have presented here.
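To illustrate the two limits jggimi describes (PF resolves only fully qualified names, and only when the ruleset or table is loaded), here is an added example that is not from the thread or from OpenBSD: a small Python helper that turns a list of FQDNs into an address file suitable for `pfctl -t blocked -T replace -f`, skipping wildcard entries it cannot express and names that no longer resolve. The table name `blocked`, the file path and the sample hostnames are assumptions; the resolver is injectable so the function can be exercised offline.

```python
"""Build a PF table file from fully qualified domain names.

PF resolves hostnames only when pf.conf or a table file is loaded, and
it has no syntax for "*.example.com", so a hostname-based block list
kept in a table must be re-resolved and swapped in regularly, e.g. from
cron:  pfctl -t blocked -T replace -f /etc/pf.blocked
(table name and path are assumptions for this example).
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Set, Tuple

# A resolver maps one FQDN to a set of address strings.  resolve_system
# uses real DNS; a fake resolver can be injected to run offline.
Resolver = Callable[[str], Set[str]]


def resolve_system(name: str) -> Set[str]:
    """Resolve one FQDN with the system resolver (IPv4 and IPv6)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def build_table(names: Iterable[str], resolve: Resolver) -> Tuple[List[str], List[str]]:
    """Return (sorted unique addresses, entries that were skipped).

    Wildcards and unresolvable names are reported, not silently dropped,
    because a "block" rule that quietly matches nothing is a false sense
    of coverage.
    """
    addrs: Set[str] = set()
    skipped: List[str] = []
    for raw in names:
        name = raw.strip()
        if not name or name.startswith("#"):
            continue            # blank line or comment
        if "*" in name:
            skipped.append(name)  # PF cannot match a domain group
            continue
        found = resolve(name)
        if not found:
            skipped.append(name)  # stale or unresolvable FQDN
            continue
        addrs.update(str(ipaddress.ip_address(a)) for a in found)
    # Sort IPv4 before IPv6, then numerically, for a stable table file.
    ordered = sorted(addrs, key=lambda a: (ipaddress.ip_address(a).version,
                                           int(ipaddress.ip_address(a))))
    return ordered, skipped


def write_table_file(path: str, addrs: List[str]) -> None:
    """Write one address per line, the format pfctl -T replace -f reads."""
    with open(path, "w") as fh:
        fh.write("\n".join(addrs) + "\n")
```

Run `build_table(names, resolve_system)` periodically and log the skipped list; a growing skipped list is the signal that the FQDN inventory, not PF, needs attention.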