pf and big list of sites
Hello!
I've got a big list (2000) of sites that the boss wants to be blocked. The list is in the format of a hosts file:
Code:
127.0.0.1 badsite.com
127.0.0.1 anotherbadsite.com
...
Quote:
Alternatively, you can use Unbound instead to block access to domains and proxy all DNS traffic via Unbound. This has the advantage that subdomains can also be easily blocked, while it would be hard to enumerate all subdomains of a domain and retrieve IP addresses for each of them.
__________________
Signature: Furthermore, I consider that systemd must be destroyed. Based on Latin oratorical phrase
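
Added example (not part of the original thread, and not code from any poster): one way to turn a hosts-format list like the one in the first post into Unbound `local-zone` statements, so that each listed domain and all of its subdomains resolve to NXDOMAIN. The function names and the sample list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: convert a hosts-format blocklist into Unbound local-zone
# statements. always_nxdomain answers NXDOMAIN for the name and everything
# below it, so subdomains need no separate entries.
hosts_to_unbound() {
    awk '
    {
        sub(/#.*/, "")                  # drop comments
        sub(/\r$/, "")                  # tolerate CRLF line endings
        for (i = 2; i <= NF; i++) {     # field 1 is the address, rest are names
            name = tolower($i)
            sub(/\.$/, "", name)        # strip a trailing root dot
            if (name == "localhost" || name ~ /^localhost\./) continue
            # accept only plain multi-label DNS names
            if (name !~ /^[a-z0-9_-]+(\.[a-z0-9_-]+)+$/) continue
            if (!(name in seen)) { seen[name] = 1; order[++n] = name }
        }
    }
    END {
        for (k = 1; k <= n; k++) {
            parent = order[k]; covered = 0
            # skip a name when one of its parent domains is also listed
            while (sub(/^[^.]+\./, "", parent))
                if (parent in seen) { covered = 1; break }
            if (!covered)
                printf "local-zone: \"%s.\" always_nxdomain\n", order[k]
        }
    }'
}

# Constructed sample input in the format shown in the first post.
sample_hosts() {
    cat <<'EOF'
# constructed sample blocklist
127.0.0.1 localhost
127.0.0.1 badsite.com
127.0.0.1 www.anotherbadsite.com anotherbadsite.com  # two names, one line
127.0.0.1 BadSite.com.
0.0.0.0 not/a/domain
EOF
}

# Usage: hosts_to_unbound < blocklist.txt > blocklist.conf
```

The generated file can be pulled into the `server:` section of unbound.conf with an `include:` line and checked with `unbound-checkconf` before reloading.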
Thanks, jggimi and e1-531g!
Indeed, I only have domain names without IP addresses.
A PF table-based solution is via individual IP addresses and network blocks.
The only domain resolution performed by PF is on individual FQDNs in rules files, and only once when the rules are first loaded. In practice, the boot sequence interferes unless loaded after boot through anchors.

A DNS-based solution requires that all resolution requests are forced to pass through your nameserver for address resolution. I can think of many ways a client workstation or device can defeat that.

One way to enforce domain inspection is to isolate your company's IP network from the Internet, and only permit access to it through a proxy server, where you have governance of domains, URLs, even TLS inspection. One of the built-in tools, relayd(8), can perform these tasks. See the man pages for relayd(8), relayd.conf(5), and take a look at the relayd.conf example file in /etc/examples.
We don't know what case the OP wants to cover. Maybe they just want to block ads on their own laptop? In that case it is just a matter of pointing to loopback (127.0.0.1) in the /etc/resolv.conf file.