From: George Mitchell
Date: Tue, 13 Jun 2023 16:17:52 -0400
To: ml@ft-c.de, stable@FreeBSD.org
Subject: Re: ipfilter block an vhost name
List-Id: Production branch of FreeBSD source code
List-Archive: https://lists.freebsd.org/archives/freebsd-stable

On 6/13/23 16:01, ft wrote:
> Hello
>
> It is possible to block all in and/or out packages from a URL
> with no logging
> any ports (or http and https)
>
> It seems it is a vhost, the IP has more URLs.
>
> my example:
> block in from "brigitte.de" to any
> block out from "brigitte.de" to any
>
>
> Franz
>

At the packet filtering level, all ipfilter has to go on are the source and destination IP addresses in the packet itself. So even if 'block in from "brigitte.de" to any' is syntactically acceptable in your rule set (I believe it is not), it's still blocking on the IP address to which the name resolves, not on the name.

-- George
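
The point made in the reply above, as an added example that is not part of the original thread: a small Python model of a filter that only sees addresses, showing which other virtual hosts a name-based block takes down with it. The host names, the addresses (RFC 5737 documentation ranges) and the assumption that a name is resolved once when the rule is loaded are all constructed for illustration; the stale-rule check goes one step beyond what the reply states.

```python
import ipaddress

# Constructed name-to-address table standing in for DNS (hypothetical names);
# three sites share one virtual-hosting address.
DNS = {
    "blocked-site.example": ["192.0.2.10"],
    "other-vhost.example": ["192.0.2.10"],
    "third-vhost.example": ["192.0.2.10", "192.0.2.11"],
    "unrelated.example": ["198.51.100.7"],
}

def compile_block_rule(name, dns):
    """Resolve a name once (assumed: at rule-load time) into matchable addresses."""
    return {ipaddress.ip_address(a) for a in dns.get(name, [])}

def verdict(src_ip, blocked):
    """Packet-level decision: only the address is available, never the host name."""
    return "block" if ipaddress.ip_address(src_ip) in blocked else "pass"

def collateral(name, dns):
    """Other names that are caught because they share a blocked address."""
    blocked = compile_block_rule(name, dns)
    return sorted(
        n for n, addrs in dns.items()
        if n != name and blocked & {ipaddress.ip_address(a) for a in addrs}
    )

def stale_after_change(name, old_dns, new_dns):
    """Addresses the name uses now that the already-loaded rule does not cover."""
    missing = compile_block_rule(name, new_dns) - compile_block_rule(name, old_dns)
    return sorted(str(a) for a in missing)

if __name__ == "__main__":
    rule = compile_block_rule("blocked-site.example", DNS)
    for name, addrs in DNS.items():
        print(name, [(a, verdict(a, rule)) for a in addrs])
    print("collateral:", collateral("blocked-site.example", DNS))
    moved = dict(DNS, **{"blocked-site.example": ["203.0.113.5"]})
    print("not covered after DNS change:",
          stale_after_change("blocked-site.example", DNS, moved))
```
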