Can ipfw Rules Be Based On DNS Name

Michael Sierchio kudzu at tenebras.com
Thu Aug 12 00:20:45 UTC 2021


On Wed, Aug 11, 2021 at 4:38 PM Nathaniel Nigro <nathaniel.nigro at gmail.com>
wrote:

> ipfw -q add 111 deny udp from (domain) to any (or local ip) (port) in via
>

No.  You can add a rule for an FQDN, but that's only resolved at the time
you add the rule.  It's just an IP address in the firewall ruleset.

You can maintain a table of addresses, and check that with a single rule.
You can add and delete CIDR blocks and IPv6 prefixes without changing the
ruleset or restarting the firewall.  How you might do that is a non-trivial
problem.  How do you find all the IP addresses associated with a particular
domain?
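The table approach described above, as an added example (this is not code from the post or from FreeBSD's own tooling): a small sh script that re-resolves a name, loads the current A/AAAA records into a named ipfw table, and swaps it in behind a single rule that references the table. The table name `blocked`, the scratch table `blocked_new`, interface `em0`, port 53, the `host`-style resolver output it parses, and the `IPFW` dry-run override are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post: keep an ipfw lookup table in
# sync with a domain's current addresses, run from cron, instead of
# baking one resolved address into a rule.
#
# Assumed one-time setup (hypothetical names):
#   ipfw table blocked create type addr
#   ipfw add 111 deny udp from 'table(blocked)' to any 53 in via em0
# IPFW can be overridden with "echo" for a dry run.

IPFW=${IPFW:-ipfw}
TABLE=${TABLE:-blocked}

# Turn "host"-style resolver output into one prefix per line:
#   "name has address 203.0.113.10"       -> 203.0.113.10/32
#   "name has IPv6 address 2001:db8::10"  -> 2001:db8::10/128
# MX, CNAME and other lines are ignored.
parse_host_output() {
    awk '
        /has address/      { print $NF "/32" }
        /has IPv6 address/ { print $NF "/128" }
    '
}

# Current A and AAAA records for a name, as seen by the local resolver.
# Note this is only what the resolver returned on this query; a CDN or
# round-robin name may hand out different addresses next time, which is
# why this runs periodically rather than once.
resolve_addrs() {
    host "$1" | parse_host_output
}

# Load the addresses on stdin into a scratch table, then swap it with the
# live table so the rule never sees an empty table between flush and
# re-add.  "table swap" needs the named-table support of FreeBSD 11+.
sync_table() {
    scratch="${1}_new"
    "$IPFW" -q table "$scratch" create type addr 2>/dev/null || true
    "$IPFW" -q table "$scratch" flush
    while read -r addr; do
        [ -n "$addr" ] || continue
        "$IPFW" -q table "$scratch" add "$addr"
    done
    "$IPFW" -q table "$1" swap "$scratch"
    "$IPFW" -q table "$scratch" flush
}

# Usage: sh sync_ipfw_table.sh example.net   (e.g. every 5 minutes from cron)
if [ $# -ge 1 ]; then
    resolve_addrs "$1" | sync_table "$TABLE"
fi
```

Run it with `IPFW=echo` first to see the exact `ipfw table` commands it would issue. The script does not answer the harder question raised above of finding every address behind a domain; it only tracks what the resolver returns on each run, so an address that is never handed to this host is never blocked.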


More information about the freebsd-questions mailing list