tech-net archive


Re: Using blocklistd, and a bind plugin, to manage allowlists?



In article <1f82a10b-5ce1-4b00-9142-97873d038070%hhhh.org@localhost>,
Konrad Schroder  <perseant%hhhh.org@localhost> wrote:
>Hello all,
>
>At $WORK I have a collection of scripts that attempt to allow certain 
>hosts through the firewall by name; that is, they periodically look up 
>certain hostname(s) and use the results to populate an NPF table.  This 
>table is used to allow local hosts to make *outbound* connections to the 
>desired hosts; inbound connections are (generally) not allowed at all.
>
>We've run into a problem recently where the round robin lookup for one 
>of the hosts turns quickly enough that several subsequent DNS lookups all 
>return different IP addresses. It may be that *every* DNS query returns 
>a different subset of hosts, and of course I can't make that work with 
>my current strategy.  With outbound connections, however, a connection 
>attempt will always be preceded by a DNS lookup of the address it will 
>then connect to, so in theory there is an opportunity to update the 
>table on the fly.  It should be almost trivial to construct a name-based 
>firewall for outbound connections using a plugin to named(8) that 
>communicates with blocklistd(8), using a blocklist rule that adds the 
>hosts to an NPF table for *allow* rather than blocking them.  It seems 
>so trivial that someone must have done it already, but googling around 
>didn't turn anything up.
>
>Is there a better way to set up a name-based firewall on NetBSD?  Is 
>there a package that I missed that already does this?  If I do it 
>myself, the packet format that blocklistd uses is private; is it 
>possible to expose it in a header for other applications to use?

Nobody has done it, but as you say, it should be trivial to add ;-)

christos
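The periodic-lookup approach from the quoted message, written out as an added example that is not part of this thread or of any NetBSD tool. Rather than replacing the table with the latest answer (which flaps when the round robin rotates faster than the polling interval), every address ever returned stays in the allow table until it has not been seen for a grace period, so a rotating subset accumulates into the full set. Assumptions: an NPF table named allow-by-name, the `npfctl table <tid> add|rem <addr>` command syntax, and that keeping an address allowed for a while after it stops resolving is acceptable for an outbound-only allowlist. The round-robin resolver and the clock are constructed stand-ins so the code runs offline.

```python
"""Keep an NPF allow table populated from hostnames that resolve round-robin.

Added example (not from the thread or from NetBSD). Every address seen is kept
until it has not been returned for TTL seconds, so a rotating round-robin set
accumulates instead of flapping between subsets.
"""
import subprocess
import time

TABLE = "allow-by-name"          # hypothetical NPF table name (assumption)


def run_npfctl(cmd):
    """Execute an npfctl command; replaced by a no-op hook in tests."""
    subprocess.run(cmd, check=True)


class AllowTable:
    def __init__(self, table, ttl, resolver, clock=time.monotonic, run=run_npfctl):
        self.table = table
        self.ttl = ttl
        self.resolver = resolver    # callable: hostname -> list of address strings
        self.clock = clock
        self.run = run
        self.expires = {}           # address -> time at which it leaves the table

    def refresh(self, hostnames):
        """Resolve the names, add unseen addresses, expire stale ones.

        Returns the npfctl commands issued, in order, so callers can audit them."""
        now = self.clock()
        cmds = []
        for name in hostnames:
            for addr in self.resolver(name):
                if addr not in self.expires:
                    cmds.append(["npfctl", "table", self.table, "add", addr])
                self.expires[addr] = now + self.ttl     # (re)arm the timer
        for addr, exp in list(self.expires.items()):
            if exp <= now:                              # not seen for a full TTL
                del self.expires[addr]
                cmds.append(["npfctl", "table", self.table, "rem", addr])
        for cmd in cmds:
            self.run(cmd)
        return cmds

    def active(self):
        """Addresses currently allowed, sorted for stable comparison."""
        return sorted(self.expires)


def make_round_robin(pool, per_answer):
    """Constructed resolver: hands out `per_answer` addresses from `pool`,
    rotating on every call, mimicking the fast round robin the thread describes."""
    pos = {"i": 0}

    def resolve(_name):
        i = pos["i"]
        pos["i"] = (i + per_answer) % len(pool)
        return [pool[(i + k) % len(pool)] for k in range(per_answer)]
    return resolve


class FakeClock:
    """Constructed clock so expiry can be exercised without sleeping."""
    def __init__(self):
        self.t = 0

    def __call__(self):
        return self.t


if __name__ == "__main__":
    # Real use: system resolver, real npfctl, poll every minute.
    import socket

    def system_resolver(name):
        try:
            infos = socket.getaddrinfo(name, None, socket.AF_INET)
        except socket.gaierror:
            return []               # a failed lookup simply lets timers run down
        return sorted({info[4][0] for info in infos})

    table = AllowTable(TABLE, ttl=600, resolver=system_resolver)
    while True:
        table.refresh(["example.net"])   # placeholder hostname
        time.sleep(60)
```

The TTL is the knob to tune: it must be longer than the polling interval times the number of rotations needed to see the whole set, and anything allowed past that window is an address the upstream may have handed to someone else, which is the trade-off a name-based allowlist makes when it cannot hook the lookup itself.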


