On Wed, 02 Jan 2008 17:38:49 +1100, PBW wrote:
> I've been using PF to manage a HTTPS whitelist, but am running into
> problems. Using the rule below it works well with most things. However,
> the login.live.com (used for Hotmail) results in timeouts. When I
> restart PF it's fine, which leads me to believe that the lookup is done
> when the rules load.
Yes, PF only deals with numerical IP addresses. When you use symbolic
host names in pf.conf, that's just syntactic sugar which pfctl
resolves once on ruleset load time.
> pass out log on $ext_if proto tcp from $ext_if to { www.snort.org,
> login.live.com, ...and so on } port 443 keep state
>
> My question is: is there an elegant and robust way to perform
> whitelisting with PF?
If you think it would be elegant if PF would do DNS lookups
at run-time from kernel or could do layer 7 inspection, I would
disagree.
IP-based filtering is not perfect for this case, as a host name
can resolve to a dynamic list of IP addresses over time. You can
reload the ruleset to trigger re-resolution regularly, but there's
no guarantee that a name server will return the same (or even a
similar) set of addresses for two subsequent lookups.
Furthermore, you're matching too broadly. Two completely unrelated
services could be hosted on the same IP address (like
www.snort.org and www.pr0n.com could reside on the same IP
address). You'd either
block too much or too little.
You might find that a layer 7 proxy like squid[1] is much more
appropriate for the task. You can use it in transparent mode
with PF redirecting clients to it without their cooperation.
Daniel
[1] http://www.squid-cache.org/
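The periodic re-resolution Daniel describes, worked out as an added example that is not part of the thread and not code from the PF or squid projects. Instead of reloading the whole ruleset, the names from the poster's rule live in a PF table that a cron job replaces atomically with `pfctl -t ... -T replace`, after resolving each name with host(1). The table name, the file paths and the cron interval are assumptions; the script also reports which addresses appeared or disappeared between two runs, which is exactly the drift Daniel warns about. It does nothing about the second objection: it still matches on IP addresses, so any unrelated site sharing an address with a whitelisted name gets through too.

```shell
#!/bin/sh
# pf-whitelist-sync.sh: added example, not from the original thread.
# Keeps a PF table of HTTPS whitelist addresses in sync with DNS without
# reloading the whole ruleset.  It assumes pf.conf carries these lines
# (the table name is an assumption; the pass rule is the poster's with the
# host list moved into the table):
#
#   table <https_whitelist> persist
#   pass out log on $ext_if proto tcp from $ext_if to <https_whitelist> \
#       port 443 keep state
#
# Run it from cron, e.g. every few minutes:  pf-whitelist-sync.sh --sync
# It still filters on IP addresses: an unrelated site sharing an address
# with a whitelisted name is let through as well.

set -u
export LC_ALL=C   # byte-wise sort order so comm(1) agrees with sort(1)

WHITELIST=${WHITELIST:-/etc/pf.https_whitelist}    # assumed path; one host name per line
TABLE=${TABLE:-https_whitelist}                    # assumed table name
STATE=${STATE:-/var/db/pf.https_whitelist.addrs}   # assumed path; last loaded address set
RESOLVER=${RESOLVER:-host -t A}                    # any command printing host(1)-style A records

# resolve_host NAME: print NAME's IPv4 addresses, one per line.
# CNAME lines ("is an alias for") and NXDOMAIN messages do not match.
resolve_host() {
    $RESOLVER "$1" | awk '/has address/ { print $NF }'
}

# resolve_all FILE: resolve every name in FILE (blank lines and # comments
# skipped) and print the de-duplicated, sorted address set.
resolve_all() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" | while read -r name; do
        resolve_host "$name"
    done | sort -u
}

# drift OLDFILE NEWFILE: print addresses present in only one of the two
# sorted sets, prefixed with '-' (gone) or '+' (new).  Empty output means
# the name server returned the same set as last time.
drift() {
    comm -23 "$1" "$2" | sed 's/^/-/'
    comm -13 "$1" "$2" | sed 's/^/+/'
}

# sync_table: resolve, log any drift, and replace the table in one step so
# the kernel never sees a half-updated whitelist.
sync_table() {
    new=$(mktemp) || exit 1
    resolve_all "$WHITELIST" > "$new"
    [ -f "$STATE" ] || : > "$STATE"
    changes=$(drift "$STATE" "$new")
    if [ -n "$changes" ]; then
        logger -t pf-whitelist "table <$TABLE> changed:" $changes
        pfctl -t "$TABLE" -T replace -f "$new" && mv "$new" "$STATE"
    else
        rm -f "$new"
    fi
}

if [ "${1:-}" = "--sync" ]; then
    sync_table
fi
```

Because `-T replace` swaps the whole table at once, a name that briefly fails to resolve drops out of the table until the next run; if that is worse than a stale address, keep the previous set when `resolve_all` returns nothing for a name. Pointing `RESOLVER` at a wrapper lets you run the script against a fake resolver before trusting it with the live table.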