# hostname in pf.conf



## swa (Feb 10, 2012)

Hello,

In pf.conf, with this entry everything is fine.

```
serverip="1.1.1.1"
```
If I change the IP to name.domain.tld, pf rules fail to load at boot.

```
serverip="name.domain.tld"
```

Probably pf rules are starting before DNS resolving is available, which is probably a good thing. Is there a reliable solution for configuring FQDNs in pf.conf?

A workaround could be a cronjob like

```
@reboot /bin/sleep 20 && /sbin/pfctl -f pf.conf
```

but this feels crappy and might not be reliable. Another one is keeping entries in /etc/hosts, but that doesn't make sense since I still have to administer the IP addresses.


----------



## CoTones (Feb 11, 2012)

Are you sure FQDNs are supported in pf?


----------



## kpa (Feb 11, 2012)

They are, as long as they can be resolved through the system resolver(3) at the time of loading the rules. I have my hostnames in /etc/hosts so they are always resolvable. Swa's problem is that the rules are loaded before DNS resolvers are available and he uses names that are not in /etc/hosts.


----------



## CoTones (Feb 11, 2012)

Well then, after boot, run a periodic script that resolves names to IPs and writes them to a pf table file.


----------



## swa (Feb 12, 2012)

Thanks for your answers.



			
				CoTones said:
			
		

> Are you sure FQDN's are supported in pf?


Yes, I'm sure. If I manually (re)load pf rules everything is OK.



			
				CoTones said:
			
		

> Well then, after boot, run periodical script  that resolves names to IPs and writes them to pf table file.


That I would like to avoid. I want the rules to be applied at boot, not after boot with cronjobs or scripts.


----------



## quintessence (Feb 15, 2012)

Hello,

What exactly are you trying to achieve?

I can give a typical example:

You are running DHCP and you have a dyndns hostname, and you would like to allow access to your FQDN on some ports from some hosts. In this case the ruleset should look like:


```
ext_if="your_network_card"
pass in quick on $ext_if inet proto tcp from ip.ip.ip.ip to any port 80
```


----------



## swa (Feb 19, 2012)

Hi,

I was trying to simplify things so that I don't have to update /etc/pf.conf or /etc/hosts, but only the DNS address of the FQDN whenever an IP changes. I have some pf rules with restrictions to IP only.

Example rules:

```
rdr pass on $ext_if proto tcp from $server1_ip to $server2_ip port $server2_port -> $jail_int_ip
rdr pass on $ext_if proto tcp from $smtpserver to ($ext_if) port $sqlport -> $mailserver
```

In the end it's not a big problem, but it is rather annoying to find out that the rules aren't loading after a reboot when I change $server1_ip to server1.domain.tld.


----------



## rghq (Feb 19, 2012)

And what about a workaround like first loading your rules that block everything, then loading the rest of the pf rules that require a working DNS from your own rc script?
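One way to combine CoTones' table-file suggestion with rghq's rc-script idea, as an added example that is not from this thread: pf.conf keeps only IP-based rules plus a table (assumed here to be `<dns_hosts>`, backed by the assumed file `/var/db/pf/dns_hosts.txt`, declared as `table <dns_hosts> persist file "/var/db/pf/dns_hosts.txt"`), and this script, run from an rc script or cron once the resolver is up, fills the table through getent(1) and pfctl(8). It refuses to replace the table when any name fails to resolve, so the boot-time race becomes a retryable error instead of a silently missing rule.

```shell
#!/bin/sh
# Added example (not from this thread): refresh a pf table from DNS names once
# the resolver is up. Table and file names below are assumptions.
TABLE="${TABLE:-dns_hosts}"
TABLE_FILE="${TABLE_FILE:-/var/db/pf/dns_hosts.txt}"

# Strict dotted-quad check so nothing but IPv4 addresses reaches the table file.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# Resolve one name via the system resolver (getent honours nsswitch, so /etc/hosts
# entries work too) and print its validated IPv4 addresses, one per line.
resolve_v4() {
    getent hosts "$1" 2>/dev/null | awk '{ print $1 }' | while read -r a; do
        if is_ipv4 "$a"; then echo "$a"; fi
    done
}

# Print the table body for all names; return 1 if any name did not resolve so the
# caller keeps the previous table instead of silently shrinking it.
build_table() {
    rc=0
    for name in "$@"; do
        addrs=$(resolve_v4 "$name")
        if [ -z "$addrs" ]; then
            echo "$name: no IPv4 address, keeping previous table" >&2
            rc=1
        else
            printf '%s\n' "$addrs"
        fi
    done
    return $rc
}

# Write the new file atomically and hand it to pf only when every name resolved.
refresh_table() {
    tmp=$(mktemp "${TABLE_FILE}.XXXXXX") || return 1
    if build_table "$@" > "$tmp"; then
        mv "$tmp" "$TABLE_FILE" && pfctl -t "$TABLE" -T replace -f "$TABLE_FILE"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Usage from rc/cron: sh dns_table.sh server1.domain.tld smtp.domain.tld (no args: only defines functions)
if [ $# -gt 0 ]; then refresh_table "$@"; fi
```

The rules in pf.conf then reference `<dns_hosts>` instead of a hostname, and `pfctl -f pf.conf` at boot no longer depends on DNS at all.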


----------

