|
Unix VPS
Support
FAQ
Network
Miscellaneous
|
| SRV2PF(1) | User Contributed Perl Documentation | SRV2PF(1) |
NAME
srv2pf - Create and update PF tables from DNS recordsSYNOPSIS
srv2pf [-46Fnpv] [-f file] -t table name[:service[:transport]] [...]DESCRIPTION
The srv2pf utility creates and updates PF address tables based on DNS records.For each name specified on the command line, the srv2pf utility performs a DNS lookup for SRV, CNAME, A and AAAA records. The right-hand side of any SRV and CNAME records encountered are resolved recursively.
If no errors occured during this process, a PF address table with the name specified on the command line is either created or updated to match the list of IP addresses that were found. If the table already exists, its contents are replaced with the list that was obtained from DNS, unless the -p option was specified, in which case the table is treated as append-only.
The following options are available:
- -4
- Include IPv4 addresses in the table. If neither -4 nor -6 is specified, the default is to include both IPv4 and IPv6 addresses.
- -6
- Include IPv6 addresses in the table. If neither -4 nor -6 is specified, the default is to include both IPv4 and IPv6 addresses.
- -F
- Never flush a table. If a DNS lookup does not return any results, assume that something is wrong and terminate without updating the table or file.
- -f file
- Save the addresses to a file in addition to updating the table. If file is a directory, the addresses will be stored in a file bearing the name of the table within that directory. The file is written out before the table is created or updated. Failure to write the file will generate an error message but will not prevent the table from being created or updated.
- -t table
- The name of the table to be created or update. This option is mandatory.
- -n
- Perform all LDAP and DNS lookups, but do not create or update any PF tables or files.
- -p
- Preserve existing table entries even if they are not encountered in DNS
lookups. Implies -F.
This does not apply to the file generated with the -f option, which will only contain the addresses retrieved from DNS.
- -v
- Show progress and debugging information.
Each subsequent argument is either a DNS name or IP address, or a service specification consisting of at least two and at most three items, separated by colons. The first item is a DNS name. The second is a comma-separated list of service names, which defaults to http,https. The third is a comma-separated list of transport protocols, which defaults to tcp. At least one service specification must be provided.
EXAMPLES
Update a table named ldap used to allow traffic from the organization's internal network to its LDAP servers:
% grep -w ldap /etc/pf.conf
table <ldap> persist
pass in on int proto tcp from int:network to <ldap> port { ldap, ldaps }
pass out on dmz proto tcp from int:network to <ldap> port { ldap, ldaps }
% sudo srv2pf -pv -t ldap example.com:ldap:tcp
# looking up SRV for _ldap._tcp.example.com
# looking up dc01.example.com
# dc01.example.com. 50339 IN AAAA 2001:db8:0:42::dc1
# dc01.example.com. 50339 IN A 198.51.100.221
# looking up dc02.example.com
# dc02.example.com. 302 IN AAAA 2001:db8:0:42::dc02
# dc02.example.com. 128 IN A 198.51.100.222
# looking up example.com
/sbin/pfctl -t ldap -T add 198.51.100.221 198.51.100.222 2001:db8:0:42::dc01 2001:db8:0:42::dc02
No ALTQ support in kernel
ALTQ related functions disabled
4/4 addresses added.
SEE ALSO
pf(4), pfctl(8)AUTHOR
The srv2pf utility was written by Dag-Erling Smørgrav <des@des.no> for the University of Oslo.| 2021-10-10 | perl v5.32.1 |
Visit the GSP FreeBSD Man Page Interface.
Output converted with ManDoc.