How to apply ipfw rules to domains that resolves to multiple IPs?

2

1

Suppose I wanted to use ipfw to throttle uploads to youtube. The uploads are made to upload.youtube.com but this domain resolves into multiple different IPs (which also appear to change over time).

Trying to create a rule for the domain results (viewed through ipfw list) in an entry connected just to the first IP to which the domain resolved to.

How could I get my rule to automatically apply to the domain, with all of its IPs as well as future IPs to which it will resolve to?

GJ.

Posted 2014-08-15T13:27:11.850

Reputation: 8 151

Answers

0

Given that ipfw works at Layer 3, it is virtually impossible to do this (outside of manually hunting down each IP upload.youtube.com uses).

pf on the other hand appears like it would do the job splendidly, as it allows for domain-based matching on either source or destination, and makes use of queues to rate-limit traffic either by setting specific rates (class based queues) or by priority (priority based queues).

Your syntax will vary based on which particular version of pf you have installed (which apparently varies heavily from BSD to BSD and from version to version on top of everything). Here you can find an out of date article that should at least help with the concept side of what you're doing, but ultimately, man pf is what you'll need to figure out exact syntax. A couple of example config files are found here. Best of luck.

0xDAFACADE

Posted 2014-08-15T13:27:11.850

Reputation: 706

This answer of course assumes you're using a BSD variant, which I presume you are due to your attempts with ipfw. It appears not to be an option for Linux, so if my assumptions are incorrect, don't kill yourself trying to find it. Shorewall would do the trick on Linux if necessary. – 0xDAFACADE – 2014-08-15T19:51:38.077

After going ahead and crafting this answer for you, I stumbled across this. It looks like you might actually be able to handle this with ipfw after all, by running your traffic through snort_inline. After a good few hours of hunting for this, I'll leave it to you or someone else to figure the specifics out, but figured it's worth mentioning in case you really are tied to ipfw and migrating to pf isn't an option.

– 0xDAFACADE – 2014-08-15T20:31:27.837

Asked: 2014-08-15T13:27:11.850

Viewed: 230 times

Active: 2014-08-15T20:14:53.970