Skip to content

DNS Forwarder, IP Pools, and pf Tables

This page documents the implemented t1n1wall workflow where DNS resolution can feed firewall policy.

What this feature does

  1. DNS forwarder (dnsmasq) resolves configured domains.
  2. Resolved addresses are inserted into configured IP Pools.
  3. IP Pools are enforced as pf tables in firewall rules.

This allows policy decisions based on DNS-resolved targets instead of static IP lists.

Where to configure it

  1. Create IP Pools and members in Firewall IP Pool pages.
  2. In Services > DNS forwarder, add IP Pool map entries:
  3. Domain/FQDN to monitor
  4. Target IP Pool
  5. Use that IP Pool in firewall rules as source or destination network.

How it is implemented (code behavior)

  • DNS forwarder config writes ipset=/domain/poolid entries.
  • Filter logic renders IP Pools as pf table definitions.
  • pf tables are loaded during filter apply.

Practical implication: if domain mapping is wrong or DNS queries do not pass through this firewall, policy matching will fail even when rules look correct.

Validation checklist

  1. Confirm domain mapping entry exists in DNS forwarder.
  2. Confirm clients use this firewall DNS forwarder path.
  3. Confirm firewall rule references the expected IP Pool.
  4. Confirm pf tables include expected resolved addresses.
  5. Generate test traffic and confirm expected pass/block logs.

Common failure cases

  • Domain typo or wrong scope (mapping not matching actual query name)
  • Clients using external DNS directly (bypassing local dnsmasq)
  • IP Pool not referenced by any policy rule
  • Stale assumptions about old ipfilter terminology instead of pf table behavior