Ignore any IP not resolving to a trusted domaine

johnpoz

@wastapi if there is no rule to allow the traffic, then any packets sent to your wan IP would just be dropped.. So nobody would get any responses from your IP, unless traffic is allowed via your port forward.

Wastapi

Thanks @johnpoz,
The only allow rule on my WAN is to allow my open VPN see image:

But in my Firewall logs I still see SO MANY of the following on random ports:

• Block private networks from WAN block 10/8 (12001)
• Default deny rule IPv4 (1000000103)

I understand these did not go through. But I just want those to be ignored 100%. Just don't tell me about it, I want to ensure these hackers don't know I exist at all. ;)

But back to my main question: Even on my OpenVPN 1221 port, if your IP is not linked to a known FQDN alias, the port should not even respond. Black hole. The port is not open for them.

Thanks again!

johnpoz

@wastapi yeah firewall logs noise it sees ;) doesn't mean it answers.. There is lots of noise on the internet.

You can turn off logging for those default rules if you don't want stuff logged.

Use the alias in your firewall rule for the openvpn if you only want your fqdn ips from your alias to access it.

Wastapi

@johnpoz
LOTS of noise indeed. I just don't want to echo anything. I want to be a blackhole! ;)

As for Alias setup with the FQDN, I seem to need help. I don't want to break anything. Can you point how I would make this Rule only listen to IPs to which these FQDN resolve?

Here is my Alias setup

Here is my Rule setup

johnpoz

@wastapi see where it says source any - change that to single and put in your alias..

example here is one of mine

Wastapi

@johnpoz ok I see! Great! You really helped me there.

1-Can I add multiple Aliases as source? Comma separated? Or it is preferable to have one rule per alias should I have multiple for other more granular usage?

2-Where do I control how often the pfsense DNS is updating the resolution of my FQDN domains in my Alias?
Where are the setup for this?

Thanks!

johnpoz

@wastapi by default it updates every 5 minutes.. Which really should be fine for such a thing..

as to multiple aliases in same rule, I don't think so.. You can use the same alias in multiple rules. And you can sort of nest some alias types into a bigger one.

But always better to be granular as possible if you ask me.

Wastapi

@johnpoz Ok, will look into this.

Just to be clear as I am doing these changes over my Open VPN connection (not onsite now). I don't want to be locked out and have to drive to office! ;)

• I define these dyndns fqdn Aliases as HOSTS right? like in my original screenshot.
• And in my WAN rule (which comes from the OpenVPN VPN wizard), I replace the SOURCE to Alias with my alias as you did
• as for the Destination I leave it like this?
  

Thanks!

johnpoz

@wastapi well to make sure you don't lock yourself out... You could always create a rule that allows your current IP to the gui directly from the IP... That way you would be able to get in, even if you mess up your vpn access, etc.

I always put in some sort of out of band access when doing anything that could lock me out ;)

Also good check is put that alias into some dummy rule, so it gets evaluated. Alias do not get resolved unless in a rule.. And then check your tables under diagnostic to make sure the IPs are in there for those fqdn..

example

Wastapi

@johnpoz
mmm. Right. not sure how this rule should be performed though.
Sorry for the Newbe stuff. :/

johnpoz

@wastapi what rule a gui access rule? Just allow on your wan to wan address on port your gui is running on, and then the IP your currently coming from as source..

Validate that works before you mess with your vpn rule.

Wastapi

@johnpoz
Sure! But then how will I test that my new alias setup is working as I now have a rule that allows my IP through anyway?

johnpoz

@wastapi -- look in the table to make sure its showing the IPs, etc.

Your other rule is for vpn, not direct access to the web gui via the wan IP.. Completely different modes of connecting..

Wastapi

@johnpoz Yes, but as I am on the same IP, the VPN still works. So even disabling the Open VPN rule does allow me to connect as the IP is allowed 100%.

So I guess I should limit the ports on the new temporary rule to JUST allow the 80 port for the GUI? Or other ports too?

Thanks!

johnpoz

@wastapi huh?? Create your web gui port rule and access it.. via your public IP, you wouldn't be going down the vpn to get ot your pfsense wan IP..

Wastapi

@johnpoz Ok so I should understand from your last reply that the temporary IP assigned "Web GUI rule" should not be on all ports (.) but only 443?

johnpoz

@wastapi is your web gui using 443, then yeah.. Mine uses 8443 for example..

Wastapi

WOHOOOO!!! It works! :) :)
Thanks a lot @johnpoz !

Wastapi

@johnpoz
I have an issue. It seems that ANY IP can connect to the open VPN now, even if they are NOT in the alias pool.

I have put the said rule on my WAN interface.
Should I also put it on my openvpn interface?

I would have expected my WAN to simply block it if not in the alias pool, and for the traffic NOT to reach the open VPN because of that.

Thanks for your continued help.

johnpoz

@wastapi without seeing your rules I really can not even guess to what could be going on.

But you can validate what is in the alias via the diagnostic / table menu. For something to talk to your openvpn service listening on your wan IP.. You would need a rule on your wan to allow it. The rules in your openvpn interface would be for what traffic is allowed via that interface - not for connecting to it from wan.