No access to webinterface "Potential DNS Rebind attack detected" since July/3
-
Sorry, I tried everything on the git page you linked and got nothing but errors. I also made my filesystem writable first but no dice.
-
ah, on nanobsd that doesn't work so well.
You'll have to wait for the next new image. I stopped a build in progress since it didn't have these changes, and started it again. It will probably be late this evening when it uploads the nanobsd images.
Or you can download an updated copy of /etc/inc/auth.inc:
# /etc/rc.conf_mount_rw # fetch -o /etc/inc/auth.inc http://redmine.pfsense.org/projects/pfsense/repository/revisions/master/raw/etc/inc/auth.inc # /etc/rc.conf_mount_ro -
I'll try the next snapshot then. Is there some cleanup I need to do in my filesystem after attempting to install git? I don't see anything glaringly out of place in /root or /tmp.
-
I'll try the next snapshot then. Is there some cleanup I need to do in my filesystem after attempting to install git? I don't see anything glaringly out of place in /root or /tmp.
Not really, it might leave some files in /root/pfSense/ you can safely remove.
-
Hi again,
tried the 6th June Snapshot, still the same issue.
Cannot access the webinterface from wan by its ipaddress nor hostname. DNS Rebind…
I'll try next snapshot when it comes available. -
Jim made the change around 3.5 hours ago; not long enough to be in the latest build. The next snapshot will be the true test.
-
Yes, I'm excited already ;)
BTW: was just referring to "Have you tried with a snapshot from the 5th or preferably the 6th?"
-
Especially since I had to stop the builder and restart it again, we found several more bugs and cases to test for in that code.
If you need the fixes, pull in the code with the fetch command I mentioned above and it should be OK.
-
Hey, thnx very much.
I for myself will stick to 30th June Snapshot in the meanwhile.Thnx for all the hard work!
-
This may be a Potential DNS Rebind attack not an issue with pfsense. Do an nslookup or dig of google.com or twitter.com Use multiple DNS servers other than your own as well as the router.
-
This may be a Potential DNS Rebind attack not an issue with pfsense. Do an nslookup or dig of google.com or twitter.com Use multiple DNS servers other than your own as well as the router.
No, we actually added a bunch of code to protect against DNS rebind attacks that would affect the web interface, but the checks needed some work. They should be OK in the next snapshot that comes out.
-
If you have an account at OpenDNS.com (and not just using their forwarders) you can have RFC1918 responses filtered out automatically, effectively disabling all DNS rebind attacks.
-
@kpa:
If you have an account at OpenDNS.com (and not just using their forwarders) you can have RFC1918 responses filtered out automatically, effectively disabling all DNS rebind attacks.
There is a checkbox in the current repo code to disable these checks entirely if you want :-)
-
Hi again,
just to let you know: the current snapshot 20100706-2143 still doesn't allow me to access the webinterface via its ip address nor hostname :(
-
@mxx:
Hi again,
just to let you know: the current snapshot 20100706-2143 still doesn't allow me to access the webinterface via its ip address nor hostname :(
What type of snapshot or update file is that? I'm not seeing any files with that timestamp.
Are you running the GUI on a standard port? Any kind of port forwarding involved?
Does it work after you do the fetch command I mentioned earlier in this thread?
-
I used http://snapshots.pfsense.org/FreeBSD_RELENG_8_1/i386/pfSense_HEAD/updates/pfSense-Full-Update-2.0-BETA3-20100706-2143.tgz
That's the latest one I've found.
I'm running the webif on a non standard port (5556). No port forwarding at all.
Sorry didn't try to download the inc file manually as I thought it would already have been built-in in this Snapshot.
I'll give that a try now!
Thank you!
-
It's possible that the snapshot didn't get all of the changes we checked in, I don't remember when it was started.
-
That snapshot does have the code for letting you in with the GUI on an alternate port, and I can put my WebGUI on that port and it works fine.
Is there something else different about how you access the GUI? A proxy involved somehow?
-
Okay after that it does work when I use the wan ip to connect.
When I use the hostname I setup for that ip in our dns server hosted externally, it does not.
It's quite bothersome to differentiate all the ip addresses used by different boxes and 2 pfsense firewalls that's why I set them up..Will this also get fixed or would I have to disable the feature completely?
You mentioned a switch to turn it off, could you please tell me where I can find it?Thanks!
Edit: no proxy, really standard config.. really strange.. accessing it by its ip address before I pulled the file didn't work at all, though I cannot say for sure whether it was a browser cache issue, sorry. However access by using the ip address works, but not with its hostname.. though this hostname is fully resolveable…
Edit: ok, I'm sorry, the error might be that pfsense's locally configured fqdn doesn't match the forwarding in the external dns server, what do you think?
Edit 3: But the problem is that this fqdn isn't possible to be resolved it's just a local domain...
I'd really like to be able to access each of its wan if ips by hostname forwardings..
May changing its hostname afterwards have any possible negative impacts on anything? Haven't installed tinydns.. ? -
We already thought of just that scenario. :-)
Go to System > Advanced, on the admin tab. Put your custom hostname in the "Alternate Hostnames" box.
