Netgate Discussion Forum

    Only allow certain ports to certain FQDNs

Firewalling
13 Posts 3 Posters 3.6k Views
KOM:

You can use aliases to represent a URL list. Perhaps you could craft an Outbound NAT rule with a URL list alias as the Destination?
Heli0s:

Can I use wildcards in hostname aliases? So to represent all Google URLs, just use "*.google.com", and that would resolve for www.google.com, mail.google.com, drive.google.com, etc.
KOM:

No, I don't believe so. You will have to compile a list of every IP address or FQDN used by the services that you wish to block or redirect. Someone else has an ongoing thread of IP addresses for all of Google video aka YouTube, Facebook etc. Perhaps there is a known list of Gmail addresses that you can use.
Heli0s:

Thanks for the help. Would it be correct to assume that if I add an alias to www.google.com and/or mail.google.com, drive.google.com, etc. (without wildcards) it will correctly resolve the IP addresses associated with these domains and sub-domains?
KOM:

No, and you don't want to do that anyway. Services like Facebook, Google, YouTube et al. use load balancers and global CDNs. Every time you do a lookup of www.google.com, for example, you can get a different IP address from the pool they have for that domain.
Heli0s:

I understand. Out of curiosity, the Aliases and Hostnames help pages (https://doc.pfsense.org/index.php/Aliases) say the following:

    For Host and Network type aliases, you can enter a fully qualified domain name (FQDN) instead of an IP address. The FQDN will be resolved by DNS every 5 minutes and updated internally. This can be useful for tracking dynamic DNS entries to identify sites or users that are unable to use a static IP.

Is that not what I'm trying to do?
KOM:

Yes, but if you're using the resolved IP address to do anything, there is no guarantee that will be the same IP address even a second later. For example, I just did an nslookup on www.google.com. Here is what I got:

    Non-authoritative answer:
    Name:    www.google.com
    Addresses:  2607:f8b0:400b:80b::1011
              74.125.226.147
              74.125.226.148
              74.125.226.144
              74.125.226.145
              74.125.226.146

Then I went to a DNS website and resolved www.google.com. Here is what I got:

    74.125.131.147

Yet another resolver gave me this:

    Type  Domain Name     IP Address      TTL
    A     www.google.com  74.125.227.144  5 min
    A     www.google.com  74.125.227.145  5 min
    A     www.google.com  74.125.227.146  5 min
    A     www.google.com  74.125.227.147  5 min
    A     www.google.com  74.125.227.148  5 min

So as you can see, the IP addresses are all over the place.
Heli0s:

So what you're saying is that if I set up the system in the same way as the guide describes, and it resolves an IP every 5 minutes, then if the IP changes within that 5-minute window and I try to use the resolved IP right after, the connection will fail because the resolved IP that the firewall holds is different from the current IP of the FQDN?
KOM:

Yes, that's what I'm afraid of. If you instead use a list of IP addresses that all respond to your FQDN, one will always match unless they roll out new IPs.
Harvy66:

The IPs your firewall gets may not be the same IPs your clients get.
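The failure modes described in KOM's and Harvy66's posts above, as an added Python simulation that is not part of this thread and not pfSense code. It models the alias refresh cycle from the quoted Aliases doc (re-resolve every 5 minutes) against clients that resolve the name themselves. The class and function names (`FqdnAlias`, `lookup`, `rule_matches`, the `scenario_*` functions), the RFC 5737 documentation addresses in `RESOLVER_POOLS`, and the 60-second answer rotation are all constructed assumptions chosen to make the cases deterministic; real resolvers and CDNs rotate answers on their own schedule.

```python
"""Added illustration (not pfSense code): why a firewall rule whose destination is an
FQDN alias can miss traffic to that name. Models the alias refresh cycle quoted in the
thread (re-resolve every 5 minutes) against clients that resolve the name themselves."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

REFRESH_INTERVAL = 300  # seconds; from the Aliases doc quoted in the thread

# Constructed sample data using RFC 5737 documentation addresses. Each resolver sees a
# different slice of a CDN-style address pool, and the slice it hands out rotates over time.
RESOLVER_POOLS: Dict[str, List[List[str]]] = {
    "firewall_resolver": [["192.0.2.10", "192.0.2.11"], ["192.0.2.12", "192.0.2.13"]],
    "client_resolver": [["198.51.100.10", "198.51.100.11"], ["198.51.100.12"]],
}
ROTATION = 60  # seconds between answer changes; an assumed short-TTL behaviour


def lookup(resolver: str, now: int) -> Set[str]:
    """Answer set `resolver` returns for the name at time `now` (deterministic rotation)."""
    slices = RESOLVER_POOLS[resolver]
    return set(slices[(now // ROTATION) % len(slices)])


@dataclass
class FqdnAlias:
    """A host alias entered as an FQDN: the firewall caches whatever its own resolver
    returned at the last refresh and matches rules against that cache only."""
    fqdn: str
    resolver: str
    addresses: Set[str] = field(default_factory=set)
    last_refresh: int = -REFRESH_INTERVAL  # forces a resolve on the first tick

    def tick(self, now: int) -> None:
        """Re-resolve only once the refresh interval has elapsed."""
        if now - self.last_refresh >= REFRESH_INTERVAL:
            self.addresses = lookup(self.resolver, now)
            self.last_refresh = now


def rule_matches(alias: FqdnAlias, destination: str) -> bool:
    """A pass/NAT rule with the alias as destination matches only the cached addresses."""
    return destination in alias.addresses


def client_destination(resolver: str, now: int) -> str:
    """The client connects to the first address its own resolver currently returns."""
    return sorted(lookup(resolver, now))[0]


def scenario_fresh_same_resolver() -> bool:
    """Client and firewall share a resolver and the client connects right after a refresh."""
    alias = FqdnAlias("www.example.com", "firewall_resolver")
    alias.tick(0)
    return rule_matches(alias, client_destination("firewall_resolver", 0))


def scenario_stale_same_resolver() -> bool:
    """Same resolver, but the answer rotated inside the 5-minute window (Heli0s's question)."""
    alias = FqdnAlias("www.example.com", "firewall_resolver")
    alias.tick(0)
    alias.tick(90)  # too early to refresh; the cache still holds the t=0 answers
    return rule_matches(alias, client_destination("firewall_resolver", 90))


def scenario_different_resolvers() -> bool:
    """Firewall cache is fresh, but the client uses a different resolver (Harvy66's point)."""
    alias = FqdnAlias("www.example.com", "firewall_resolver")
    alias.tick(0)
    return rule_matches(alias, client_destination("client_resolver", 0))


def scenario_static_union() -> bool:
    """KOM's alternative: a static alias listing every address known to answer for the name."""
    known = {addr for slices in RESOLVER_POOLS.values() for s in slices for addr in s}
    return client_destination("client_resolver", 90) in known


if __name__ == "__main__":
    for fn in (scenario_fresh_same_resolver, scenario_stale_same_resolver,
               scenario_different_resolvers, scenario_static_union):
        print(f"{fn.__name__}: {'match' if fn() else 'NO MATCH'}")
```

Only the first scenario matches: the cached set is correct just after a refresh and only for clients that share the firewall's resolver. Once the answer rotates inside the refresh window, or a client asks a different resolver, the rule silently misses the connection, which is the outcome the thread warns about; the static union of known addresses is the workaround KOM suggests, at the cost of maintaining that list.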
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.