Allowed Hostname Wildcards
-
Hello,
I have the same problem as described here: https://forum.pfsense.org/index.php?topic=44264.0
For example, Microsoft recommends allowing these addresses to make Windows Update work behind a captive portal:
http://.update.microsoft.com
https://.update.microsoft.com
http://download.windowsupdate.com
In the other thread, cmb spoke about a solution which never made it into the release version in 4 years?
-
The allowed hostnames are resolved and put into a table to bypass the portal. Wildcards cannot be resolved in that way, so they won't function.
There was a DNS proxy of sorts in the works years ago, but it never did make it into a release.
-
How about allowing aliases for IPs that are on the Allowed IP Addresses page? Then you can use a script like:
whois -h whois.radb.net -- '-i origin AS32934' | awk '/^route:/ {print $2;}' | sort | uniq > /var/www/resource/facebook.txt
and then pull this file as a table. I'm sure there's a way to do the same with nslookup as there is with whois.
-
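An added example (not from the original post) that hardens the whois pipeline above: it keeps only syntactically valid IPv4 prefixes and replaces the table file only when the new list is non-empty, so a failed lookup does not blank the table. The sample records, AS64500 and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of RADB-style output (documentation prefixes and ASN, not real data).
sample_radb() {
cat <<'EOF'
route:      192.0.2.0/24
descr:      constructed example
origin:     AS64500

route:      198.51.100.0/24
origin:     AS64500

route:      192.0.2.0/24
origin:     AS64500

route:      not-a-prefix
route:      203.0.113.0/40
route6:     2001:db8::/32
% constructed error or notice line
EOF
}

# stdin: whois output; stdout: unique, syntactically valid IPv4 prefixes.
# Like the awk filter in the post, this reads "route:" only, so route6: is skipped.
extract_routes() {
    awk '$1 == "route:" {
        n = split($2, p, "[./]"); ok = (n == 5)
        for (i = 1; ok && i <= 5; i++) if (p[i] !~ /^[0-9]+$/) ok = 0
        for (i = 1; ok && i <= 4; i++) if (p[i] + 0 > 255) ok = 0
        if (ok && p[5] + 0 > 32) ok = 0
        if (ok) print $2
    }' | sort -u
}

# $1: table file; stdin: prefixes. Replaces the file by rename, and only when the
# new list is non-empty; otherwise keeps the previous table and returns 1.
update_table() {
    tmp="$1.tmp.$$"
    cat > "$tmp"
    if [ -s "$tmp" ]; then mv "$tmp" "$1"; else rm -f "$tmp"; return 1; fi
}

# Usage with the command from the post:
#   whois -h whois.radb.net -- '-i origin AS32934' | extract_routes |
#       update_table /var/www/resource/facebook.txt
```
-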
How to get the value AS32934 for facebook.com? It's from the whois info?
-
https://doc.pfsense.org/index.php/Blocking_websites#Using_Firewall_Rules
-
Let me ask in a different way: how to get the origin-value for a domain?
-
Domains themselves do not have AS numbers; specific networks do. More information can be found here: https://en.wikipedia.org/wiki/Autonomous_system_(Internet)
That being said, here is a link to a lookup tool that may be of help to you:
https://www.ultratools.com/tools/asnInfo
-
pfBlockerNG has built-in support for ASNs. You can define them as "alias type" and use the created Aliastable as required.
-
That is a very interesting thread about just using the IPs from the original DNS queries to populate wildcard aliases that matched. Very neat idea. I wonder if the data was taken from the DNS logging or if it was sniffed.
-
So, if there are many ways to create this data in an alias, what would be the possibility of being able to specify these aliases for CP bypass?
-
CP doesn't work with pf. Aliases in the webGUI are designed for pf.
CP is based on ipfw to have the L2 features it has. No GUI is currently available to create ipfw aliases.