DNS based rules requirements
-
After an upgrade to 2.4.4 and a reboot my DNS based firewall rules no longer work. Can anyone confirm if unbound being in forwarder mode breaks DNS based firewall rules?
-
Without mentioning these rules and unbound settings?
-
So I have a rule on wan that says allow connection on port 80 from "WAN_ADMIN"
WAN_ADMIN alias is to www.host.org
This rule will work if created while the firewall is up, but when it reboots, the rule no longer works. If I delete and recreate it, it will work, and fails again at the next reboot.
-
Look in your Diagnostics / Tables for the alias you're using... What does it show for this www.host.org IP?
-
This rule is used to "admin" from the WAN side?
Are you saying that www.host.org isn't resolved for you when pfSense restarts? You checked the logs? filterdns (the process that converts FQDNs to IPs) will log over there.
lol, ok, anyway, what @johnpoz said ^^
-
So the table page for that alias is blank.
I can't see anything in the system log for filterdns :/
I do however see that IPSec tunnels fail to come up with an error that the remote endpoint hostname could not be resolved when the system reboots.
-
Well, if you cannot resolve whatever it is in your alias, then your table is going to be empty and your rules using those aliases are not going to work.
You forward to what exactly? You point pfSense just to its loopback? You're going to have to go into some more details of your setup.
-
Sorry, I had unbound set in "forwarder mode", I have unset that and it is having no impact.
nslookup for the hostname works as expected.
The Tables entry for the WAN_ADMIN alias still shows empty, even after adding 4 hostnames to the list.
-
Actually, I have aliases on another box that have both hostname and IP addresses, and only the IP addresses are showing in the list under diagnostics -> tables. It is also on 2.4.4.
On another SG-3100 I have the same wan-admin access rule. It is running 2.4.3 and under diagnostics -> tables it does list the resolved IP address.
-
@bruor said in DNS based rules requirements:
nslookup for the hostname works as expected.
From where to where? Is pfSense pointing to itself for DNS?
-
pfSense is set to use the unbound instance on itself to resolve hostnames.
If I go to Diagnostics -> DNS Lookup, the names used in the rules resolve OK.
-
And if you run
ps -ax | grep filterdns
[2.4.4-RELEASE][root@sg4860.local.lan]/root: ps -ax | grep filterdns
27088  -  Is   0:00.00 /usr/local/sbin/filterdns -p /var/run/filterdns.pid -i 300 -c /var/etc/filterdns.conf -d 1
 6137  0  S+   0:00.00 grep filterdns
[2.4.4-RELEASE][root@sg4860.local.lan]/root:
Do you see filterdns running?
-
There's the issue, it's not starting after the upgrade it appears.
There is also no /var/etc/filterdns.conf file.
-
Well, if filterdns is not running then no, your aliases are not going to resolve.
Sure your aliases are set to host(s)? You're not seeing anything in the log about it failing to run?
-
Which log area would I even check for that?
-
I've confirmed that filterdns is not running on 3 of the systems I administer that have been upgraded to 2.4.4. 2.4.3 systems seem to be fine.
/var/log/system.log has nothing in it for filterdns.
-
Bump up the debug... Guess if it's not running it could be related to
https://redmine.pfsense.org/issues/8758
-
I don't think so, I can't even manually start it...
[2.4.4-RELEASE][admin@pfsense]/root: /usr/local/sbin/filterdns -p /var/run/filterdns.pid -i 30 -c /var/etc/filterdns.conf -d 1
filterdns: open file
-
Is your .conf not there?
-
On a system that was running 2.4.3 previously there is a config on disk; on a 2.4.4 system, while setting up a fresh rule with a DNS-based alias, no file exists. The config seems to just contain the table entries.
On the system where the config file exists, a manual launch looks like this.
[2.4.4-RELEASE][adrien@pfsense]/: /usr/local/sbin/filterdns -p /var/run/filterdns.pid -i 30 -c /var/etc/filterdns.conf -d 1
filterdns: Could not open device.
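The checks the thread walks through by hand (is filterdns in the process list, does the alias table actually hold addresses, does the config file exist) can be scripted as a post-boot health check, so a WAN admin rule that silently lost its addresses is noticed before anyone is locked out. The script below is an added example and is not part of the thread or of pfSense; it assumes filterdns shows up in `ps -ax` output under its full path (as in the listing above) and that the alias's resolved addresses can be read with the standard pf command `pfctl -t <alias> -T show`, which is the same data the Diagnostics / Tables page displays. The parsing functions take the command output on stdin or as arguments, so they are exercised here with constructed sample text and only `check_alias_health_live` touches a real firewall.

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense): health check for an
# FQDN-based alias such as WAN_ADMIN after a reboot.

# Constructed sample data modelled on the thread's listing: a healthy `ps -ax`
# output and one where filterdns is absent (only the grep itself is present).
PS_OK='  PID TT  STAT    TIME COMMAND
27088  -  Is   0:00.00 /usr/local/sbin/filterdns -p /var/run/filterdns.pid -i 300 -c /var/etc/filterdns.conf -d 1
 6137  0  S+   0:00.00 grep filterdns'
PS_NO_FILTERDNS='  PID TT  STAT    TIME COMMAND
 6137  0  S+   0:00.00 grep filterdns'

# Constructed `pfctl -t WAN_ADMIN -T show` output: one resolved address
# (documentation range 203.0.113.0/24, not a real host).
TABLE_OK='   203.0.113.10'

# Return 0 if a filterdns process (not the grep looking for it) is in the
# process listing read from stdin.
filterdns_running() {
    grep -v 'grep' | grep -q '/usr/local/sbin/filterdns'
}

# Return 0 if the table dump read from stdin contains at least one IPv4 or
# IPv6 address; an empty table means the rule matches nothing.
table_populated() {
    grep -Eq '^[[:space:]]*([0-9]{1,3}\.){3}[0-9]{1,3}|^[[:space:]]*[0-9a-fA-F]*:[0-9a-fA-F:]+'
}

# Combine the checks. Arguments: process listing, table dump, path to the
# filterdns config (may be empty to skip that check).
# Prints one status word and returns non-zero on any failure:
#   ok | no-filterdns | no-config | empty-table
check_alias_health() {
    ps_listing=$1
    table_dump=$2
    conf_path=$3
    if ! printf '%s\n' "$ps_listing" | filterdns_running; then
        printf '%s\n' no-filterdns
        return 1
    fi
    if [ -n "$conf_path" ] && [ ! -f "$conf_path" ]; then
        printf '%s\n' no-config
        return 1
    fi
    if ! printf '%s\n' "$table_dump" | table_populated; then
        printf '%s\n' empty-table
        return 1
    fi
    printf '%s\n' ok
    return 0
}

# Run the check against the live system. Only meaningful on the firewall
# itself; `pfctl -t <alias> -T show` lists the table behind the alias.
check_alias_health_live() {
    alias_name=$1
    check_alias_health "$(ps -ax)" \
        "$(pfctl -t "$alias_name" -T show 2>/dev/null)" \
        /var/etc/filterdns.conf
}

# Example run on the constructed data (the live check is not invoked here).
check_alias_health "$PS_OK" "$TABLE_OK" ""
check_alias_health "$PS_NO_FILTERDNS" "$TABLE_OK" ""
check_alias_health "$PS_OK" "" ""
```

On a pfSense box the live variant would be invoked as `check_alias_health_live WAN_ADMIN`, for instance from a cron job a minute or two after boot, and its non-zero exit can be turned into a syslog line or an alert. Note that an empty table fails closed: nothing on the WAN side matches the rule, which protects the admin interface but also explains why the rule "stops working" rather than opening up.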