Netgate Discussion Forum

Allow DNS binding through firewall

Category: Firewalling
9 Posts, 2 Posters, 989 Views
    skeating, Dec 1, 2018, 2:25 PM

    Hello

    I am trying to allow people to access a mail server using a domain name as opposed to an IP address. So say I want them to use mail.domainname.com in the web browser, instead of the IP address. What change do I need to add to the firewall rules to allow this?

      johnpoz (LAYER 8, Global Moderator), Dec 1, 2018, 2:36 PM (last edited Dec 1, 2018, 2:37 PM)

      So you want an outbound rule to allow access to port XYZ to mail.domain.com on your LAN..

      Create an alias, put in mail.domain.com and then use that alias in your rule.

      Does this mail server IP actually ever change? Normally a mail server IP is pretty stable..

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        skeating, Dec 1, 2018, 2:43 PM

        No the IP does not change. By port number I assume you mean port 80 and 443?

          johnpoz (LAYER 8, Global Moderator), Dec 1, 2018, 3:15 PM

          No, a port number for a mail server is normally going to be, say, TCP 25 to send SMTP, or 587 or 465.. It all depends on the actual mail-related protocols the client would be using to talk to said server.

          What rules do you currently have on your LAN? I am assuming you locked them down from the default any/any rule, which allows all outbound traffic.


            skeating, Dec 1, 2018, 3:59 PM

            On the LAN I do have the default rule, since I only have the mail server behind it. My server has a private IP, so do I need to create a rule for the private IP to go out, then another WAN rule to allow the public IP to send email, using an alias?

              johnpoz (LAYER 8, Global Moderator), Dec 1, 2018, 8:48 PM

              So you want to HOST a mail server behind pfsense.. Which is a port forward.. WTF does that have to do with an alias for dns name?


                skeating, Dec 1, 2018, 9:26 PM

                Let me start over. When I test the binding in IIS for the name I want to use, I get a message from pfSense: "Potential DNS rebind attack detected". What do I need to do in the pfSense rules to allow the site to be seen/reached? This is for the web portal to access the mail server, which currently can only be reached by IP address. Also, I will be putting an SSL cert on the server, so which ports, if any, do I need to put rules in for?

                Thanks

                  johnpoz (LAYER 8, Global Moderator), Dec 1, 2018, 10:31 PM (last edited Dec 1, 2018, 10:34 PM)

                  So you have a user out on the internet - let's say it's me.. and you want me to hit an IP or FQDN (fully qualified domain name, www.xyz.com) (your WAN public IP of pfSense) and get sent to your server..

                  So out on the public internet you set up a record for whatever.domain.xyz to point to your pfSense public IP.. You then create a port forward for either 80 or 443, or whatever other service you want to forward, be it 25 or whatever..

                  Now I, out on the internet, put in whatever.domain.xyz and it resolves to your pfSense WAN public IP..

                  Not to offend or anything - but not even understanding the basics of how someone resolves a name to an IP and how to get that behind a firewall router, these people really shouldn't even be thinking of hosting such services in the first place ;) Please do not take that the wrong way.. But if you do not get the basic concepts of hosting services behind a NAT router/firewall - maybe you should have your IT dept or someone else be doing this for you..

                  And to be right up front with you, hosting an email server is a big job - there are lots of things to worry about from a security point of view when you make an email server available to the public internet, etc.. If you do not even know how to get the internet to resolve your email server - you sure and the F should not be hosting one -- just saying ;)


                    skeating, Dec 2, 2018, 2:13 PM
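The sequence johnpoz describes (public DNS record pointing at the pfSense WAN address, then a port forward to the internal host) also explains the "Potential DNS rebind attack detected" message in the earlier post: before a port forward exists, a request for the mail hostname resolves to the firewall's WAN IP and lands on the pfSense webConfigurator, whose rebinding protection only accepts requests whose Host header names the firewall itself. The model below is an added illustration written for this thread, not pfSense's own code; the WAN/LAN addresses, the hostnames, the webGUI port and the internal mail-server IP are all constructed assumptions.

```python
import ipaddress

# Constructed sample configuration for the model; every value here is an
# assumption and not taken from the thread.
WAN_IP = "203.0.113.10"
LAN_IP = "192.168.1.1"
FIREWALL_HOSTNAMES = {"pfsense.localdomain", "pfsense"}
FIREWALL_IPS = {WAN_IP, LAN_IP}
WEBGUI_PORT = 443              # assumed: webConfigurator listening on HTTPS/443
MAIL_SERVER = "192.168.1.20"   # assumed private IP of the IIS mail web portal

REBIND_MSG = "Potential DNS rebind attack detected"


def host_from_header(host_header):
    """Return the bare host from an HTTP Host header, dropping an optional port.

    Handles 'name:443', plain IPv4/IPv6 literals and bracketed IPv6 such as
    '[2001:db8::1]:443'."""
    header = host_header.strip()
    if header.startswith("["):
        return header[1:header.index("]")]
    # exactly one colon means name:port; more means a bare IPv6 literal
    return header.rsplit(":", 1)[0] if header.count(":") == 1 else header


def rebind_check(host_header, hostnames, ips):
    """Model of the webConfigurator check behind the thread's error message.

    The request is accepted only when the Host header names the firewall itself
    (its own hostname or one of its interface addresses); any other name is
    treated as a possible DNS-rebinding attempt and refused."""
    host = host_from_header(host_header).lower()
    if host in {h.lower() for h in hostnames}:
        return True
    try:
        return str(ipaddress.ip_address(host)) in ips
    except ValueError:        # not an IP literal, and not a known hostname
        return False


def route_inbound(dst_port, host_header, port_forwards):
    """Where an HTTP request arriving on the WAN address ends up.

    port_forwards maps a WAN port to (internal IP, internal port). Redirection
    is applied before the firewall's own services see the packet, which is why
    a forward on 443 takes precedence over a webGUI listening on the same port."""
    if dst_port in port_forwards:
        ip, port = port_forwards[dst_port]
        return f"forwarded to {ip}:{port}"
    if dst_port == WEBGUI_PORT:
        if rebind_check(host_header, FIREWALL_HOSTNAMES, FIREWALL_IPS):
            return "served by the pfSense webGUI"
        return f"rejected: {REBIND_MSG}"
    return "blocked by the default WAN deny"


if __name__ == "__main__":
    # No port forward yet: the name resolves to the WAN IP, the request hits the
    # webGUI, and the Host header is not the firewall's own -> the error message.
    print(route_inbound(443, "mail.domainname.com", {}))
    # After adding WAN 443 -> 192.168.1.20:443 the same request reaches IIS.
    print(route_inbound(443, "mail.domainname.com", {443: (MAIL_SERVER, 443)}))
    # Managing the firewall by its own address still works as before.
    print(route_inbound(443, WAN_IP, {}))
```

The practical point the model makes: adding the mail hostname under System > Advanced > Admin Access > Alternate Hostnames would silence the rebinding message, but the request would then be served by the pfSense GUI rather than the mail portal; only the port forward (and the matching WAN pass rule it creates) delivers traffic to the internal server. If the webGUI also listens on 443, move it to another port or restrict it to LAN before forwarding 443 so it is not exposed.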

                    No offence taken. I got pushed into this, and so it goes. I have gotten the issue resolved, with the port forwarding cleaned up. Thanks again.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.