Routing to Resources using Hostnames
-
BTW - ForumAdmins, if this post is readable that's great but the preview is not working, only smilies are visible.
Hello,
I am evaluating pfSense, looks interesting. Question:
Does pfSense support routing using Hostnames? Searching the forums, I can only find one unresolved thread early last year (2008) when the OP wanted to block URLs and therefore needed to write a rule or create a custom routing rule based on the URL/Hostname of the remote website. A bounty was offered but I don't see a follow-up.
Also, it's common today to share multiple websites on a single public IP address using Hostname Resolution to direct to the proper website. Ideally a firewall should be able to create custom rules for the inbound traffic based on the Hostname of the published resource (usually website).
According to the pfSense documentation and the v1.2.3 VMware VM, it looks like the GUI tools at least do not support writing rules based on the Hostname, only the IP address.
I was talking to a friend the other night about this, and he uses "regular" pf running on OpenBSD, and he says that Hostnames are supported in rulemaking, but of course (totally expected) since every time the rule is invoked a call is made to resolve the Hostname to an IP, this creates plenty of overhead.
Unlike the thread in these pfSense forums last year which suggested creating a lookup table which would be created and could only be updated when the pfSense firewall starts up, I would think that it should be better to do "on demand" lookups like (regular) pf, but create a cacheable lookup table in RAM (possibly on a tiny ramdisk if necessary). The result would be a lookup totally in RAM and mappings would only have to be created dynamically once (unless you want to expire the records).
Short of putting everything in RAM, if pfSense is based on the same routing engine as pf, then I'd expect that rules using Hostnames should already be supported, so even if the pfSense GUI doesn't support it, it should be possible to manually edit the rules using a console.
Last thought - I'm wondering if a workaround is to install the Squid package, but in that case I wonder what order packets would be evaluated in. Seems to me that this would be an option only if Squid routes before pfSense applies firewall rules; if pfSense applies rules first, then this won't work.
TIA,
Wondering what others are doing…
-
You could use Squid as a reverse proxy/accelerator to do that.
As you said, using hostnames adds a massive, non-trivial, overhead and potential delay.
-
Rules based on hostname do not work in the 1.2 tree.
-
@Cry:
You could use Squid as a reverse proxy/accelerator to do that.
As you said, using hostnames adds a massive, non-trivial, overhead and potential delay.
Thx,
As I noted, when Squid is installed on the same box as pfSense, if it doesn't evaluate packets in front of the firewall then it's not a workaround (if possible at all, it would have to be configured on a different box). Also, if Hostname lookups were to be done along the lines of what I suggested, then the overhead should be at least manageable… it avoids the bottleneck of hitting the disk and requires a DNS query only initially. Utilizing a simple lookup table/array in RAM would likely be so fast and require so few CPU cycles that I don't know whether indexing would be necessary.
Anyway, thx all... I'll ponder the issues if I decide to trial before the next major version of pfSense...
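The in-RAM hostname lookup table with expiry that the original poster sketches (in the first post and again in the reply above), written up as an added example; this is not code from pfSense, pf or any poster. It resolves each hostname once, reuses the answer until a TTL elapses, and emits the one-address-per-line file that `pfctl -t NAME -T replace -f FILE` loads into a pf table declared as `table <NAME> persist`. The resolver is injected (a stub over constructed sample DNS data here; `socket.getaddrinfo` in real use) so it runs offline. It also shows the limit raised earlier in the thread: two hostnames that share one public IP produce identical table members, so an address-level rule cannot tell them apart.

```python
import socket
import time
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical cache: hostname -> (expiry timestamp, sorted addresses).
Resolver = Callable[[str], List[str]]


def dns_resolver(hostname: str) -> List[str]:
    """Real lookup via the system resolver (IPv4 only, to match pf table content)."""
    return [info[4][0] for info in socket.getaddrinfo(hostname, None, socket.AF_INET)]


class HostnameTable:
    def __init__(self, resolver: Resolver, ttl: float = 300.0) -> None:
        self.resolver = resolver
        self.ttl = ttl                      # seconds an entry stays valid
        self.lookups = 0                    # DNS queries actually issued
        self._cache: Dict[str, Tuple[float, List[str]]] = {}

    def addresses(self, hostname: str, now: Optional[float] = None) -> List[str]:
        """Return cached addresses, querying DNS only on a miss or after expiry."""
        now = time.monotonic() if now is None else now
        hit = self._cache.get(hostname)
        if hit is not None and hit[0] > now:
            return list(hit[1])
        addrs = sorted(set(self.resolver(hostname)))   # dedupe, stable order
        self.lookups += 1
        self._cache[hostname] = (now + self.ttl, addrs)
        return list(addrs)

    def table_file(self, hostnames: List[str], now: Optional[float] = None) -> str:
        """Render the file consumed by `pfctl -t NAME -T replace -f FILE`."""
        members = sorted({a for h in hostnames for a in self.addresses(h, now)})
        return "".join(f"{a}\n" for a in members)


# Constructed sample DNS data (documentation-range addresses, not real hosts).
SAMPLE_DNS = {
    "www.example.test": ["192.0.2.10", "192.0.2.11"],
    "mail.example.test": ["192.0.2.10"],            # shares an IP with www
}

if __name__ == "__main__":
    table = HostnameTable(lambda h: SAMPLE_DNS[h], ttl=60)
    print(table.table_file(["www.example.test"], now=0), end="")
    print("lookups issued:", table.lookups)
```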