Guest Network Firewall Rules
-
I did some configuring and was able to block all local resources. Then I added a rule to allow a NAS storage box, which is working, but when I add the top rule, which aliases a hostname, it allows more than just that hostname to be accessed. I assume this is because I am using a reverse proxy.
-
Do the hostname(s) in the alias resolve to private IP space or your WAN address (or VIPs)?
Also, why are you using public IP space for your LANs? 17.0.0.0/8 is owned by Apple, I believe.
-
You are passing and blocking TCP only.
-
They resolve to a private IP, which is an Nginx server set up as a reverse proxy, which then accesses the server the service is running on. For example, the media server runs on 17.2.39.186 and uses port 8096. The reverse proxy is at 17.2.39.112 and redirects to the media server. This allows me to use SSL on all internal sites and also hide port numbers for a cleaner look.
Derelict - I'll change to any protocol vs. just TCP.
-
Now your actual problem is that you say you can access more than just that hostname. If you can get to the proxy then what happens after that is the proxy's concern. pfSense just relays the packets between the networks. Can you give an example of what you mean and what happens?
-
So, for instance, I want to allow my roommate to watch videos from the media server but they should not have access to my mail server which is at mail.local.domain.
I am not sure if setting up Split DNS and having 2 separate reverse proxies set up is the answer, or how else I would go about limiting access to other hostnames that are reverse proxied.
When I added the rule to allow media.local.domain, it allowed that through but also mail.local.domain, which both run to the same reverse proxy.
-
I guess you have to have some way via proxy config to limit his access to destinations based on the clients IP address. pfSense has no knowledge of domains and URLs, just IP addresses and packets.
-
You will need to do that in access lists on the proxies.
pfSense can filter on IP addresses, not host names in an HTTP session.
-
Thanks, Derelict. I will look into how those are configured later this week.
-
I had a chance to test out access lists in Nginx and it worked perfectly. I added a deny line to the configuration for that particular domain/subdomain and it was blocked for the specified network. The next question I have, though, is the best way to set up the firewall rule in pfSense.
I created a rule to allow access to the NAS system I have that is located at 17.2.39.32, and that works, but when I add a rule that uses an alias it only allows access when a subdomain is used that goes to that proxy server, such as movies.local.domain. When I just use domain.local or the IP address (17.2.39.112) of the reverse proxy, it still gets blocked by pfSense. Should I just make a subdomain of guestnetwork.local.domain and have it go to the reverse proxy, which just redirects to the main site for that proxy, so that I can control access from within Nginx?
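As an added illustration of the access-list approach Derelict recommends and the poster reports working (this is example config, not the poster's actual Nginx setup): the media hostname stays reachable from the guest network while the mail hostname denies it at the proxy, and a catch-all default server keeps requests that hit the proxy by bare IP from landing on the first vhost. The guest subnet 192.168.50.0/24, the certificate paths and the mail server address are assumed; the media server 17.2.39.186:8096 is from the thread.

```nginx
# Hostname allowed to the guest network: no access restrictions here
server {
    listen 443 ssl;
    server_name media.local.domain;
    ssl_certificate     /etc/nginx/certs/local.domain.crt;   # assumed path
    ssl_certificate_key /etc/nginx/certs/local.domain.key;   # assumed path

    location / {
        proxy_pass http://17.2.39.186:8096;                   # media server from the thread
        proxy_set_header Host            $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# Hostname the guest network must not reach: ngx_http_access_module rules
# are evaluated in order, first match wins, and a denied client gets HTTP 403
# before anything is proxied upstream.
server {
    listen 443 ssl;
    server_name mail.local.domain;
    ssl_certificate     /etc/nginx/certs/local.domain.crt;   # assumed path
    ssl_certificate_key /etc/nginx/certs/local.domain.key;   # assumed path

    deny  192.168.50.0/24;   # assumed guest VLAN subnet (not given in the thread)
    allow 17.2.39.0/24;      # trusted LAN as used in the thread
    deny  all;

    location / {
        # Mail server address is not given in the thread; replace this placeholder
        proxy_pass http://MAIL_SERVER_ADDRESS_PLACEHOLDER;
        proxy_set_header Host            $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# Catch-all: a request for https://17.2.39.112/ or for an unknown hostname
# would otherwise be served by the first server block above. Closing the
# connection (444) means the bare proxy IP exposes none of the vhosts.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/certs/local.domain.crt;   # assumed path
    ssl_certificate_key /etc/nginx/certs/local.domain.key;   # assumed path
    return 444;
}
```

Check it with `nginx -t` and confirm from a guest-network client that media.local.domain loads while mail.local.domain returns 403, since the filtering now depends on the proxy rather than on the pfSense rule.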