Is there a way to create domain-based rules or aliases? (i.e. to allow windows update *

  • From what I see it would seem like I could run a script somewhere outside of the pfSense environment once per day to do lookups on a list of domains and > output the list of IPs associated with them as windowsupdate-ip-list.txt and then use the URL-based rules to pick up that list.

    Just wondering if there is an easier way to do this where those lookups happen automatically without the need for manual scripting outside of pfSense?
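The daily-lookup approach this post describes, written out as an added example (not code from the thread, from Netgate or from pfSense): a Python script that resolves a list of hostnames, skips wildcard entries (a forward lookup cannot enumerate `*.something`, so they are reported rather than silently dropped), writes one address per line in the plain-text form a pfSense URL Table alias fetches, and reports addresses that several names resolve to, since allowing such an address also allows whatever else is hosted there. The hostnames and DNS answers below are constructed placeholders; the real Windows Update list is published by Microsoft and is not reproduced here. The output filename windowsupdate-ip-list.txt is the one the post proposes.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Constructed sample input (placeholders, not Microsoft's real hostnames).
# Wildcard entries are kept in the list to show how they are handled.
SAMPLE_DOMAINS = [
    "update.example.test",
    "*.download.example.test",
    "catalog.example.test",
]

# Constructed DNS answers so the script can be exercised offline.
CONSTRUCTED_ANSWERS = {
    "update.example.test": ["203.0.113.10", "2001:db8::10"],
    "catalog.example.test": ["203.0.113.10", "203.0.113.20"],
}

Resolver = Callable[[str], List[str]]


def constructed_resolver(name: str) -> List[str]:
    """Return the constructed answers above; stands in for DNS when offline."""
    return list(CONSTRUCTED_ANSWERS.get(name, []))


def system_resolver(name: str) -> List[str]:
    """Resolve a hostname with the OS resolver (follows CNAMEs); returns address literals."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return [info[4][0] for info in infos]


def resolve_domains(domains: Iterable[str], resolver: Resolver = system_resolver
                    ) -> Tuple[Dict[str, Set[str]], List[str]]:
    """Resolve each concrete hostname.

    Returns (address -> set of names that resolved to it, list of skipped wildcard entries).
    Blank lines and '#' comments in the domain list are ignored.
    """
    ip_to_names: Dict[str, Set[str]] = {}
    skipped: List[str] = []
    for raw in domains:
        name = raw.strip()
        if not name or name.startswith("#"):
            continue
        if "*" in name:
            skipped.append(name)          # cannot be enumerated by a forward lookup
            continue
        for ip in resolver(name):
            try:
                addr = str(ipaddress.ip_address(ip))   # normalise and reject junk
            except ValueError:
                continue
            ip_to_names.setdefault(addr, set()).add(name)
    return ip_to_names, skipped


def render_alias_table(ip_to_names: Dict[str, Set[str]]) -> str:
    """One address per line, deduplicated and sorted (IPv4 first), as a URL Table alias expects."""
    def sort_key(a: str):
        parsed = ipaddress.ip_address(a)
        return (parsed.version, int(parsed))
    return "\n".join(sorted(ip_to_names, key=sort_key)) + "\n"


def shared_addresses(ip_to_names: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Addresses reached via more than one name: allowing them allows shared hosting too."""
    return {ip: sorted(names) for ip, names in ip_to_names.items() if len(names) > 1}


if __name__ == "__main__":
    # Dry run with the constructed answers; swap in system_resolver for a live lookup.
    table, wildcards = resolve_domains(SAMPLE_DOMAINS, resolver=constructed_resolver)
    with open("windowsupdate-ip-list.txt", "w") as fh:
        fh.write(render_alias_table(table))
    for entry in wildcards:
        print(f"skipped wildcard entry (not resolvable by lookup): {entry}")
    for ip, names in shared_addresses(table).items():
        print(f"{ip} is shared by {', '.join(names)}; allowing it also allows other tenants")
```

Run it from cron on a host pfSense can reach over HTTP, point a URL Table alias at the resulting file, and set the alias refresh to match the cron interval; the printed wildcard and shared-address lines are the part worth reading each day, because they show exactly where an IP-only allow list is wider or narrower than the hostnames you started from.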


  • LAYER 8 Netgate

    You are going to do DNS queries for

    And maybe

    Repeat until nauseous.

    That is what it would take to implement what you are positing.

  • @Jpub, Windows Update uses a list of well-known domain names, easily found by searching for it; however, what you want and how pfSense works are not quite an exact fit.
    pfSense provides layer 3 firewalling capabilities, which means by IP and port only. A URL is a wholly different beast, as the IP isn't immediately known, only the name, and based on your initial question, you know that some of the URLs contain wildcards, e.g. *, meaning Microsoft is free to put anything in place of the *.
    To further complicate matters, many of these URLs resolve to CNAMEs which in turn resolve to Akamai's IP addresses, so trying to block / allow by IP will also affect other traffic that coincidentally is also hosted on the same Akamai infrastructure.

    There are a couple of ways you could address this issue:

    • Use a proxy server; in this case the proxy server actually sees the URL so access control can be applied on the URL's name as opposed to its IP address. The firewall can be configured to allow the proxy server out, but not the workstations, thus forcing the traffic through the proxy server.
      Caveat: Not all software plays nice with a proxy server.

    • Use a WSUS server; in this case a system is dedicated to downloading the Windows updates and making them available to the local machines. In this case, the firewall can be configured to allow the WSUS server access out while maintaining a stricter access policy toward the Internet.
