Netgate Discussion Forum
    Is there a way create domain based rules or aliases? (i.e. to allow windows update *.domains.com)

    General pfSense Questions
    Jpub:

      From what I see it would seem like I could run a script somewhere outside of the pfSense environment once per day to do lookups on a list of domains and output the list of IPs associated with them as windowsupdate-ip-list.txt, and then use the URL based rules to pick up that list.

      Just wondering if there is an easier way to do this where those lookups happen automatically without the need for manual scripting outside of pfSense?

      Thanks

      Derelict, Netgate:
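The once-a-day lookup script described above, written out as an added example (not code from this thread or from pfSense): it turns a fixed list of Windows Update hostnames into the one-address-per-line file a pfSense URL Table alias expects. Entries containing a wildcard such as *.update.microsoft.com are reported rather than resolved, because a DNS lookup can only answer for a concrete name; the hostname list and addresses are constructed samples, and the resolver is injectable so the logic can be exercised offline.

```python
import ipaddress
import socket
import sys
from typing import Callable, Iterable, List, Tuple

# Constructed sample list: explicit names, one wildcard entry, one duplicate.
SAMPLE_HOSTS = [
    "download.windowsupdate.com",
    "update.microsoft.com",
    "*.update.microsoft.com",       # wildcard: DNS cannot enumerate this
    "download.windowsupdate.com",   # duplicate, must collapse to one entry
]

Resolver = Callable[[str], List[str]]  # hostname -> list of address strings


def system_resolver(host: str) -> List[str]:
    """Resolve a hostname to every A/AAAA record the OS resolver returns."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def build_alias_list(hosts: Iterable[str],
                     resolver: Resolver = system_resolver) -> Tuple[List[str], List[str]]:
    """Return (sorted unique addresses, skipped entries with a reason).

    Wildcard patterns and names that fail to resolve are skipped and reported
    so the operator sees what the alias does NOT cover; only addresses seen at
    lookup time are emitted, so CDN-hosted names may change between runs.
    """
    ips = set()
    skipped: List[str] = []
    for raw in hosts:
        host = raw.strip().lower()
        if not host or host.startswith("#"):
            continue                      # blank line or comment in the list
        if "*" in host:
            skipped.append(f"{host}: wildcard pattern, not resolvable")
            continue
        try:
            for addr in resolver(host):
                ips.add(ipaddress.ip_address(addr))
        except (socket.gaierror, ValueError) as exc:
            skipped.append(f"{host}: {exc}")
    ordered = sorted(ips, key=lambda ip: (ip.version, ip))  # v4 first, then v6
    return [str(ip) for ip in ordered], skipped


if __name__ == "__main__":
    addresses, problems = build_alias_list(SAMPLE_HOSTS)
    print("\n".join(addresses))           # redirect to windowsupdate-ip-list.txt
    for line in problems:
        print("skipped:", line, file=sys.stderr)
```

Serve the resulting file from a web server the firewall can reach and point the URL Table alias at it; the skipped list is the honest measure of how much of the wildcard-based Windows Update set the alias actually covers.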

        You are going to do DNS queries for every-possible-host-name.domains.com?

        And maybe every-possible-host-name.every-possible-subdomain.domains.com?

        Repeat until nauseous.

        That is what it would take to implement what you are positing.

        Chattanooga, Tennessee, USA
        The pfSense Book is free of charge!
        DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        awebster:

          @Jpub, Windows Update uses a list of well known domain names, easily found by searching for it; however, what you want and how pfSense works are not quite an exact fit.
          pfSense provides layer 3 firewalling capabilities, which means by IP and port only. A URL is a wholly different beast, as the IP isn't immediately known, only the name, and based on your initial question you know that some of the URLs contain wildcards, e.g. *.update.microsoft.com, meaning Microsoft is free to put anything in place of the *.
          To further complicate matters, many of these URLs resolve to CNAMEs which in turn resolve to Akamai's IP addresses, so trying to block / allow by IP will also affect other traffic that coincidentally is also hosted on the same Akamai infrastructure.

          There are a couple of ways you could address this issue:

          • Use a proxy server; in this case the proxy server actually sees the URL so access control can be applied on the URL's name as opposed to its IP address. The firewall can be configured to allow the proxy server out, but not the workstations, thus forcing the traffic through the proxy server.
            Caveat: Not all software plays nice with a proxy server.

          • Use a WSUS server; in this case a system is dedicated to downloading the Windows updates and making them available to the local machines. In this case, the firewall can be configured to allow the WSUS server access out while maintaining a more strict access policy toward the Internet.

          –A.
