DNS Forwarder Host Overrides and Domain Overrides

gus17

I am new to pfSense and am trying to gather info on the firewall that was setup by a previous IT contractor years ago. Facebook was blocked on our business network years ago and trying to gain access again. The only thing I can find on the firewall was under the host and domain overrides. They are setup for www.facebook.com with an IP address. Can I simply remove the override to regain access to facebook on the network?

johnpoz

If that is what is blocking it sure... There would be little reason to put in a host override for facebook other than blocking it.

What does the IP point to?

gus17

The IP does not show on the leases page. We had a static IP address up until about a year ago. It may be pointed to that???

johnpoz

@gus17 said in DNS Forwarder Host Overrides and Domain Overrides:

It may be pointed to that???

if its an override it would have an IP listed.. It has to that is what an override.. On your host override page, what do you see? That you feel an override was put into place?

Just delete it.. You can can always put it back... If if you can not get to facebook, and you have some override pointing to 1.2.3.4 then yeah that is prob problem..

gus17

I'll give that a try. Thanks for the help.

gus17

The IP address in the host override shows up under NAT port forwarding and rules and uses port 902 and 22???

johnpoz

So this IP is public or private? rfc1918 10.x.x.x, 192.168.x.x, 172.16-31.x.x?

Is it the dest IP in this port forwarding or or where the port forward is being sent too?

Its possible they setup www.facebook.com to point to some internal server to serve up a hey you can't go there sort of page.

Pointing it to your public wan IP would just be stupid! ;)

902 is port used by vmware, port 22 is ssh..

gus17

IP is private 192.168.x.x and shows as NAT IP in port forwarding and is the destination port under the rules heading. We were getting a "can't go there page".

johnpoz

@gus17 said in DNS Forwarder Host Overrides and Domain Overrides:

We were getting a "can't go there page".

Well yeah - they are hosting that page on that IP www.facebook.com resolves too..

Delete the override if you want to get to facebook.. You can not get to facebook if it resolves to some rfc1918 address.

gus17

I appreciate the help.
This is not my area of expertise, just trying to keep a small business moving forward.

johnpoz

@gus17 said in DNS Forwarder Host Overrides and Domain Overrides:

This is not my area of expertise

No offense ;) but that was clearly obvious - heheeheh

gus17

I figured it was on this forum.
I am learning as I go. I was able to get a RDP access setup!

johnpoz

@gus17 said in DNS Forwarder Host Overrides and Domain Overrides:

I was able to get a RDP access setup!

Through a vpn? I would never in a million years setup RDP from the public internet.. Do you have it locked down to a known source IP?

Even MS has came out and finally said its a bad idea.. And there are many security implications with doing it.. They even patched out of support systems because of the major exploit that came out last year.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

The best thing you could do for this company would make sure RDP is not open to the public internet, it that it is accessed in a secure manner - via a vpn, or locked down to specific source IPs of the people that need to access it.

And making sure any of their systems are currently patched..

gus17

I believe it was setup previously with static IP. It was setup in the NAT and rules for routing. I had to go in and put in a different IPv4 address for the workstation. It was routed through 3391.

johnpoz

Static IP on your end has nothing do with it.. Its the source IP!!! Who the user is - you would look it down to their IP..

Trying to hide the port isn't secure either... There really is no secure way to allow users to rdp into some machine on your network other than VPN.. Or locking down the connection to their know source IP..

gus17

I put int the public IP address 24.211.x.x. then : and port number. Port number routes to workstation 192.168.x.x then login password.

johnpoz

And that is not their IP... Anyone from the internet could hit that!

For example say I was one of your users.. And I needed to get to this RDP... You would lock the rule down to my IP 64.53.A.B - going to your IP 24.211.x.x only my IP could hit that, if they were coming from 64.53.A.C they wouldn't get forwarded.

You can create a alias that contains all the IPs of your users.. Which works when you know what the user IPs are.. Or they have dynamic IPs setup via ddns.. Where name say john.somedomain.tld gets update if my IP say changed to 64.53.A.Z

The simpler solution where you don't need to know the uses IP is setup a VPN... Where they have to have the credentials to auth to the VPN.. this is cert that you have issued them, and a username and password.. And ONLY once they have authed to the vpn can they even access the remote desktop box... And then they have to auth to that..

With how you have it setup - anyone from anywhere could hit your IP.. And try and access rdp - and once they see oh rdp... They can brute force trying to guess the username/password - or as with that issue I linked to there is some exploit they don't even have to auth..

Remote desktop open to the public internet is very risky!!! I would never suggest anyone do that! Ever!!! Changing your port and trying to hide doesn't really make it any more secure.. The old saying "security through obscurity is not security"

edit: I just looked - look at the hits to your "changed" port 3391

In the last 24 hours or so.. Those IPs are from all over.. That first one 185.151 is from russia.. that next one is from the netherlands... Trying to hide your port is not security.

I don't have that port forwarded, its just dropped by pfsense (it doing its job).. But my point is showing that there is plenty of bad stuff out there looking for stuff you have open trying to do bad stuff..

gus17

I understand. I will have to do some research on the VPN and what it will take.
I keep hearing how expensive setting up VPN's can be.
RDP was pretty easy, but I see the security concerns it can create.
I appreciate the honest assessment.

johnpoz

@gus17 said in DNS Forwarder Host Overrides and Domain Overrides:

I keep hearing how expensive setting up VPN's can be.

Huh? Pfsense is your vpn server, does it out of the box.. All you need to do is set it up.. Clicky clicky ;)

https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/openvpn-remote-access-server.html

Here is video netgate put out pretty recent
https://www.youtube.com/watch?v=jQHqPq7ftz4

Depending what exactly your users are doing - you might not even need them to rdp to anything... If they are just accessing say some file shares or whatever.. A vpn lets the user be like they are on the local network - just a bit slower because you constrained be the speed of the sites internet connection, and or the remote users connection..

gus17

Going through OpenVPN setup wizard?