Allow Subdomains of a domain
-
I have a guest network that only allows a handful of TCP ports for web and e-mail (which also works for most messengers).
Now I would like to add the possibility to use Signal Messenger for voice calls. As described on their website, I should allow all UDP traffic to *.whispersystems.org and *.signal.org.
As I understand it, pfSense firewall rules can only contain IPs and FQDNs via aliases.
How is it possible to tackle this kind of rule that needs to allow traffic to all subdomains of a certain domain?
-
@silmaril That's going to be difficult. pfSense filters based on IP address, port & protocol as you've found. You're left with compiling a list of all IP addresses used by all subdomains of whispersystems.org and signal.org. Plus, with load-balancing each of those domains may resolve to many IP addresses. Not an easy task. Is this a home guest network? If so, why are you locking it down so tightly?
-
@kom said in Allow Subdomains of a domain:
why are you locking it down so tightly?
I would have the same question, to be honest. A guest network is almost always isolated from your other network(s). So who really cares where they go? You could just use the same filtering you do for your own network to help prevent malware, bad stuff, that sort of thing.
One thing that comes to mind is maybe to keep these guests from sucking up all your bandwidth. That might be better accomplished by just rate limiting the amount of bandwidth the guests can use from your total available bandwidth.
From what I read on the Signal site, I think the wildcards are more suited to using a proxy. They state that since the IPs change, firewall rules could be difficult, but they suggest FQDNs that could be used:
The underlying IPs are constantly changing, so it'd be hard to define accurate firewall rules. If the wildcard FQDN config is not working properly and you notice issues with calling, allow turn2.voip.signal.org and sfu.voip.signal.org. These are subject to change at anytime.
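The post above makes two points that are easy to see in code: a wildcard alias entry such as *.signal.org cannot be resolved (DNS has no way to enumerate subdomains), while an explicit hostname such as turn2.voip.signal.org can, and a load-balanced name may return several addresses that all have to land in the alias. The following script is an added example, not code from this thread or from pfSense (pfSense's own alias resolver is its filterdns process). It resolves a list of alias entries the way a pfSense FQDN alias would, keeps CIDR entries as they are, reports wildcard entries as unusable, and emits the pfctl command that replaces a pf table with the result. The resolver is injectable, and the sample answers (192.0.2.x and 198.51.100.x) are constructed documentation addresses so the example runs offline; the alias name Signal_UDP is also an assumption.

```python
"""Expand a pfSense-style FQDN alias into the concrete addresses pf can filter on.

Added example (not pfSense code). Wildcards are rejected because DNS cannot enumerate
subdomains; explicit names are resolved to every A record so that load-balanced hosts
are fully covered; CIDR entries are passed through unchanged.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

# Constructed sample answers (documentation addresses, not real Signal infrastructure)
# so the example runs offline.  turn2 deliberately has two records to mimic
# load-balancing.
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    "turn2.voip.signal.org": ["192.0.2.11", "192.0.2.10"],
    "sfu.voip.signal.org": ["198.51.100.20"],
}


def fake_resolver(name: str) -> List[str]:
    """Offline stand-in for DNS, answering only from SAMPLE_ANSWERS."""
    return list(SAMPLE_ANSWERS.get(name, []))


def live_resolver(name: str) -> List[str]:
    """Real resolver: all IPv4 A records for a name, or [] if it does not resolve."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def _net_key(entry: str):
    """Sort addresses and networks numerically, IPv4 before IPv6."""
    net = ipaddress.ip_network(entry, strict=False)
    return (net.version, int(net.network_address), net.prefixlen)


def expand_alias(entries: List[str],
                 resolve: Callable[[str], List[str]] = live_resolver
                 ) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (usable addresses/networks, [(skipped entry, reason), ...])."""
    usable = set()
    skipped: List[Tuple[str, str]] = []
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        if "*" in entry:
            # A wildcard is not a hostname; nothing can be looked up for it.
            skipped.append((entry, "wildcard entries cannot be resolved"))
            continue
        try:
            ipaddress.ip_network(entry, strict=False)
            usable.add(entry)          # literal address or CIDR: keep verbatim
            continue
        except ValueError:
            pass                       # not an address, treat as a hostname
        addrs = resolve(entry)
        if not addrs:
            skipped.append((entry, "no A record"))
            continue
        usable.update(addrs)           # every record, not just the first
    return sorted(usable, key=_net_key), skipped


def pf_table_command(table: str, addresses: List[str]) -> str:
    """pfctl invocation that atomically replaces the table's contents."""
    return f"pfctl -t {table} -T replace " + " ".join(addresses)


if __name__ == "__main__":
    wanted = ["*.whispersystems.org", "*.signal.org",
              "turn2.voip.signal.org", "sfu.voip.signal.org"]
    ips, bad = expand_alias(wanted, resolve=fake_resolver)
    for entry, reason in bad:
        print(f"skipped {entry}: {reason}")
    print(pf_table_command("Signal_UDP", ips))
```

Swap `fake_resolver` for the default `live_resolver` to run it against real DNS; because the addresses behind these names change, the command has to be re-run on a schedule, which is exactly what pfSense's alias resolution does for you once the entries are explicit hostnames rather than wildcards.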
-
Maybe you are right and filtering too much in the guest network is not really the way to think about this.
Separating it from the main network is the really important thing here. Thank you very much for not answering my question, but instead turning my thinking in a better direction ;-)
-
Here are my guest network rules:
They only allow access to the Internet and pinging the guest LAN interface.
-
@jknott What is the purpose of your fourth rule?
-
Guests are not allowed to do anything to the WAN address. It is normally possible to reach the WAN address from the LAN side. That rule blocks that.
-
@jknott Haha yes I figured what the rule does but I wanted to know why. What could they do that you would need to block it? Genuinely curious here as I've never seen such a rule used before.
-
Just making sure they can't reach it at all. I am not aware of all possible attacks, so it is best to block everything that isn't needed.
-
Wouldn't it be easier, and easier to see, if you just used the "This Firewall" alias?
-
I wasn't aware of that alias.
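The exchange about the fourth rule and the "This Firewall" alias comes down to two things: pfSense evaluates interface rules first-match from the top, and a "pass to any" rule matches the firewall's own interface addresses too, so without an explicit block above it guests can reach whatever the firewall itself is listening on. The evaluator below is an added example, not the poster's rules or pfSense code; it models a guest ruleset like the one described (ping the guest interface, block the firewall's own addresses, block other local networks, pass everything else) and shows what changes when the catch-all pass is moved above the block. The interface addresses (192.168.1.1, 192.168.50.1, 203.0.113.5) are constructed; "This Firewall" is pfSense's built-in alias for every address the firewall holds, modelled here as a plain list.

```python
"""First-match evaluation of a guest-network ruleset with a 'This Firewall' style alias.

Added example (not pfSense code).  Demonstrates that a catch-all pass covers the
firewall's own addresses and that rule order decides whether a block takes effect.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed interface addresses for the example firewall.
LAN_ADDR, GUEST_ADDR, WAN_ADDR = "192.168.1.1", "192.168.50.1", "203.0.113.5"
# Stand-in for pfSense's "This Firewall" alias: every address the box itself has.
THIS_FIREWALL = (LAN_ADDR, GUEST_ADDR, WAN_ADDR)
PRIVATE_NETS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


@dataclass(frozen=True)
class Rule:
    action: str                        # "pass" or "block"
    proto: str                         # "tcp", "udp", "icmp" or "any"
    dst: Tuple[str, ...]               # destination addresses or networks
    ports: Optional[Tuple[int, ...]]   # None means any destination port
    name: str

    def matches(self, proto: str, dst_ip: str, dst_port: Optional[int]) -> bool:
        if self.proto != "any" and self.proto != proto:
            return False
        addr = ipaddress.ip_address(dst_ip)
        if not any(addr in ipaddress.ip_network(n, strict=False) for n in self.dst):
            return False
        if self.ports is not None and dst_port not in self.ports:
            return False
        return True


def decide(rules: List[Rule], proto: str, dst_ip: str,
           dst_port: Optional[int] = None) -> Tuple[str, str]:
    """Interface rules in pfSense are first-match; nothing matching means default deny."""
    for rule in rules:
        if rule.matches(proto, dst_ip, dst_port):
            return rule.action, rule.name
    return "block", "default deny"


# Guest ruleset in the intended order: the block on the firewall's own addresses
# sits above the catch-all pass, so it actually takes effect.
GUEST_RULES = [
    Rule("pass", "icmp", (GUEST_ADDR,), None, "ping guest interface"),
    Rule("block", "any", THIS_FIREWALL, None, "block This Firewall"),
    Rule("block", "any", PRIVATE_NETS, None, "block other local networks"),
    Rule("pass", "any", ("0.0.0.0/0",), None, "allow Internet"),
]

# Same rules with the catch-all pass moved to the top: "any" includes the WAN and
# LAN addresses of the firewall, so the block below it is never reached.
MISORDERED_RULES = [GUEST_RULES[3]] + GUEST_RULES[:3]


if __name__ == "__main__":
    probes = [("icmp", GUEST_ADDR, None), ("tcp", WAN_ADDR, 443),
              ("tcp", LAN_ADDR, 443), ("tcp", "192.168.1.50", 445),
              ("udp", "198.51.100.20", 3478)]
    for proto, ip, port in probes:
        print(f"{proto:4} -> {ip}:{port}  ordered={decide(GUEST_RULES, proto, ip, port)}"
              f"  misordered={decide(MISORDERED_RULES, proto, ip, port)}")
```

A single rule "block from guest net to This Firewall" placed above the pass rule covers the WAN address, the LAN address and the guest interface address at once, which is the simplification suggested above; the one exception that must stay above it is the pass for ICMP to the guest interface, or the ping the poster wanted would be blocked too.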