Bug with using hostnames in aliases?
Hi All,
I'm wondering if I've hit on a bug in the processing of hostnames in aliases...
I'm running pfSense CE 2.7.2.
I have an alias called "Reflector" to which I wanted to add 8 hosts with dynamic IPs, which I could then reference in a firewall rule.
Previously I have given static reservations in DHCP and manually specified the IP address in the alias, for example, for one entry in the Alias GUI:
10.0.128.55 MATHS-05
This is clunky to manage, so I thought I'd give the automatic DNS resolution in aliases a go and entered all 8 computers by host name, for example:
maths-05 MATHS-05
etc., with host name and alias description the same for each entry.
Luckily I checked the results in the table in Diagnostics -> Tables, because I found this was not giving correct results.
I was only seeing around 3 of the 8 new entries listed; I was seeing some legacy entries (which were previously manually entered IP addresses in the alias) still listed that shouldn't be there; and I had one IP address (which happens to be a server that is the sole member of another alias) appear in the table which should not be there and has never previously been in that alias...
In short, it was a mess. I tried manually clearing the table through Diagnostics and waited for the refresh period (300, although I later dropped it to 60 for testing); three entries came back, plus the one entry that shouldn't be there at all, and the other 5 were missing.
Eventually I decided to try fully qualified hostnames instead of just hostnames, and it now works.
E.g. I changed
maths-05 MATHS-05
to
maths-05.ourdomain.local MATHS-05
As far as I can see everything updates correctly now when I make changes, all entries are correct, no spurious entries are present etc.
It's important to note that the local domain is set correctly in pfSense under System -> General Setup -> Domain, and I can ping / nslookup an unqualified hostname over SSH and get the correct results.
I'm sure someone is going to yell at me and say that the help text says to use FQDNs, and it indeed does:
Enter as many hosts as desired. Hosts must be specified by their IP address or fully qualified domain name (FQDN). FQDN hostnames are periodically re-resolved and updated. If multiple IPs are returned by a DNS query, all are used. An IP range such as 192.168.1.1-192.168.1.10 or a small subnet such as 192.168.1.16/28 may also be entered and a list of individual IP addresses will be generated.
However, in response I would point out the following:
- There is no sanity checking in the entry form that you have in fact entered an FQDN; it will happily accept an unqualified hostname in one or more entries without complaint.
- Some of the entries are resolved correctly, so it is trying to resolve the unqualified entries; I don't know why some resolve and some don't.
- It has added an IP address that should not be there at all. If I had to guess, I would say that it has come from another alias, because I know that IP address is the sole member of another alias, although why it chose that one I don't know. If it has grabbed the contents of another alias, that could potentially have been many IP addresses.
My concern is that even if I'm wrong to enter an unqualified hostname when the help text says IP address or FQDN, it's an easy mistake to make, especially if you didn't read the help text thoroughly, and it resulted in the table missing IP addresses it should have had and, more worryingly, adding at least one IP address that should not be there, which is a potential security concern.
I only spotted the issue by manually checking the contents of the resulting table. (Which then led me to check the contents of all other tables to be sure.)
To make this more robust, it either needs to do sanity checking on the inputs (which wouldn't catch any bad entries people already have in place) or have resolution of unqualified hostnames fixed so that it does actually resolve them correctly (e.g. expand the functionality slightly).
Anyway, I just thought I would raise this in case anyone else has experienced the same issue.
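The manual check the post describes (comparing what was typed into the alias with what actually ended up in the pf table) can be scripted. The following is an added example, not pfSense code and not from the original post: it flags unqualified hostnames the GUI would accept silently, expands each entry the way the help text says an alias is expanded (IP, FQDN, range, small subnet), and diffs the result against a table dump. The alias entries, the table dump and the DNS answers below are constructed sample data; on a real box the dump would come from `pfctl -t Reflector -T show` and `resolve_dns` would be used instead of the fake resolver. Treating a `/28` as every address in the subnet, and treating "contains a dot" as the test for an FQDN, are assumptions of this script, not pfSense behaviour.

```python
"""Audit a pfSense host alias against the table pf actually loaded (added example)."""
import ipaddress
import socket

# Constructed sample: (address, description) pairs as typed into the Alias GUI.
ALIAS_ENTRIES = [
    ("maths-05", "MATHS-05"),                  # unqualified: GUI accepts it, resolver may not
    ("maths-06.ourdomain.local", "MATHS-06"),  # FQDN, as the help text asks for
    ("10.0.128.57", "MATHS-07"),               # plain IP
    ("10.0.128.60-10.0.128.61", "lab bench"),  # range, expanded to individual IPs
]

# Constructed sample of `pfctl -t Reflector -T show` output: one address per line.
TABLE_DUMP = """\
   10.0.128.55
   10.0.128.56
   10.0.128.57
   10.0.128.200
"""

# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {
    "maths-05.ourdomain.local": ["10.0.128.55"],
    "maths-06.ourdomain.local": ["10.0.128.56"],
}


def fake_resolve(name):
    return FAKE_DNS.get(name, [])


def resolve_dns(name):
    """Resolve a name with the system resolver; empty list on NXDOMAIN/failure."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def classify(addr):
    """Label an entry as ip / cidr / range / fqdn / unqualified."""
    if _is_ip(addr):
        return "ip"
    if "/" in addr:
        try:
            ipaddress.ip_network(addr, strict=False)
            return "cidr"
        except ValueError:
            pass
    parts = addr.split("-")
    if len(parts) == 2 and _is_ip(parts[0]) and _is_ip(parts[1]):
        return "range"
    return "fqdn" if "." in addr else "unqualified"  # assumption: a dot marks an FQDN


def expand(addr, resolve, domain=None):
    """Return the set of IPs an entry should contribute to the table."""
    kind = classify(addr)
    if kind == "ip":
        return {addr}
    if kind == "cidr":  # assumption: every address in the subnet
        return {str(a) for a in ipaddress.ip_network(addr, strict=False)}
    if kind == "range":
        lo, hi = (ipaddress.ip_address(p) for p in addr.split("-"))
        return {str(ipaddress.ip_address(i)) for i in range(int(lo), int(hi) + 1)}
    if kind == "unqualified" and domain:
        addr = f"{addr}.{domain}"  # what the entry should have been
    return set(resolve(addr))


def parse_table(dump):
    return {line.strip() for line in dump.splitlines() if line.strip()}


def audit(entries, dump, resolve=resolve_dns, domain=None):
    """Report unqualified entries plus IPs missing from / unexpected in the table."""
    unqualified = [a for a, _ in entries if classify(a) == "unqualified"]
    expected = set()
    for addr, _ in entries:
        expected |= expand(addr, resolve, domain)
    loaded = parse_table(dump)
    key = ipaddress.ip_address
    return {
        "unqualified": unqualified,
        "missing": sorted(expected - loaded, key=key),
        "unexpected": sorted(loaded - expected, key=key),
    }


if __name__ == "__main__":
    report = audit(ALIAS_ENTRIES, TABLE_DUMP, fake_resolve, domain="ourdomain.local")
    for k, v in report.items():
        print(f"{k:>11}: {', '.join(v) or '-'}")
```

Passing `domain=` makes the script qualify bare hostnames itself, so "missing" and "unexpected" reflect what the table should hold once the entries are fixed; without it, a bare hostname contributes nothing and its real address shows up as unexpected, which is exactly the kind of discrepancy the post found by eye.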