using domain name in rules
-
Hi,
I want to be able to lock down access to my pfSense box SSH/VPN by source IP. However, the whole point of my VPN is so I can connect to my PC from anywhere.
Is there a way I can filter by a domain which I update using a service like DynDNS or afraid.org?
I am new to pfSense, so a tutorial/YouTube video would be ideal.
thanks in advance
-
@ageis Yes you can put an FQDN in an alias. https://docs.netgate.com/pfsense/en/latest/firewall/aliases-types.html#host-aliases
pfSense will resolve it every 5 minutes. A couple of tips:
Do not mix FQDNs and other values (IPs) in the same alias. There are bugs.
It may take 5+ minutes for your laptop to update its FQDN and pfSense to resolve it again.
Note using FQDNs for public web sites in outbound rules may not work, because www.netgate.com may have multiple IPs, or different IPs depending on location, CDN, etc.
-
@SteveITS is there a setting that controls how often pfSense will update the firewall?
-
@ageis yes
https://docs.netgate.com/pfsense/en/latest/firewall/aliases-features.html#:~:text=firewall%20periodically%20resolves%20and%20updates%20hostname%20entries
-
@ageis not sure you want it updating its alias too often, to be honest. But you can edit the interval under Advanced, Firewall & NAT.

Your client, I would think, would update its DDNS when it connects to the network where you're at. So you have to wait, what, 5 minutes at most from the time of connection to when you can SSH/VPN in.
To be honest, SSH with public key auth, or typical OpenVPN auth with a cert, are pretty secure. Locking down to a source IP would normally be to prevent brute force attacks, but these are not really concerns with public key or cert auth. With OpenVPN the traffic isn't even looked at for auth unless the TLS key matches.

I mean, you do you, but SSH with public-key-only auth, or OpenVPN having to have a cert issued and signed by your own CA, etc., pretty much eliminates the possibility of someone guessing or brute-forcing a password.
You could also GeoIP lock it down, so only IPs from, say, the US can talk to your services. Or you set it for whatever countries you might be traveling in, etc.
Personally I do not have SSH open to the public. I just VPN in if I need to do anything while remote, and you can SSH to pfSense via the VPN.
You can adjust the time, sure, but keep in mind this is for all your aliases, not just the one entry for your DDNS source IP. Maybe not a big deal if you only have a couple of aliases, but if you had a lot, changing from 5 minutes to 60 seconds is going to be a lot more DNS queries. Also, you're going to want to make sure the TTL on your DDNS is 5 minutes or lower. If it's an hour or something, even if pfSense checks every 60 seconds, that TTL would come into play.
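Added example (editor's code, not from any poster in this thread and not pfSense code): a small checker for the two things the post above warns about, whether the alias table on pfSense actually contains the IP the DDNS name currently resolves to, and whether the record's TTL is short enough for the alias resolve interval to matter. It parses the output of `pfctl -t <alias> -T show` (run on the pfSense shell) and of `dig +noall +answer <fqdn> A` (run from any machine, ideally against the DDNS provider's authoritative server so the TTL shown is the configured one rather than a cache's remaining TTL). The alias name, hostname, IPs and TTLs below are constructed sample data; the 300-second default for the resolve interval is the one from the docs linked earlier.

```python
"""Check that a DDNS-tracked FQDN alias on pfSense can keep up with a roaming client.

Inputs (collected by hand, pasted in as strings):
  * output of `pfctl -t <alias> -T show` on pfSense: one address (or CIDR) per line
  * output of `dig +noall +answer <fqdn> A` (or AAAA): "<name> <ttl> IN <type> <addr>"
"""
import ipaddress
import re

# pfSense default "Aliases Hostnames Resolve Interval" (System > Advanced > Firewall & NAT).
DEFAULT_RESOLVE_INTERVAL = 300

_DIG_ANSWER = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>A|AAAA)\s+(?P<addr>\S+)$")


def parse_pfctl_table(text):
    """Return the set of addresses listed by `pfctl -t NAME -T show` (CIDR suffixes dropped)."""
    addrs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            addrs.add(ipaddress.ip_address(line.split("/")[0]))
        except ValueError:
            continue  # ignore anything that is not an address
    return addrs


def parse_dig_answer(text):
    """Return [(address, ttl), ...] for the A/AAAA records in `dig +noall +answer` output."""
    records = []
    for line in text.splitlines():
        m = _DIG_ANSWER.match(line.strip())
        if m:
            records.append((ipaddress.ip_address(m.group("addr")), int(m.group("ttl"))))
    return records


def check_alias(pfctl_output, dig_output, resolve_interval=DEFAULT_RESOLVE_INTERVAL):
    """Compare the pf table with the live DNS answer and size the worst-case lag.

    in_sync        every address DNS returned is already in the pf table
    missing        addresses DNS returned that the rule cannot match yet
    ttl_ok         record TTL <= resolve interval, so a poll sees a fresh answer
    worst_case_lag seconds between a DDNS update and the rule matching, if a
                   resolver cached the old record just before the update and
                   pfSense polled just before that cache entry expired
    """
    table = parse_pfctl_table(pfctl_output)
    records = parse_dig_answer(dig_output)
    resolved = {addr for addr, _ in records}
    max_ttl = max((ttl for _, ttl in records), default=0)
    missing = sorted(resolved - table, key=str)
    return {
        "in_sync": bool(records) and not missing,
        "missing": [str(a) for a in missing],
        "ttl_ok": max_ttl <= resolve_interval,
        "worst_case_lag": max_ttl + resolve_interval,
    }


# Constructed sample data (not real hosts): the laptop moved from 203.0.113.45 to
# 198.51.100.7, the DDNS record has a one-hour TTL, and pfSense still holds the old IP.
SAMPLE_PFCTL_STALE = "   203.0.113.45\n"
SAMPLE_DIG_LONG_TTL = "laptop.example.org.\t3600\tIN\tA\t198.51.100.7\n"

# Constructed: same record with a 60-second TTL after pfSense has re-resolved it.
SAMPLE_PFCTL_CURRENT = "   198.51.100.7\n"
SAMPLE_DIG_SHORT_TTL = "laptop.example.org.\t60\tIN\tA\t198.51.100.7\n"

if __name__ == "__main__":
    for label, pf, dns in (("stale", SAMPLE_PFCTL_STALE, SAMPLE_DIG_LONG_TTL),
                           ("current", SAMPLE_PFCTL_CURRENT, SAMPLE_DIG_SHORT_TTL)):
        print(label, check_alias(pf, dns))
```

The "stale" sample is the case the post describes: with a 3600-second TTL the alias can lag the client by over an hour no matter how low the resolve interval is set, so shortening the DDNS TTL matters more than polling more often.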
-
@ageis said in using domain name in rules:
I want to be able to lock down access to my pfSense box SSH/VPN by source IP. However, the whole point of my VPN is so I can connect to my PC from anywhere.
I expose my OpenVPN server on pfSense without restriction **.
SSH access: no need to expose it. I connect to the VPN first, and then the GUI and/or SSH will work just fine (edit: as johnpoz said).
OpenVPN has been made to handle this situation. Remember a couple of years ago when we were all working from home? We were all using a VPN ^^ And afaik, none of the companies that used VPN access had security issues (I presume a correct VPN setup). Do you think OpenVPN can be hacked through by using brute force? That would have been known by now.
** I do use GeoIP blocking for my VPN, so instead of accepting a connection from 'the entire planet' I restrict IP access to 'my country only'.
edit :
I was just wondering: @home, I have an ISP connection that changes its IPv4 every week or so. I don't mind.
But I have a NAS @home that I use from the office (where I have a pfSense), so I have an afraid.org home host name, so I can access my home IPv4 no matter what. This setup is part of one of my 3 off-site backups.
This works just fine. Once in a while I do connect from home to work using the remote VPN access.
So, I just created this first, top "Home OpenVPN" rule:

If the first rule didn't match, because I wasn't connecting from home but from somewhere else, I still have to match the second rule, where GeoIP (Europe) limits the access.
As soon as I come home tonight, I'll test this.
-
@Gertjan why would you be connecting to the VPN on your WAN from the WAN side when you're home?
If you did connect to the VPN listening on your WAN, wouldn't you be coming from your LAN-side networks?
-
The rules shown above are from my 'work' pfSense.
When I initiate a VPN connection from 'home', I make a connection to this work pfSense and will enter its WAN.
-
@Gertjan oh, that makes sense. I thought that was home ;) But wouldn't the 2nd rule cover you as well, since are you not in the EU?
-
@johnpoz said in using domain name in rules:
since are you not in the EU?
Afaik, France, where I am, is still part of the EU
