Netgate Discussion Forum

    It's always nice reading these things about your favourite firewall

      Ozzik

      Heffner also called on router vendors to build in DNS Rebinding mitigations into their routers directly.

      "The only router software that I know of that does this now is pfsense," Heffner said. "They contacted me when my Black Hat talk abstract went up."

      http://www.esecurityplanet.com/features/article.php/3895851/Millions-of-Home-Routers-at-Risk.htm

        mhab12

        Agreed - the interaction between the devs and community here is about as good as it gets. Thanks for all that you do.

          HiTekRedNek

          And just how does pfSense mitigate against this type of attack compared to competitors?

            dszp

            Well, the main way is by not allowing webGUI access using a hostname other than the one assigned to pfSense in version 2.0. There is an exception list for other hostnames used if needed, or IP address can be used without restriction, as that is not a security risk with DNS Rebinding attacks. These protections are on by default in 2.0 beta currently, even when upgrading from 1.x. It's always recommended to change the default administration password for the webGUI as well, and if you do this and are not logged into the webGUI (or are not logged into the same web browser used for other tasks), even attempts at DNS Rebinding attacks are unlikely to succeed because they would need to rely on a flaw in the LAN administration code to authenticate/change the firewall (this is the case even in 1.x). So the main recommendations beyond the built-in protections are: 1) use a different web browser for administration than for web browsing, and 2) change the default password to something secure (do this anyway!).

            At least that's what I'm familiar with. I'm sure someone else may have information about additional precautions taken.

            David Szpunar

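The Host header rule described in the last answer (own hostname, an exception list, or an IP address), as an added example that is not part of the thread and is not pfSense's own code. The function names and the sample hostnames `pfsense.localdomain` and `fw.example.lan` are assumptions made for illustration.

```python
import ipaddress

def host_part(host_header):
    """Return the lowercased host from a Host header value, or None if malformed."""
    value = host_header.strip().lower()
    if value.startswith("["):                 # bracketed IPv6 literal: [fe80::1]:8443
        end = value.find("]")
        rest = value[end + 1:] if end != -1 else "x"
        if rest and not (rest[0] == ":" and rest[1:].isdigit()):
            return None
        return value[1:end]
    host, sep, port = value.rpartition(":")
    if sep:                                   # "name:port" form
        if not port.isdigit():
            return None
        value = host
    return value.rstrip(".") or None          # ignore a trailing root dot

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def host_header_allowed(host_header, system_hostname, alternate_hostnames=()):
    """True if the request may reach the admin GUI under the rule described above."""
    host = host_part(host_header)
    if host is None:
        return False
    # A rebinding page is loaded under an attacker-controlled *name*, so the browser
    # sends that name in Host. A bare IP address involves no DNS and is allowed.
    if is_ip_literal(host):
        return True
    allowed = {h.lower().rstrip(".") for h in (system_hostname, *alternate_hostnames)}
    return host in allowed

# Constructed sample values, not taken from any real configuration.
SYSTEM_HOSTNAME = "pfsense.localdomain"
ALTERNATES = ["fw.example.lan"]
SAMPLES = ["pfsense.localdomain", "PFSENSE.localdomain:443", "192.168.1.1:8443",
           "[fe80::1]:8443", "fw.example.lan", "rebind.attacker.example",
           "192.168.1.1.attacker.example", "pfsense.localdomain.attacker.example"]

if __name__ == "__main__":
    for h in SAMPLES:
        ok = host_header_allowed(h, SYSTEM_HOSTNAME, ALTERNATES)
        print(f"{h:40} {'allow' if ok else 'reject'}")
```

The last two samples show why the comparison must be an exact match on the whole host rather than a prefix or substring test.
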
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.