Netgate Discussion Forum

Block by URL or hostname instead of IP

Firewalling
11 Posts 4 Posters 9.7k Views

dread_ire, Nov 18, 2010, 1:19 AM

Is there a way to block incoming connections by hostname or URL instead of specifying an IP? For example, blocking incoming connections from larger sites that have multiple IPs but a single URL.
jimp (Rebel Alliance Developer, Netgate), Nov 18, 2010, 6:09 PM

Not in 1.2.3.

In 2.0 you can use hostnames in aliases, and any IP that is given back by DNS as an IP for that hostname will effectively be in that alias.

Though it may not really do what you are after, that would be more useful for outgoing connections to sites you want to block. Incoming connections would rarely be associated with a "url" in that way.
Cry Havok, Nov 19, 2010, 9:09 PM

jimp, how often is that hostname resolved: once at rule creation or at some interval?
jimp (Rebel Alliance Developer, Netgate), Nov 19, 2010, 9:13 PM (edited 9:19 PM)

I'd have to check the daemon's source, but it's done periodically. I want to say every 30 minutes or so. It's 5 minutes, I just checked.

If you only want the hostname to be resolved once, there is a trick to using hostnames in aliases on 1.2.3: you can put a dummy IP entry in as the first alias entry, and then a hostname in the second and later entries. It only resolves once, each time the filter is reloaded, but it can work in a pinch.
Cry Havok, Nov 20, 2010, 8:26 PM

That's good to know; it makes the feature useful and is what I was hoping for.
cyboc, Dec 10, 2010, 5:10 PM

@jimp:

I'd have to check the daemon's source, but it's done periodically. I want to say every 30 minutes or so. It's 5 minutes, I just checked.

I was curious about this so I tested it. I created a dummy dyndns host with the address 192.168.1.1. Then I created a network Firewall Alias called "MyAlias" for that dyndns host. Next, I ran pfctl -T show -t MyAlias, which returned 192.168.1.1.

Next, I changed the dyndns host's address to 192.168.1.2. Every few seconds, I ran that pfctl command. It kept returning the original address until about 5 minutes later, when it returned 192.168.1.2.

I tested this several times and it always took about 5 minutes.

NOTE: there was one instance where it returned both the old address and the new address until the next update 5 minutes later. I have not been able to reproduce this anomaly. I wonder if the anomaly could cause problems with firewall rules?
jimp (Rebel Alliance Developer, Netgate), Dec 10, 2010, 5:15 PM

@cyboc:

NOTE: there was one instance where it returned both the old address and the new address until the next update 5 minutes later. I have not been able to reproduce this anomaly. I wonder if the anomaly could cause problems with firewall rules?

No, the action would simply be taken for both IPs. If a DNS query returns multiple addresses, all returned addresses are put into the table. It's handy for sites like google.com which return a set of IPs.
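The polling test cyboc ran and the multi-address behaviour jimp describes, as an added example that is not code from the thread or from pfSense: a small POSIX sh watcher that snapshots the alias table with pfctl, diffs consecutive snapshots and names the transition it sees, so the refresh interval and the "both addresses present" state are observed rather than guessed. The alias name, script name and poll interval are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): poll the pf table behind a
# hostname alias and report every change, so the refresh interval and the
# "old and new address both present" state can be observed rather than guessed.
# Alias name and interval are hypothetical; run as root on pfSense.

# in_list ITEM "WORDS": succeed if ITEM is one of the space-separated WORDS.
in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# classify "PREV" "CURR": compare two space-separated address lists and print
# unchanged | added (old still present, new appeared: cyboc's "both" state) |
# removed (addresses dropped) | replaced (clean swap) | partial (some of each).
classify() {
    kept=0 gone=0 new=0
    for a in $1; do
        if in_list "$a" "$2"; then kept=$((kept + 1)); else gone=$((gone + 1)); fi
    done
    for a in $2; do in_list "$a" "$1" || new=$((new + 1)); done
    if [ "$gone" -eq 0 ] && [ "$new" -eq 0 ]; then echo unchanged
    elif [ "$gone" -eq 0 ]; then echo added
    elif [ "$new" -eq 0 ]; then echo removed
    elif [ "$kept" -eq 0 ]; then echo replaced
    else echo partial
    fi
}

# table_addrs ALIAS: current contents of the alias's pf table as one sorted line.
table_addrs() {
    pfctl -T show -t "$1" | awk '{ print $1 }' | sort -u | tr '\n' ' '
}

# monitor ALIAS INTERVAL: print a timestamped line whenever the table changes.
monitor() {
    prev=$(table_addrs "$1")
    printf '%s start: %s\n' "$(date '+%H:%M:%S')" "$prev"
    while sleep "$2"; do
        curr=$(table_addrs "$1")
        state=$(classify "$prev" "$curr")
        [ "$state" = unchanged ] ||
            printf '%s %s: %s-> %s\n' "$(date '+%H:%M:%S')" "$state" "$prev" "$curr"
        prev=$curr
    done
}

# Usage: sh alias_watch.sh MyAlias 10   (with no arguments only the functions load)
if [ -n "${1:-}" ]; then monitor "$1" "${2:-10}"; fi
```

Leave it running across the change of a dyndns address and the log shows the swap as a single "replaced" line, or as "added" followed later by "removed" when old and new coexist for one refresh period, which (as jimp notes) still matches both IPs.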
cyboc, Dec 10, 2010, 5:22 PM

I can also confirm that a filter reload causes an immediate update of the alias value, without having to wait 5 minutes. Note also that I've seen that two-address anomaly all three times I did a filter reload after changing the dyndns address.
cyboc, Dec 10, 2010, 5:24 PM

By the way, this hostname alias feature is nice and could be handy. Thanks pfSense guys!
cyboc, Dec 10, 2010, 9:53 PM

Unless I'm doing something wrong, an alias of aliases where the underlying aliases are hostnames does not seem to work. For example, I created Alias1 for one dyndns hostname and Alias2 for another one. Then I made Alias3, and added Alias1 and Alias2 to it.

Running pfctl -T show -t Alias1 and pfctl -T show -t Alias2 both output the corresponding IP addresses of the hostnames. However, running pfctl -T show -t Alias3 output the message "pfctl: Table does not exist". I double-checked the spelling too.

Is this unsupported? No biggie if it's unsupported.
jimp (Rebel Alliance Developer, Netgate), Dec 10, 2010, 10:08 PM

Nesting of aliases is supposed to work, not sure if some logic is missing or what. Open a ticket on http://redmine.pfsense.org with your testing and what you found, include the full output of the pfctl commands you ran, and also attach copies of rules.debug.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.