Firewall Blocking using hostname
-
Hi,
I was trying to allow traffic from just a specific hostname through my network, since the source IP is going to be assigned by DHCP and they have it set up through dyndns. The Rules interface does not seem to allow Hostnames, but the alias interface seems to allow them, so I assigned the hostname to an alias and then assigned the alias to the Firewall rule and turned on logging. This did not seem to do anything after the reload or have any error messages. It just allows access from any to that port. Is there a way I can do this?
-
I was trying to allow traffic from just a specific hostname through my network, since the source IP is going to be assigned by DHCP and they have it set up through dyndns.
There's a problem here in that the hostname won't track the change in IP address closely. There can be a delay of some minutes while a change in IP address for a hostname propagates through the name servers.
The following scenario is possible: DHCP lease expires, system gets new address, requests change in IP address for hostname, system attempts access using NEW IP address but pfSense has old IP address for hostname, access is allowed.
If you are serious about blocking access from that host you should think of another way.
For your proposed technique to even "mostly work" you are relying on the system administrator of that system to attempt to update the name registration. If someone hacks into that system and disables that name service update attempt then your firewall protection is gone.
I don't know the internals of pf but I suspect that (due to the overhead and delay) it is not going to do an address to name lookup on every packet coming into the firewall.
-
I am not too concerned about people hacking into the other address and getting their own IP set up as the hostname. I am doing this for a VPN so they will then have to have the Certificate. I was just trying to add an extra layer of security.
-
Passing from a hostname works last I tried it. Can you look under Diagnostics > Tables, and pick the entry from the list that corresponds to your alias name, and see if there is an IP in there and that it's correct?
Someone found a bug in the filterdns daemon which monitors DNS entries last night or so, and it should be fixed in the next new snapshots, so updating later today might be useful as well.
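As an added example (not from the thread or from pfSense itself) that covers both the propagation-lag point above and the "check the table for the right IP" suggestion: the script below parses the address list that `pfctl -t <table> -T show` prints for a hostname alias, resolves the name freshly, and reports whether the firewall table is stale or behind DNS. The alias name `vpn_peer` and hostname `peer.example.invalid` are placeholders, and the live mode assumes `pfctl` and `python3` are available on the pfSense host.

```python
"""Check whether a pf hostname-alias table lags the name's current DNS answer.

Added example; alias/table name and hostname below are placeholders, and the
live check assumes it runs on a pfSense box with pfctl and python3 installed.
"""
from __future__ import annotations
import ipaddress
import socket
import subprocess


def parse_pfctl_table(text: str) -> set[str]:
    """Parse `pfctl -t <table> -T show` output: one address per line,
    indented, optionally with a /prefix; blank lines are ignored."""
    entries: set[str] = set()
    for line in text.splitlines():
        token = line.strip()
        if not token:
            continue
        # Normalise so "203.0.113.10" and "203.0.113.10/32" compare equal.
        net = ipaddress.ip_network(token, strict=False)
        entries.add(str(net.network_address) if net.num_addresses == 1 else str(net))
    return entries


def compare(table: set[str], resolved: set[str]) -> dict:
    """Classify drift between what pf currently matches and what DNS says now."""
    return {
        "stale": sorted(table - resolved),    # still in table, no longer in DNS
        "missing": sorted(resolved - table),  # in DNS, filterdns not caught up yet
        "current": bool(table) and table == resolved,
    }


def live_check(table_name: str, hostname: str) -> dict:
    """On a pfSense host: read the pf table and compare to a fresh A lookup."""
    out = subprocess.run(["pfctl", "-t", table_name, "-T", "show"],
                         capture_output=True, text=True, check=True).stdout
    resolved = set(socket.gethostbyname_ex(hostname)[2])
    return compare(parse_pfctl_table(out), resolved)


# Constructed sample: the table still holds the address the peer had before
# its dyndns update, while DNS already answers the new lease address.
SAMPLE_TABLE = "   203.0.113.10\n"
SAMPLE_DNS = {"203.0.113.77"}

if __name__ == "__main__":
    print(compare(parse_pfctl_table(SAMPLE_TABLE), SAMPLE_DNS))
    # live_check("vpn_peer", "peer.example.invalid")  # placeholders
```

A non-empty `stale` or `missing` list is exactly the window the second reply describes: during it, the rule matches the old address rather than the host that currently owns the name.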