Netgate Discussion Forum
    Firewall Blocking using hostname

    2.0-RC Snapshot Feedback and Problems - RETIRED
    • vorgusa

      Hi,
          I was trying to allow traffic from just a specific hostname through my network, since the source IP is going to be assigned by DHCP and they have it set up through dyndns.  The Rules interface does not seem to allow Hostnames, but the alias interface seems to allow them, so I assigned the hostname to an alias and then assigned the alias to the Firewall rule and turned on logging.  This did not seem to do anything after the reload or have any error messages.  It just allows access from any to that port.  Is there a way I can do this?

      • wallabybob

        @vorgusa:

        I was trying to allow traffic from just a specific hostname through my network, since the source IP is going to be assigned by DHCP and they have it set up through dyndns.

        There's a problem here in that the hostname won't track the change in IP address closely. There can be a delay of some minutes while a change in IP address for a hostname propagates through the name servers.

        The following scenario is possible: DHCP lease expires, system gets new address, requests change in IP address for hostname, system attempts access using NEW IP address but pfSense has old IP address for hostname, access is allowed.

        If you are serious about blocking access from that host you should think of another way.

        For your proposed technique to even "mostly work" you are relying on the system administrator of that system to attempt to update the name registration. If someone hacks into that system and disables that name service update attempt then your firewall protection is gone.

        I don't know the internals of pf but I suspect that (due to the overhead and delay) it is not going to do an address to name lookup on every packet coming into the firewall.

        • vorgusa

          I am not too concerned about people hacking into the other address and getting their own IP set up as the hostname.  I am doing this for a VPN so they will then have to have the Certificate.  I was just trying to add an extra layer of security.

          • jimp (Rebel Alliance Developer, Netgate)

            Passing from a hostname works last I tried it. Can you look under Diagnostics > Tables, and pick the entry from the list that corresponds to your alias name, and see if there is an IP in there and that it's correct?

            Someone found a bug in the filterdns daemon which monitors DNS entries last night or so, and it should be fixed in the next new snapshots, so updating later today might be useful as well.

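An added check, not code from this thread or from pfSense, that puts both points above into practice: wallabybob's warning that a hostname alias lags behind a DNS change, and jimp's suggestion to look at the alias table to confirm it holds the right address. It assumes you have the firewall's expanded table for the alias (on pfSense, the one-address-per-line output of `pfctl -t <alias> -T show`) and a fresh set of A records for the hostname; both inputs here are constructed sample data so the script runs offline, and the alias name `remote_host` and the addresses are invented.

```python
"""Compare a firewall's hostname-alias table with current DNS answers.

Added example, not from the forum thread or from pfSense. Reports
addresses that are still in the table although DNS no longer returns
them (stale) and addresses DNS returns that the table has not picked
up yet (missing), i.e. the propagation window described in the thread.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample: what the firewall holds for the alias "remote_host".
# Format mimics the one-address-per-line table dump of `pfctl -T show`.
SAMPLE_TABLE_OUTPUT = """\
   203.0.113.10
   203.0.113.11
"""

# Constructed sample: what the hostname resolves to right now. The host
# that used to be 203.0.113.11 has moved to 198.51.100.7.
SAMPLE_DNS_ANSWERS = ["203.0.113.10", "198.51.100.7"]


def parse_table(text: str) -> set:
    """Parse a table dump (addresses or CIDR prefixes, one per line) into a set
    of ip_network objects; blank and '#' comment lines are ignored."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entries.add(ipaddress.ip_network(line, strict=False))
    return entries


@dataclass(frozen=True)
class TableDiff:
    stale: frozenset    # in the table, no longer returned by DNS
    missing: frozenset  # returned by DNS, not yet in the table

    @property
    def in_sync(self) -> bool:
        return not self.stale and not self.missing


def diff_table_against_dns(table_text: str, dns_answers) -> TableDiff:
    """Compute which table entries are stale and which DNS answers are missing."""
    table = parse_table(table_text)
    resolved = {ipaddress.ip_network(a) for a in dns_answers}
    return TableDiff(stale=frozenset(table - resolved),
                     missing=frozenset(resolved - table))


def report(diff: TableDiff) -> list:
    """Render the diff as one line per discrepancy, for a log or a cron mail."""
    lines = []
    for net in sorted(diff.stale, key=str):
        lines.append(f"STALE   {net}: still in table, DNS no longer returns it "
                     f"(rule still matches this source)")
    for net in sorted(diff.missing, key=str):
        lines.append(f"MISSING {net}: DNS returns it, table not updated yet "
                     f"(rule does not match this source)")
    if not lines:
        lines.append("table matches DNS")
    return lines


if __name__ == "__main__":
    d = diff_table_against_dns(SAMPLE_TABLE_OUTPUT, SAMPLE_DNS_ANSWERS)
    print("\n".join(report(d)))
```

Run against the sample data it reports one STALE and one MISSING address; in the thread's scenario a non-empty MISSING line is exactly the window in which the firewall is enforcing the rule against the wrong source address, so the check is worth scheduling rather than running once.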