Netgate Discussion Forum

Firewall Blocking using hostname

Category: 2.0-RC Snapshot Feedback and Problems - RETIRED
4 Posts 3 Posters 5.1k Views
vorgusa, last edited Mar 31, 2011, 9:50 PM

    Hi,
        I was trying to allow traffic from just a specific hostname through my network, since the source IP is going to be assigned by DHCP and they have it set up through dyndns.  The Rules interface does not seem to allow Hostnames, but the alias interface seems to allow them, so I assigned the hostname to an alias and then assigned the alias to the Firewall rule and turned on logging.  This did not seem to do anything after the reload or have any error messages.  It just allows access from any to that port.  Is there a way I can do this?

wallabybob, last edited Mar 31, 2011, 10:18 PM

      @vorgusa:

      I was trying to allow traffic from just a specific hostname through my network, since the source IP is going to be assigned by DHCP and they have it set up through dyndns.

      There's a problem here in that the hostname won't track the change in IP address closely. There can be a delay of some minutes while a change in IP address for a hostname propagates through the name servers.

      The following scenario is possible: DHCP lease expires, system gets new address, requests change in IP address for hostname, system attempts access using NEW IP address but pfSense has old IP address for hostname, access is allowed.

      If you are serious about blocking access from that host you should think of another way.

      For your proposed technique to even "mostly work" you are relying on the system administrator of that system to attempt to update the name registration. If someone hacks into that system and disables that name service update attempt then your firewall protection is gone.

      I don't know the internals of pf but I suspect that (due to the overhead and delay) it is not going to do an address to name lookup on every packet coming into the firewall.

vorgusa, last edited Apr 2, 2011, 5:39 AM

        I am not too concerned about people hacking into the other address and getting their own IP set up as the hostname.  I am doing this for a VPN so they will then have to have the Certificate.  I was just trying to add an extra layer of security.

jimp (Rebel Alliance Developer, Netgate), last edited Apr 4, 2011, 5:32 PM

          Passing from a hostname works last I tried it. Can you look under Diagnostics > Tables, and pick the entry from the list that corresponds to your alias name, and see if there is an IP in there and that it's correct?

          Someone found a bug in the filterdns daemon which monitors DNS entries last night or so, and it should be fixed in the next new snapshots, so updating later today might be useful as well.

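The check jimp suggests (does the pf table behind the alias actually hold the client's current address?) and the stale-address race wallabybob describes, as an added Python example that is not from this thread and not pfSense or filterdns code. It assumes pfSense exposes a hostname alias as a pf table of the same name, that `pfctl -t <alias> -T show` prints one address or CIDR entry per line, and that filterdns re-resolves the hostname on a fixed interval; the alias name `vpn_clients`, the hostname, the table contents and the DNS answer are all constructed so the script runs offline.

```python
"""Reconcile a pfSense hostname alias table against what DNS currently says.

Added example (not from the thread, not pfSense or filterdns code).
Assumptions: pfSense loads a hostname alias into a pf table with the alias's
name, `pfctl -t <alias> -T show` prints one entry per line, and filterdns
refreshes the table on a fixed interval.
"""
import ipaddress
from typing import Callable, Dict, Set

# Constructed sample: what `pfctl -t vpn_clients -T show` might print after
# the alias loaded (documentation addresses, not real hosts).
SAMPLE_TABLE_OUTPUT = """\
   192.0.2.10
   198.51.100.7
"""

# Constructed stand-in for a DNS answer: the client took a new DHCP lease and
# its dyndns name now points somewhere the table does not yet contain.
SAMPLE_DNS: Dict[str, Set[str]] = {
    "client.example.dyndns.invalid": {"192.0.2.11"},
}


def normalize(entry: str) -> str:
    """Canonical form so host entries and CIDR entries compare equal."""
    return str(ipaddress.ip_network(entry, strict=False))


def parse_table(text: str) -> Set[str]:
    """Parse `pfctl -T show` style output into a set of normalized entries.

    Blank lines and tokens that are not addresses are skipped rather than
    silently treated as allowed entries.
    """
    entries: Set[str] = set()
    for line in text.splitlines():
        token = line.strip()
        if not token:
            continue
        try:
            entries.add(normalize(token))
        except ValueError:
            continue
    return entries


def resolve(hostname: str, lookup: Callable[[str], Set[str]]) -> Set[str]:
    """Resolve through a caller-supplied lookup (offline here; live use could
    wrap socket.getaddrinfo) and normalize the answers."""
    return {normalize(a) for a in lookup(hostname)}


def reconcile(table: Set[str], resolved: Set[str]) -> Dict[str, Set[str]]:
    """Classify table contents against the current DNS answer.

    stale:   still allowed by pf, but no longer the hostname's address
    missing: the hostname's current address, not yet allowed (what jimp's
             Diagnostics > Tables check would reveal as an empty/wrong table)
    current: allowed and correct
    """
    return {
        "stale": table - resolved,
        "missing": resolved - table,
        "current": table & resolved,
    }


def stale_window_seconds(update_delay: int, dns_ttl: int, refresh_interval: int) -> int:
    """Worst-case seconds an old address stays allowed after a lease change.

    Model of wallabybob's scenario: the client publishes its new address after
    update_delay, cached answers for the old one live up to dns_ttl, and the
    firewall only notices at its next refresh (assumed fixed interval).
    """
    return update_delay + dns_ttl + refresh_interval


def main() -> None:
    table = parse_table(SAMPLE_TABLE_OUTPUT)
    answer = resolve("client.example.dyndns.invalid",
                     lambda h: SAMPLE_DNS.get(h, set()))
    for kind, entries in reconcile(table, answer).items():
        print(f"{kind:8s} {sorted(entries)}")
    # 30 s dyndns update, 60 s TTL, 300 s refresh: assumed illustrative values
    print("worst-case stale window:", stale_window_seconds(30, 60, 300), "s")


if __name__ == "__main__":
    main()
```

Every stale entry is an address pf still passes to the VPN port even though the client no longer has it, so the interval between lease change and table refresh is the window that wallabybob's cert-plus-hostname "extra layer" does not cover; the missing set is what to look for when the table under Diagnostics > Tables is empty or holds the wrong address.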