3. Pfsense, alias and subdomains needed

Pfsense, alias and subdomains needed

  • K

    hello folks,

    this is my first post and i have have trouble configuring this, so hopefully i had hit the right forum for my question:

    my goal is an proxy-server without caching functionalty, something like a (surf-)gateway only.
    this makes sense, because i want to block all outbound except some internet sites, two of them need https!
    so squid is wrong for my configuration, right?

    my configuration works, but no subdomains are working :(
    for example:
    working:
    http://domain.org
    http://www.domain.org/someurl
    https://domain.org
    https://www.domain.org/someurl

    not working:
    http://subdomain.domain.org
    https://subdomain.domain.org

    this is my configuration:
    i installed a new "clean" pfsense, latest version
    under Firewall–> Alias: i configured as alias (hosts) something like "www.domain.org" (without ""), description named here  "destinationALIAS"
    under Firewall--> Rules--> LAN:
    i deactivated the standard ipv4 and ipv6 rules
    i created a new rule:
    Action: Pass
    interface: LAN
    protocol: any
    source: any
    port: any
    destination: single host or alias - name choosen "destinationALIAS"

    but why i cannot use subdomains? they are blocked....
    i prefer to use as alias "*.domain.org" or "*domain.org", but its rejected.

    if you need detailed informations i can them deliver tomorrow, but please help me out... thanks!
    is there a simple way to get subdomains working?

    gr33z

    edit: configuration specified

    0
  • P

    I use

    
.*domain.org

    in my ACLs. This takes care of any domain and subdomain.
    How are you blocking or allowing secure http (https)?

    0
  • K

    Hello podilarius,

    thanks for your reply!

    In your ACL? Do you mean a configuration with squid? i dont want to use squid :(
    I got secure http (https) not to work with squid…so i dont want to block it.

    I tried to use your pattern ".*domain.org" (without "") as Alias (Firewall --> Alias) as Host - but it isn't accepted, too :(
    Error:
    The following input errors were detected:

    .*domain.org is not a valid host alias.

    gr33z

    0
  • P

    Yes. I was talking about squid config. Wildcards are not permitted in FW rules or Aliases to my knowledge. Firewall rules must resolve to something. As far as I know only the proxy software is smart enough for that. You might be able to use snort, but I have not messed with that in a long time.

    0
  • K

    Hello again,

    ok, so if i'm using squid3x, then https-sites are not working - can you give me hints for that, please?

    gr33z

    0
  • P

    according to the proxy config, you can use a man-in-the-middle approach. It requires that you setup a WPAD/PAC in DNS or DHCP. This is new to me, but reading up on it looks promising. I am using my proxy only as a way to control site my girls should not be seeing. They can get to https sites though. This might be a way to circumvent that limitation.
    Please post if you have any success, if you use it.

    0
Log in to reply
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy