Only allow certain ports to certain FQDNs
Is there a way to setup pfSense to only allow certain ports to access certain FQDNs? For example, setup port 993 to only access *.gmail.com, or NTP (123) to only access a set of FQDNs? FQDNs that do not match the allowed FQDN should be dropped (if a connection is going to port 993 to www.yahoo.com, it should be dropped).
You can setup an outbound NAT rule that translates any activity on port 993 to redirect to some other IP address and port, if that's what you mean.
I don't want it to actually redirect the traffic. I just want to create a rule that will look at the port and destination and if that destination doesn't meet the allowed destination for that port, the connection is dropped. I know how to do it with individual IPs using a firewall rule (the same way you setup egress filtering and only allow certain things out). My main question is how to use FQDNs (which can have many IPs), such as gmail.com for that destination address?
You can use aliases to represent an URL list. Perhaps you could craft an Outbound NAT rule with an URL list aliases as the Destination?
Can I use wildcards in hostname aliases? So to represent all Google URLs, just use "*.google.com", and that would resolve for www.google.com, mail.google.com, drive.google.com, etc.
No, I don't believe so. You will have to compile a list of every IP address or FQDN used by the services that you wish to block or redirect. Someone else has an ongoing thread of IP addresses for all of Google video aka YouTube, Facebook etc. Perhaps there is a known list of Gmail addresses that you can use.
Thanks for the help. Would it be correct to assume that if I add an alias to www.google.com and/or mail.google.com, drive.google.com, etc. (without wildcards) it will correctly resolve the IP addresses associated with these domains and sub-domains?
No, and you don't want to do that anyway. Services like Facebook, Google, YouTube et al use load balancers and global CDNs. Every time you do a lookup of www.google.com, for example, you can get a different IP address from the pool they have for that domain.
I understand. Out of curiosity, the Aliases and Hostnames help pages (https://doc.pfsense.org/index.php/Aliases) say the following:
For Host and Network type aliases, you can enter a fully qualified domain name (FQDN) instead of an IP address. The FQDN will be resolved by DNS every 5 minutes and updated internally. This can be useful for tracking dynamic DNS entries to identify sites or users that are unable to use a static IP.
Is that not what I'm trying to do?
Yes, but if you're using the resolved IP address to do anything, there is no guarantee that will be the same IP address even a second later. For example, I just did an nslookup on www.google.com. Here is what I got:
Then I went to a DNS website and resolved www.google.com. Here is what I got:
Yet another resolver gave me this:
Type Domain Name IP Address TTL
A www.google.com 126.96.36.199 5 min
A www.google.com 188.8.131.52 5 min
A www.google.com 184.108.40.206 5 min
A www.google.com 220.127.116.11 5 min
A www.google.com 18.104.22.168 5 min
So as you can see, the IP addresses are all over the place.
So what you're saying is that if I setup the system in the same way as the guide describes and it resolves an IP every 5 minutes, if within that 5 minutes window, the IP changes and I try to use that resolved IP right after, the connection will fail because the resolved IP that the firewall holds is different than the current IP of the FQDN?
Yes, that's what I'm afraid of. If you instead use a list of IP addresses that all respond to your FQDN, one will always match unless they roll out new IPs.
The IPs your firewall gets may not be the same IPs your clients get.