Netgate Discussion Forum
    Outbound Firewall rules filtered by FQDN.

    13 Posts 7 Posters 15.0k Views
Treys1

      I would like to be able to filter outbound traffic by FQDN instead of IP. My company has a client base that needs to access services that are run on dynamic IPs and we want to lock down all outbound traffic except to these services.

      This is a service that is available in Sonicwall devices, however after using pfSense internally we have grown to love it and would like to help extend its functionality.

eri--

I wonder if, for you, a cron job which just reconfigures the filter rules would be enough?

Treys1

So let me see if I understand...

          There is the ability to run a job that would resolve the IP from the URL and update the rules accordingly?

sullrich

            I have been working on adding this to 1.3.  Would you like to sponsor it?  It will be done at some point but sponsoring it will allow me to focus on it more.

Treys1

Are you working on actually allowing the rules to be entered by FQDN/URL, or are you working on the jobs like those mentioned above? The first option would be best for ease of use :)

              Let me see what I can get my boss to pony up!

Treys1

So is this something that is being worked on, as per my question above? I just want to make sure it is exactly what we need before we post the bounty (otherwise I may end up paying it instead of my company!).

SlickNetAaron

                  This would help the Captive portal greatly as well!

i.e. the HotSpot needs to access PayPal to process credit cards. PayPal has dozens of IPs and it takes a while to get them all.

                  Aaron

billm

                    @SlickNetAaron:

                    This would help the Captive portal greatly as well!

i.e. the HotSpot needs to access PayPal to process credit cards. PayPal has dozens of IPs and it takes a while to get them all.

                    Aaron

                    This won't solve sites that resolve a name into multiple different addresses on each query.  The filter engine still only resolves hosts to IPs at rule load time.  What could potentially be doable (up to the requesters and whoever implements this) is:

                    • Hostname entry into rules screen

• Rule load time parsing of hostnames to IPs (including potentially all addresses that hostname resolves to at the time of rule load - this puts the resolving logic back into PHP vs pfctl, so YMMV on speed)

                    • scheduled re-resolution of the hostnames to IPs

                    There's a little flexibility in how to approach those (and wiggle room on the result), but that's pretty much the "best" you can hope for.

                    –Bill

                    pfSense core developer
                    blog - http://www.ucsecurity.com/
                    twitter - billmarquette

dingo

Curious, couldn't you just install Squid and ACL allow only the sites needed and ACL deny everything else?

Guest

                        Hi Treys1 and all of you,

                        Treys1 I think you can use a split DNS implementation and add your authoritative zone and target IP for any FQDN you want in the internal view of the world.

                        Zillo

Treys1

                          Quote from a SonicWALL document.

                          "FQDN Address Objects are resolved using the DNS servers configured on the SonicWALL in
                          the Network > DNS page. Since it is common for DNS entries to resolve to multiple IP
                          addresses, the FQDN DAO resolution process will retrieve all of the addresses to which a host
                          name resolves, up to 256 entries per AO. In addition to resolving the FQDN to its IPs, the
                          resolution process will also associate the entry’s TTL (time to live) as configured by the DNS
                          administrator. TTL will then be honored to ensure the FQDN information does not become
                          stale."

                          If this is in fact what you are working on I will post a $1000 bounty. I may be able to offer more if I can get some details about projected completion time frame and specifics about the functionality.

                          Thanks!

eri--

Well, a better solution would be to write a simple daemon that makes queries at a regular (configurable) interval and updates a table in the firewall ruleset without reloading the whole ruleset, and without relying on a cron job.
The FQDNs can be added as aliases of type FQDN and be used in the primary ruleset transparently to block/allow hosts based on aliases.

This is superior to the SonicWALL approach since it would be unlimited in the number of hosts/IP addresses/FQDNs, with amazing simplicity in configuration. It also minimizes things that can go wrong.

Anyway, let's see what Scott has to say on this first.

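The scheme sketched in billm's post (hostname entry, resolution of every address the name returns, scheduled re-resolution) and refined in eri--'s post (a small daemon that swaps a pf table instead of reloading the whole ruleset), as an added example that is not code from pfSense or from anyone in this thread. It assumes a pf.conf that declares the table and references it in a rule (shown in the docstring), a hypothetical alias map of table name to FQDN, and a resolver reachable on 127.0.0.1; the DNS response it parses in `constructed_response()` is hand-built for illustration, not a capture. It honours the shortest TTL in the answer when scheduling the next refresh, caps each table at 256 addresses (the limit quoted from the SonicWALL document above), and leaves the existing table untouched when a lookup fails or returns nothing, so a DNS hiccup degrades to a stale allow list rather than cutting the client off.

```python
"""Periodic FQDN -> pf table updater (added example, not pfSense code).

Assumed pf.conf fragment (hypothetical table and macro names):

    table <svc_paypal> persist
    pass out quick proto tcp from $lan_net to <svc_paypal> port 443
    block out quick from $lan_net to any
"""
import socket
import struct
import subprocess
import time

MAX_ADDRS = 256   # per-table cap, matching the "256 entries per AO" limit quoted in the thread
MIN_REFRESH = 30  # seconds; floor so very short TTLs do not turn this into a DNS flood


def build_query(name, qid=0x1234):
    """Build a minimal DNS query for A records, class IN, recursion desired."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer terminates the name
            return off + 2
        off += 1 + length


def parse_a_records(msg):
    """Return [(ipv4, ttl), ...] for every A record in the answer section."""
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:  # RCODE != NOERROR (NXDOMAIN, SERVFAIL, ...): nothing usable
        return []
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # CNAMEs in the chain are skipped
            records.append((socket.inet_ntoa(rdata), ttl))
    return records


def resolve(name, server, timeout=2.0):
    """Query `server` over UDP/53. Needs network access; the constructed sample below does not."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("DNS transaction id mismatch")
    return parse_a_records(data)


def plan_table_update(table, records):
    """Turn (ip, ttl) pairs into a pfctl argv and the delay until the next re-resolution.

    An empty answer yields no argv: the table keeps its previous contents (stale but
    working) instead of being emptied, which would silently block the client.
    """
    if not records:
        return None, 60
    addrs = sorted({ip for ip, _ in records})[:MAX_ADDRS]
    refresh = max(min(ttl for _, ttl in records), MIN_REFRESH)
    return ["pfctl", "-t", table, "-T", "replace", *addrs], refresh


def constructed_response():
    """Hand-built (not captured) response: svc.example.com -> two A records, TTL 60 and 300."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    question = b"\x03svc\x07example\x03com\x00" + struct.pack(">HH", 1, 1)
    ptr = b"\xc0\x0c"  # compression pointer back to the question name at offset 12
    ans1 = ptr + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton("203.0.113.10")
    ans2 = ptr + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton("203.0.113.11")
    return header + question + ans1 + ans2


def refresh_loop(aliases, server, run=subprocess.run):
    """Daemon body: resolve each alias, replace its table, sleep until the shortest TTL expires."""
    while True:
        next_refresh = 3600
        for table, fqdn in aliases.items():
            try:
                argv, refresh = plan_table_update(table, resolve(fqdn, server))
            except (OSError, ValueError):  # timeout, unreachable resolver, bad reply
                argv, refresh = None, 60
            if argv:
                run(argv, check=True)
            next_refresh = min(next_refresh, refresh)
        time.sleep(next_refresh)


if __name__ == "__main__":
    # hypothetical alias map: pf table name -> FQDN whose addresses populate it
    refresh_loop({"svc_paypal": "api.paypal.com"}, server="127.0.0.1")
```

Because `pfctl -T replace` swaps the table contents atomically, rules that reference `<svc_paypal>` pick up the new addresses without a ruleset reload, which is the point eri-- makes. The loop sleeps for the shortest TTL seen, so a record served with a 60 s TTL is re-checked before it can go stale; a name that round-robins a different subset of addresses on each query (billm's caveat) still only shows the addresses returned in the last answer, so sizing the refresh to the TTL rather than a fixed cron interval matters.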
Treys1

                              Any news? I'm more than willing to sponsor.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.