Outbound Firewall rules filtered by FQDN.



  • I would like to be able to filter outbound traffic by FQDN instead of IP. My company has a client base that needs to access services that are run on dynamic IPs and we want to lock down all outbound traffic except to these services.

    This is a service that is available in Sonicwall devices, however after using pfSense internally we have grown to love it and would like to help extend its functionality.



  • I wonder if, for you, a cron job which just reconfigures the filter rules is enough?!



  • So let me see if I understand…

    There is the ability to run a job that would resolve the IP from the URL and update the rules accordingly?



  • I have been working on adding this to 1.3.  Would you like to sponsor it?  It will be done at some point but sponsoring it will allow me to focus on it more.



  • Are you working on actually allowing the rules to be entered by FQDN/URL, or are you working on the jobs like mentioned above? The first option would be best for ease of use :)

    Let me see what I can get my boss to pony up!



  • So is this something that is being worked on as per my question above? I just want to make sure it is exactly what we need before we post bounty (otherwise I may end up paying it instead of my company!)?



  • This would help the Captive portal greatly as well!

    i.e. HotSpot needs to access PayPal to process credit cards.  PayPal has dozens of IPs and it takes a while to get them all.

    Aaron



  • @SlickNetAaron:

    This would help the Captive portal greatly as well!

    i.e. HotSpot needs to access PayPal to process credit cards.  PayPal has dozens of IPs and it takes a while to get them all.

    Aaron

    This won't solve sites that resolve a name into multiple different addresses on each query.  The filter engine still only resolves hosts to IPs at rule load time.  What could potentially be doable (up to the requesters and whoever implements this) is:

    • Hostname entry into rules screen

    • Rule load time parsing of hostnames to IPs (including potentially all addresses that hostname resolves to at the time of rule load - this puts the resolving logic back into PHP vs pfctl, so YMMV on speed)

    • scheduled re-resolution of the hostnames to IPs

    There's a little flexibility in how to approach those (and wiggle room on the result), but that's pretty much the "best" you can hope for.

    –Bill



  • Curious, couldn't you just install Squid and ACL allow only the sites needed and ACL deny everything else???



  • Hi Treys1 and all of you,

    Treys1 I think you can use a split DNS implementation and add your authoritative zone and target IP for any FQDN you want in the internal view of the world.

    Zillo



  • Quote from a SonicWALL document.

    "FQDN Address Objects are resolved using the DNS servers configured on the SonicWALL in
    the Network > DNS page. Since it is common for DNS entries to resolve to multiple IP
    addresses, the FQDN DAO resolution process will retrieve all of the addresses to which a host
    name resolves, up to 256 entries per AO. In addition to resolving the FQDN to its IPs, the
    resolution process will also associate the entry’s TTL (time to live) as configured by the DNS
    administrator. TTL will then be honored to ensure the FQDN information does not become
    stale."

    If this is in fact what you are working on I will post a $1000 bounty. I may be able to offer more if I can get some details about projected completion time frame and specifics about the functionality.

    Thanks!



  • Well, a better solution would be to write a simple daemon that makes queries at regular (configurable) intervals and updates a table in the firewall ruleset without reloading the whole ruleset, and without relying on a cronjob.
    The FQDNs can be added as aliases of type FQDN and used in the primary ruleset transparently to block/allow hosts based on the aliases.

    This is superior to the SonicWALL approach since it would be unlimited in the number of hosts/IP addresses/FQDNs, with amazing simplicity in configuration. It also minimizes the things that can go wrong.

    Anyway, let's see what Scott has to say on this first.
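    The design sketched in Bill's post above (resolve each hostname to all of its addresses, then re-resolve on a schedule) and in the daemon post just above (refresh a pf table in place instead of reloading the ruleset), as an added Python illustration that is not pfSense's own code: the alias name `payment_gateways`, its hostnames and the refresh interval are constructed, and `pfctl -t <table> -T replace` is the stock pf command for replacing a table's contents without touching the rules.

```python
import socket
import subprocess
import time
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample: FQDN alias -> hostnames, as an admin would enter them.
# The alias name doubles as the pf table name referenced by the rules.
FQDN_ALIASES: Dict[str, List[str]] = {
    "payment_gateways": ["api.example.com", "gateway.example.net"],
}

State = Dict[str, Dict[str, Set[str]]]  # table -> hostname -> last-known addresses


def resolve_all(hostname: str) -> Set[str]:
    """Return every IPv4/IPv6 address the name currently resolves to, not just the
    first one: names with many A records (the PayPal case) yield the whole set."""
    addrs: Set[str] = set()
    for family, _, _, _, sockaddr in socket.getaddrinfo(hostname, None):
        if family in (socket.AF_INET, socket.AF_INET6):
            addrs.add(sockaddr[0])
    return addrs


def refresh(aliases: Dict[str, List[str]], state: State,
            resolver: Callable[[str], Set[str]] = resolve_all) -> Tuple[State, List[List[str]]]:
    """Resolve all aliases and return (new_state, pfctl commands for changed tables).
    A hostname that fails to resolve keeps its last-known addresses: a transient
    DNS outage must not silently empty an allow-list table. Unchanged tables get
    no command, so the daemon does nothing when nothing moved."""
    new_state: State = {}
    commands: List[List[str]] = []
    for table, hostnames in aliases.items():
        per_host: Dict[str, Set[str]] = {}
        for host in hostnames:
            try:
                per_host[host] = resolver(host)
            except OSError:  # socket.gaierror is a subclass of OSError
                per_host[host] = state.get(table, {}).get(host, set())
        new_state[table] = per_host
        old_addrs = set().union(*state.get(table, {}).values())
        new_addrs = set().union(*per_host.values())
        if new_addrs != old_addrs:
            commands.append(["pfctl", "-t", table, "-T", "replace"] + sorted(new_addrs))
    return new_state, commands


def run_daemon(interval_seconds: int = 300, dry_run: bool = True) -> None:
    """Poll on a fixed interval (constructed default) and apply only real changes."""
    state: State = {}
    while True:
        state, commands = refresh(FQDN_ALIASES, state)
        for cmd in commands:
            print(" ".join(cmd)) if dry_run else subprocess.run(cmd, check=True)
        time.sleep(interval_seconds)
```

    On a real pfSense box the table must be declared `persist` in the ruleset and the rule must reference `<payment_gateways>`; `getaddrinfo` does not expose record TTLs, so this polls on a fixed interval rather than honouring TTL as the SonicWALL document describes.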



  • Any news? I'm more than willing to sponsor.

