DNS names in firewall rules…
I have a need to allow access through my WAN interface for clients that are utilizing PPPoE/DHCP public addresses. The issue here is that SBC (their provider) re-establishes the DHCP lease on a 4 hour basis, so the IP address changes constantly (thank you VERY much SBC). I realize that dynamic dns services like No-IP or DynaDNS can be used on the client machine to provide a DNS link to this ever changing IP address, but from all I can determine, it seems that the firewall rules will not allow the use of these DNS names. I see that there is an alias function, but that too requires that an IP address be entered as opposed to a DNS name.
I will readily admit I just installed PF-Sense (so far I'm impressed) after working with Smoothwall Express v3. I have experience with firewalls and networking, and I know that in the case of the Smoothwall, the firewall rules are not dynamic, in the sense that they're loaded at startup and not refreshed on a regular basis. I'm hoping there is added functionality within PF Sense that will allow me to circumvent this "dancing IP" issue.
Does anyone out there know how I can overcome this issue, or have any suggestions on a methodology I can employ to overcome SBC's attempts to screw things up? I'm really hoping I'm not hosed on this one…
Thanks In Advance,
This is a feature that is planned to be in 1.3. One thing most people don't know is that you actually can use hostnames in hostaliases already today, however they are not updated. They are resolved to IPs when the firewallruleset is loaded. If the IPs change later they won't be updated unless the firewallruleset is reloaded. Another thing is that only the first resolved IP is used for these firewallrules, so if you have a host that resolves to multiple IPs you are out of luck too. Scott is working on some code in 1.3 to frequently update the hostnames for firewallrules and to dump all the IPs into the alias in case a host resolves to multiple IPs.
Also see http://forum.pfsense.org/index.php/topic,8326.0.html for further reference. You might want to help with the bounty.
jahonix last edited by
Don't want to beat a dead horse…
is the hostname-to-alias feature worked on actively to be in 1.3 at some time or does it need further $upport?
A rule with a dyndns host name is quite appealing!
It's in 1.3 already.