Netgate Discussion Forum
    DNS names in firewall rules…

    Firewalling
    ah_clem

      I have a need to allow access through my WAN interface for clients that are utilizing PPPoE/DHCP public addresses.  The issue here is that SBC (their provider) re-establishes the DHCP lease on a 4 hour basis, so the IP address changes constantly (thank you VERY much SBC).  I realize that dynamic dns services like No-IP or DynaDNS can be used on the client machine to provide a DNS link to this ever changing IP address, but from all I can determine, it seems that the firewall rules will not allow the use of these DNS names.  I see that there is an alias function, but that too requires that an IP address be entered as opposed to a DNS name.

      I will readily admit I just installed pfSense (so far I'm impressed) after working with Smoothwall Express v3.  I have experience with firewalls and networking, and I know that in the case of the Smoothwall, the firewall rules are not dynamic, in the sense that they're loaded at startup and not refreshed on a regular basis.  I'm hoping there is added functionality within pfSense that will allow me to circumvent this "dancing IP" issue.

      Does anyone out there know how I can overcome this issue, or have any suggestions on a methodology I can employ to overcome SBC's attempts to screw things up?  I'm really hoping I'm not hosed on this one…

      Thanks In Advance,
      Ah clem

      hoba

        This is a feature that is planned to be in 1.3. One thing most people don't know is that you actually can use hostnames in host aliases already today, however they are not updated. They are resolved to IPs when the firewall ruleset is loaded. If the IPs change later they won't be updated unless the firewall ruleset is reloaded. Another thing is that only the first resolved IP is used for these firewall rules, so if you have a host that resolves to multiple IPs you are out of luck too. Scott is working on some code in 1.3 to frequently update the hostnames for firewall rules and to dump all the IPs into the alias in case a host resolves to multiple IPs.

        Also see http://forum.pfsense.org/index.php/topic,8326.0.html for further reference. You might want to help with the bounty.

        jahonix
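A refresh loop that works around the two limitations hoba describes (names resolved only when the ruleset loads, and only the first address kept), as an added example that is not from this thread or from pfSense's own code. It assumes a hypothetical pf table `dyn_clients` referenced by a firewall rule and `pfctl` on the box; the DNS answers are constructed so the logic runs offline.

```python
import ipaddress
import socket
import subprocess
from typing import Callable, Dict, Iterable, List, Set

def resolve_all(hostname: str) -> Set[str]:
    """Every A/AAAA address the name currently has, not just the first one."""
    infos = socket.getaddrinfo(hostname, None)
    return {sa[0] for fam, _t, _p, _c, sa in infos if fam in (socket.AF_INET, socket.AF_INET6)}

def plan_update(hostnames: Iterable[str], known: Dict[str, Set[str]],
                resolver: Callable[[str], Set[str]] = resolve_all) -> Dict[str, List[str]]:
    """Re-resolve each name, update `known` (name -> addresses) in place and return
    the table delta. A name that fails to resolve keeps its last known addresses, so
    a transient DNS error never empties the table and silently drops the clients."""
    old = set().union(*known.values())
    for host in hostnames:
        try:  # ip_address() normalises the text and rejects anything that is not an IP
            addrs = {str(ipaddress.ip_address(a)) for a in resolver(host)}
        except (socket.gaierror, OSError, ValueError):
            continue
        if addrs:
            known[host] = addrs
    new = set().union(*known.values())
    return {"add": sorted(new - old), "delete": sorted(old - new)}

def apply_update(changes: Dict[str, List[str]], table: str = "dyn_clients", run=subprocess.run) -> None:
    """Push the delta into the pf table with pfctl; no ruleset reload is needed."""
    for op in ("add", "delete"):
        if changes[op]:
            run(["pfctl", "-t", table, "-T", op, *changes[op]], check=True)

# Constructed DNS answers, three rounds: the client's lease changes in round 2; its lookup fails in round 3.
ROUNDS = [
    {"client.example": {"203.0.113.10"}, "office.example": {"198.51.100.4", "198.51.100.5"}},
    {"client.example": {"203.0.113.77"}, "office.example": {"198.51.100.4", "198.51.100.5"}},
    {"client.example": None, "office.example": {"198.51.100.5"}},
]

def fake_resolver(answers: dict) -> Callable[[str], Set[str]]:
    def lookup(host: str) -> Set[str]:
        if answers[host] is None:
            raise socket.gaierror("constructed lookup failure")
        return answers[host]
    return lookup

def simulate() -> List[Dict[str, List[str]]]:
    """Run the refresh loop over ROUNDS with the fake resolver (no DNS, no pf)."""
    known: Dict[str, Set[str]] = {}
    return [plan_update(answers, known, fake_resolver(answers)) for answers in ROUNDS]
```

Run from cron at whatever interval the lease turnover demands; `apply_update(plan_update(names, known))` with the real resolver only touches the table entries that actually changed.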

          Don't want to beat a dead horse…

          is the hostname-to-alias feature worked on actively to be in 1.3 at some time or does it need further $upport?
          A rule with a dyndns host name is quite appealing!

          sullrich

            It's in 1.3 already.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.