Simple Firewall Issue - hopefully
-
Hi All,
I've just received my new SG-4860.
Love it so far.
I have a small issue.
I'm trying to restrict everyone on LAN from accessing the internet. I have done this.
Now I want to allow access to a single URL. I've added the alias.
The IP of the URL will never change - it's on my VPS. I don't want to use Squid or anything for just this 1 site. I can access the IP directly from the LAN but not the URL. But the IP is useless because the VPS is using cPanel hosting, so I get the default cPanel page. I have multiple domains hosted on the VPS, although it's no issue if they managed to gain access to those other sites.
I think it is some DNS issue. I've added a rule to allow LAN access to Google DNS (through another alias), and Google DNS is set as my DNS in my pfSense settings. But I cannot ping 8.8.8.8 even with the rule set from the LAN.
Any help greatly appreciated.
I've tried putting the blocks at the bottom (not 100% sure which way round it should be).
-
Yeah. You cannot ping DNS via TCP, since ping uses ICMP. You cannot even have DNS working without UDP.
-
Thanks for the fast response.
Any ideas how to access my website?
I've set a firewall rule for Google DNS for TCP/UDP just in case.
-
No idea what website? And you still cannot use ping without ICMP. In general, stop creating useless aliases:
The IP of the URL will never change - it's on my VPS. I don't want to use squid or anything for just this 1 site.
What is the alias for when the IP will never change?
P.S. The last rule is completely useless. That LAN => LAN traffic does not go through the firewall.
-
No idea what website? And you still cannot use ping without ICMP.
P.S. The last rule is completely useless. That LAN => LAN traffic does not go through the firewall.
Thanks - I'm not bothered about ping.
Will remove last rule.
I want to restrict access to the internet bar one site which has a fixed IP address. But that IP address hosts multiple domains via cPanel hosting.
If I allow that IP address I can access the server (so that IP is unblocked) but not the site I want. I cannot access any of the sites hosted on that server if I type in the URL of the website.
It's some sort of name-resolving DNS issue. I can access the site if I remove the 2 "block" rules.
-
No, you cannot restrict URLs via packet filter. Move on.
-
No, you cannot restrict URLs via packet filter. Move on.
Hi, and thanks.
I'm restricting everything, and only want to access 1 domain on 1 IP address.
I can access the IP address via browser, which is fine, but it does not resolve the name I want correctly, so the server does not serve the correct information.
Is it not possible to just add some host/rule so that when I enter XXXXX in my browser on the LAN it just works?
e.g. I only want to access webmail.XXXXXXX.co.uk
That is all. Do I need to use Squid to do it?
-
BTW, I can see you are busy on the forum, so I apologise for my incompetence.
-
1/ No, you cannot use URL in firewall rules.
2/ You cannot use IP address to access webserver with mass vhosting on a single IP.
3/ Fix your DNS so that it resolves and you can use a proper FQDN/URL to access the website! You need to allow TCP/UDP with destination port 53 to any DNS server you have configured on your client.
4/ Squid? Why don't you just pull the cable when not in use. Really. Or pay for your own IP.
-
Thanks.
1/ No, you cannot use URL in firewall rules.
2/ You cannot use IP address to access webserver with mass vhosting on a single IP.
3/ Fix your DNS so that it resolves and you can use a proper FQDN/URL to access the website! You need to allow TCP/UDP with destination port 53 to any DNS server you have configured on your client.
4/ Squid? Why don't you just pull the cable when not in use. Really. Or pay for your own IP.
I've configured the DNS locally and it all works fine, exactly how I want it.
How/why does the firewall not give the DNS to my client, or how can I make that happen?
It works without the block.
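The two mechanisms behind points 2 and 3 of the numbered reply above, as an added simulation that is not part of the thread: a browser typing a bare IP sends that IP in the HTTP Host header, so a server doing name-based virtual hosting on one address can only answer with its default (cPanel) page, and resolving the real name requires a DNS lookup that the LAN rules must allow. The VPS address, the zone and the vhost names are constructed placeholders, not the OP's.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample data (not from the thread): one VPS address from the
# documentation range, two names that point at it, and the per-name content.
VPS_IP = "203.0.113.10"
ZONE = {
    "webmail.example.co.uk": VPS_IP,
    "www.example.co.uk": VPS_IP,
}
VHOSTS = {
    "webmail.example.co.uk": "webmail login page",
    "www.example.co.uk": "company website",
}
DEFAULT_PAGE = "cPanel default page"  # served when no vhost matches the Host header


class DnsBlocked(Exception):
    """Raised when the client needs a lookup but port 53 is filtered."""


def resolve(name, dns_allowed=True):
    """Client-side name resolution.

    A literal IP needs no lookup at all, which is why the OP could still reach
    the box by address while DNS traffic from the LAN was blocked.
    """
    try:
        return str(ip_address(name))
    except ValueError:
        pass  # not an IP literal, so a real lookup is required
    if not dns_allowed:
        raise DnsBlocked(f"cannot resolve {name}: TCP/UDP 53 is blocked by the LAN rules")
    return ZONE[name]


def serve(host_header):
    """Name-based virtual hosting: the site is chosen from the Host header,
    not from the IP address the connection arrived on."""
    name = host_header.split(":")[0].lower()
    return VHOSTS.get(name, DEFAULT_PAGE)


def browse(url, dns_allowed=True):
    """Simulate an HTTP/1.1 client: resolve the host, then send Host: as typed.

    Returns (ip_connected_to, page_served).
    """
    host = urlsplit(url).hostname
    ip = resolve(host, dns_allowed)
    # The Host header is whatever appeared in the URL; typing the bare IP
    # sends "Host: 203.0.113.10", which matches no configured vhost.
    return ip, serve(host)


if __name__ == "__main__":
    print(browse("http://203.0.113.10/"))           # reaches the box, gets the default page
    print(browse("http://webmail.example.co.uk/"))  # same IP, correct site
    try:
        browse("http://webmail.example.co.uk/", dns_allowed=False)
    except DnsBlocked as exc:
        print("blocked:", exc)
```

With DNS blocked, only the IP-literal URL works, and it can never reach the webmail vhost; allowing TCP/UDP 53 to the resolver configured on the client is what makes the FQDN usable.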
-
Which part of "you need to allow TCP/UDP with destination port 53 to any DNS server you have configured on your client" is exactly unclear??? When you block DNS traffic then it won't work. Why are you configuring ridiculously restrictive firewall rules without understanding the basics?
-
Firewall rules are processed top-down. Your users are never going to go anywhere when rules #2,3 prevent all Internet access from LAN. You need to put your Allow rules first and then all else can be blocked by the hidden Default Deny rule.
Delete rules 2,3,4,7,8 & set remaining rule's protocol to TCP/UDP and you should be done and working.
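An added illustration of the ordering point in the reply above (not code from the thread or from pfSense): a first-match evaluator run over a LAN ruleset with the block rules above the allow rules, and then over a ruleset of allow rules only, where everything else falls through to the hidden default deny. It goes slightly beyond the single remaining rule in the reply by keeping separate DNS and web allow rules. The VPS address is a constructed placeholder; 8.8.8.8 is the resolver named in the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "tcp", "udp", "tcp/udp", "icmp" or "any"
    dst: str               # destination network in CIDR form, or "any"
    dport: Optional[int]   # destination port; None means any port
    descr: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    dst: str
    dport: Optional[int] = None


def matches(rule, pkt):
    """Does this rule's protocol/destination/port selector cover the packet?"""
    if rule.proto == "tcp/udp":
        if pkt.proto not in ("tcp", "udp"):
            return False
    elif rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dst != "any" and ip_address(pkt.dst) not in ip_network(rule.dst, strict=False):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules, pkt):
    """Top-down, first match wins (pfSense GUI rules are 'quick' rules);
    a packet that matches nothing hits the hidden default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.descr
    return "block", "hidden default deny"


GOOGLE_DNS = "8.8.8.8"     # resolver named in the thread
VPS_IP = "203.0.113.10"    # constructed placeholder for the OP's VPS address

# Ordering as the OP described it: the block rule sits above the allow rules,
# so it catches every packet first and the allow rules are never reached.
BLOCK_FIRST = [
    Rule("block", "any", "any", None, "block LAN to Internet"),
    Rule("pass", "tcp/udp", GOOGLE_DNS + "/32", 53, "allow Google DNS"),
    Rule("pass", "tcp", VPS_IP + "/32", 443, "allow VPS"),
]

# Ordering from the reply: allow rules only; everything else is dropped by
# the hidden default deny, so no explicit block rule is needed at all.
ALLOW_ONLY = [
    Rule("pass", "tcp/udp", GOOGLE_DNS + "/32", 53, "allow DNS to configured resolver"),
    Rule("pass", "tcp/udp", VPS_IP + "/32", 80, "allow VPS HTTP"),
    Rule("pass", "tcp/udp", VPS_IP + "/32", 443, "allow VPS HTTPS"),
]


def verdicts(rules):
    """Evaluate a few representative LAN packets; returns {label: action}."""
    samples = {
        "dns_query": Packet("udp", GOOGLE_DNS, 53),
        "vps_https": Packet("tcp", VPS_IP, 443),
        "other_site": Packet("tcp", "198.51.100.7", 443),  # constructed third-party host
        "ping_dns": Packet("icmp", GOOGLE_DNS),              # ping is ICMP, never TCP/UDP
    }
    return {label: evaluate(rules, pkt)[0] for label, pkt in samples.items()}


if __name__ == "__main__":
    print("block first:", verdicts(BLOCK_FIRST))
    print("allow only: ", verdicts(ALLOW_ONLY))
```

With the block rule first, even the DNS query and the VPS connection are blocked, which is the symptom the OP reported; with allow rules only, DNS and the VPS pass, other sites are dropped by the default deny, and ping to 8.8.8.8 still fails because no rule passes ICMP, exactly as the earlier replies pointed out.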
-
Which part of "you need to allow TCP/UDP with destination port 53 to any DNS server you have configured on your client" is exactly unclear??? When you block DNS traffic then it won't work.
Why are you configuring ridiculously restrictive firewall rules without understanding the basics?
Not sure if you are trying to help or just be a c*nt :)
I set the DNS on the client in the network config for the connection. This allowed it to work.
I allowed all TCP/UDP to Google DNS as I posted earlier.
Where else would I start - this is understanding the basics.
-
@KOM:
Firewall rules are processed top-down. Your users are never going to go anywhere when rules #2,3 prevent all Internet access from LAN. You need to put your Allow rules first and then all else can be blocked by the hidden Default Deny rule.
Delete rules 2,3,4,7,8 & set remaining rule's protocol to TCP/UDP and you should be done and working.
Thanks for the response.
This solved the issue perfectly and simply.
-
Glad you got it working ;D
-
Where else would I start - this is understanding the basics.
I meant firewall basics. Apparently not the case with you.
-
What is the alias for when the IP will never change?
This isn't the first time you have shit on people for using aliases. I can't believe that someone who knows DNS as well as you do is baffled as to why people would use an alias for a single IP address. I have all kinds of single IP aliases because I find it much easier to read for myself and anyone who might take my place. So much easier to read DNS_Server than 10.11.34.6 and know what's going on. Yes, I'm sure that there are supermen network admins who can memorize an entire class C subnet but that's not me.
-
@KOM:
So much easier to read DNS_Server than 10.11.34.6 and know what's going on.
Yeah. Because the description column does not fit on the screen. I guess you are leaving the descriptions empty, exactly like OP.
-
I guess you are leaving the descriptions empty, exactly like OP.
I do both. I prefer to have the Source/Target obvious without having to read a description, but I also add a description to make it even clearer for others. I simply find it faster to understand the rule using the alias than by scanning the rule and then reading the description. You are saying that one way is wrong and one way is right. I say let people work the way they want without mocking them for it.