Alarm company no longer provides a static IP address for their incoming requests



  • My house uses a DMP alarm system and in the past requests to the alarm panel from their hosts always came from a static IP address to port 2001.  They no longer will guarantee to come from a single IP address and it appears they are load balancing outbound requests based on some review of the firewall logs and rejected connections.  They are not using HTTP / HTTPS to communicate with the Alarm system, but rather a custom IP protocol.  I am curious how might I validate the DNS for an IP address before allowing the traffic through.  e.g. a request comes from 199.199.199.99 how can I make sure that IP address is associated host name server.alarmco.com before allowing the connection.

    Sorry if this is an easy question I am missing the obvious.

    Thx
    Bryan


  • Netgate

    Sorry if this is an easy question I am missing the obvious.

    Yeah, get a new alarm company.



  • You could make an alias "Alarmco" for server.alarmco.com and add a pass rule for source "Alarmco"…
    But it is likely that their DNS name is going to resolve into just 1 of their servers, when you need a full list.
    Ask them to provide you a list of all the IPs they will use for monitoring, or their whole public IP subnet/s. They should be able to give you that easily.
    Otherwise, I'm with Derelict.


  • Rebel Alliance Developer Netgate

    To reinforce the point:

    If a security company can't provide you with a list of servers for their end to connect from so you can ensure the security of the port/service/device itself, then I would have no confidence in their product or services.

    I'd already have serious doubts about their custom protocol and the IP stack on the panel, but if they want you to open it wide open to the world, forget it.