OPNsense Forum

English Forums => General Discussion => Topic started by: xofer on March 25, 2022, 01:36:36 pm

Title: Can I create a firewall rule from a wildcard DNS entry?
Post by: xofer on March 25, 2022, 01:36:36 pm
I would like to define a firewall rule from a wildcard DNS entry. This can be achieved in Linux iptables.

Let's consider the scenario where I would like to block all outgoing traffic from a host, but allow only *.update.microsoft.com. I do not know the IP addresses, I do not even know the host name, only the wildcard match. The IP address <-> host name mapping may change over time.

In Linux this can be achieved in the following way:
1) the client asks for somerandomstring.update.microsoft.com from dnsmasq
2) dnsmasq looks up the name, returns it to the client and adds it to an ipset list according to its whitelist
3) the iptables firewall rule is configured to allow traffic according to the ipset list

ipset lists can be updated "behind the scenes" without any firewall reload.

Can something similar be achieved in OPNsense pf?
Title: Re: Can I create a firewall rule from a wildcard DNS entry?
Post by: xofer on March 25, 2022, 06:19:15 pm
I know I am essentially replying to myself here, but maybe someone else needs this. It appears that dnsmasq ipset functions work (albeit totally undocumented) in BSD as well and write to a pf table using the same configuration syntax. So all I needed to do is:

add to the /usr/local/etc/dnsmasq.conf.d directory a file ALLOWTHIS.conf:

    ipset=/somedomain.com/ALLOWTHIS

Then I created an empty host(s) alias ALLOWTHIS from the OPNsense GUI and created appropriate firewall rules in the GUI on this alias. I chose to disable the alias from the GUI, as a disabled alias seems to be enough to allow me to use it in firewall rules.

The result is the same as I described:
- the client asks for asfgsgagasdgfarfarerf.somedomain.com
- dnsmasq looks it up, returns it to the client and adds it to the pf table ALLOWTHIS
- the rule I created earlier applies instantly

There are some caveats:
- currently the IP addresses seem to be discarded from the pf table ALLOWTHIS. I have not yet figured out if it is dnsmasq cleaning up according to the TTL, but for my purposes it is no biggie
- the client might cache the DNS response and not ask OPNsense at all
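As an added example that is not part of xofer's post or of OPNsense itself: the script below writes the dnsmasq fragment described above (dnsmasq's ipset= syntax accepts several domains before the table name, and each domain also covers its subdomains) and uses pfctl to inspect the table that gets filled. TABLE, CONF_DIR and the domains are placeholders; the pfctl helpers only work on the OPNsense box itself.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the dnsmasq ipset= fragment
# and inspect the pf table it feeds. TABLE, CONF_DIR and the domains are placeholders.
CONF_DIR="${CONF_DIR:-/usr/local/etc/dnsmasq.conf.d}"
TABLE="${TABLE:-ALLOWTHIS}"

# dnsmasq syntax is ipset=/domain1/domain2/TABLE; each domain also matches its
# subdomains, which is what gives the *.update.microsoft.com style behaviour.
ipset_line() {
    table="$1"; shift
    line="ipset="
    for d in "$@"; do
        line="${line}/${d}"
    done
    printf '%s/%s\n' "$line" "$table"
}

# Write the fragment dnsmasq loads from its conf-dir (restart dnsmasq afterwards).
write_conf() {
    ipset_line "$TABLE" "$@" > "$CONF_DIR/$TABLE.conf"
}

# Addresses appear in the table only after a client resolves a matching name
# through this dnsmasq; an empty listing usually means the client used another
# resolver or answered from its own cache (the caveat from the post above).
show_table() {
    pfctl -t "$1" -T show
}

# Is a given address currently in the table? pfctl exits non-zero on no match.
in_table() {
    pfctl -t "$1" -T test "$2" >/dev/null 2>&1
}

case "${1:-}" in
    apply) write_conf "${2:?domain}" ;;
    show)  show_table "$TABLE" ;;
    test)  in_table "$TABLE" "${2:?address}" && echo present || echo absent ;;
esac
```

Run it as `sh allowthis.sh apply somedomain.com`, resolve a name under that domain from a client, then `sh allowthis.sh show` to confirm the table filled.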
Title: Re: Can I create a firewall rule from a wildcard DNS entry?
Post by: billchurch on February 22, 2023, 09:02:45 pm
You're pretty close to perfect here. The only change you need is to use "External (advanced)" for your Alias instead of the "Hosts" alias.

Details are in this comment:
https://github.com/opnsense/core/issues/4145#issuecomment-1208889357
Title: Re: Can I create a firewall rule from a wildcard DNS entry?
Post by: xofer on March 03, 2023, 09:17:46 am
Well, hindsight is almost always 20/20 (my concoction is from March, Modest's from August),
but good point, yeah.