Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
Can i create firewall rule from a wildcard dns entry?
« previous
next »
Print
Pages: [
1
]
Author
Topic: Can i create firewall rule from a wildcard dns entry? (Read 5385 times)
xofer
Newbie
Posts: 42
Karma: 2
Can i create firewall rule from a wildcard dns entry?
«
on:
March 25, 2022, 01:36:36 pm »
I would like to define a firewall rule from a wildcard DNS entry. This can be achieved in linux iptables.
Lets consider the scenario where I would like to block all outgoing traffic from a host, but allow only *.update.microsoft.com. I do not know the ip addresses, i do not even know the host name, only wildcard match. The ip address<>host name may change in time.
In linux this can be achieved in the following way:
1) client asks for somerandomstring.update.microsoft.com from dnsmasq
2) dnsmasq looks up the name, returns it to the client and adds it to an ipset list according to its whitelist
3) firewall iptables rule is configured to allow traffic according to the ipset list
ipset lists can be updated "behind the scenes" without any firewall reload.
Can something similar be achieved in opnsense pf?
Logged
xofer
Newbie
Posts: 42
Karma: 2
Re: Can i create firewall rule from a wildcard dns entry?
«
Reply #1 on:
March 25, 2022, 06:19:15 pm »
I know I am essentially replying to myself here, but maybe someone else needs this. It appears that dnsmasq ipset functions work (albeit totally undocumented) in BSD as well and write to a pf table using the same configuration syntax. So all i needed to do is:
add to /usr/local/etc/dnsmasq.conf.d directory a file ALLOWTHIS.conf:
Code:
[Select]
ipset=/somedomain.com/ALLOWTHIS
then I created an empty host(s) alias ALLOWTHIS from opnsense GUI and created appropriate firewall rules in the gui on this alias. I chose to disable the alias from GUI as a disabled alias seems to be enough to allow me to use it in firewall rules.
The result is the same as i described:
- client asks for asfgsgagasdgfarfarerf.somedomain.com
- dnsmasq looks it up, returns to client and adds it to a pf table ALLOWTHIS
- the rule i created eralier, applies instantly
There are some caveats:
- currently the ip addresses seem to be discarded from the pf table ALLOWTHIS. I have not yet figured out if it is dnsmasq cleaning up according to the TTL, but for my purposes it is no biggie
- the client might cache the dns response and not ask opnsense at all
Logged
billchurch
Newbie
Posts: 3
Karma: 0
Re: Can i create firewall rule from a wildcard dns entry?
«
Reply #2 on:
February 22, 2023, 09:02:45 pm »
You're pretty close to perfect here. The only change you need is to use "External (advanced)" for your Alias instead of the "Hosts" alias.
Details are in this comment:
https://github.com/opnsense/core/issues/4145#issuecomment-1208889357
Logged
xofer
Newbie
Posts: 42
Karma: 2
Re: Can i create firewall rule from a wildcard dns entry?
«
Reply #3 on:
March 03, 2023, 09:17:46 am »
Well, hindsight is almost always 20-20 (my concoction is from march, Modest's from august)
but good point, yeah
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
Can i create firewall rule from a wildcard dns entry?