  1. #1
    Untangler
    Join Date
    Aug 2008
    Posts
    32

    Default Feature Request - Port Forward Rules - Source Address by FQDN

    I work for an MSP and we have Untangle running at quite a few of our clients' offices. We have certain port forward rules where the Source Address is our Static IP at our office. However, if we were to move offices, we would need to go in to those Untangles and update those rules with our new Static IP.

    Has there been any discussion around allowing FQDN instead of just IP Addresses under the Source Address for Port Forward Rules? It would be nice for us to have office1.domain.com in the Port Forward Rule.

  2. #2
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    9,625
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,033

    Default

    The only way this could be done is to have the UI translate the FQDN via a DNS dig into a list of IP addresses. However, the UVM would have to have some sort of scheduled event to reevaluate this rule on a consistent basis, and whatever delay is used will be a window of failure when the information changes.

    Firewalls do not use DNS to configure security-sensitive rules. They never have, and the reason why is that they basically make firewalls pointless.

    The answer to this situation is to provide a backdoor to a network that operates independently of the firewall. MSP software such as Continuum or nAble do this via the agents installed on platforms. In the event that service access firewall rules need to change because the MSP's office address, or something else, changes, manual changes of the devices are required. This is a cost of doing business, please stop being lazy.

    Oh wait... I forgot... the MSP business model is to be lazy... ok well this lazy is bad because you're a DNS cache poisoning attack away from compromising your client's network. Protect them, spend the time, that's what they pay you for.

    Of course if Untangle had centralized management, it might be able to just make one rule change that propagated to N devices... that would solve this problem too. (Some of us have been waiting since 2008 for this)
    Last edited by sky-knight; 12-10-2016 at 11:23 AM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
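    To make the mechanics of the post above concrete, here is an added simulation (not Untangle code, and not from anyone in this thread) of what an FQDN-based source rule would have to do: resolve the name on a schedule, rewrite the rule's source set from the answer, and accept a staleness window between a DNS change and the next refresh. It also shows the one guardrail a defender would insist on if such a feature ever existed: answers outside an allow-listed set of prefixes are rejected and logged, so a bogus or poisoned answer cannot silently widen the rule to arbitrary addresses. The hostname, prefixes, addresses (RFC 5737 documentation ranges) and refresh timeline are all constructed; no real DNS lookup is performed.

```python
"""Simulated scheduled re-resolution of an FQDN-sourced port-forward rule.

Added example with constructed data only. It makes no DNS queries; the
"resolver" is a scripted timeline of answers so the staleness window and
the prefix guardrail can be observed deterministically.
"""
import ipaddress
import math
from dataclasses import dataclass, field

# Hypothetical MSP-owned address space (RFC 5737 documentation ranges).
OFFICE_PREFIXES = ("203.0.113.0/24", "198.51.100.0/24")


@dataclass
class SourceRule:
    fqdn: str
    allowed_prefixes: tuple          # guardrail: answers outside these are rejected
    refresh_interval: int            # seconds between scheduled re-resolutions
    addresses: frozenset = field(default_factory=frozenset)
    last_refresh: int = -1
    events: list = field(default_factory=list)   # (time, kind, addresses) audit log


def filter_answer(addresses, allowed_prefixes):
    """Split a DNS answer into addresses inside the allow-listed prefixes and the rest."""
    nets = [ipaddress.ip_network(p) for p in allowed_prefixes]
    accepted, rejected = set(), set()
    for a in addresses:
        ip = ipaddress.ip_address(a)
        (accepted if any(ip in n for n in nets) else rejected).add(a)
    return frozenset(accepted), frozenset(rejected)


def stale_window(change_time, last_refresh, interval):
    """Seconds the rule keeps the old addresses after the DNS record changes.

    This is the 'window of failure' the post describes: nothing happens
    until the next scheduled refresh after the change.
    """
    if change_time <= last_refresh:
        return 0
    next_refresh = last_refresh + math.ceil((change_time - last_refresh) / interval) * interval
    return next_refresh - change_time


def refresh(rule, now, resolver):
    """One scheduled re-evaluation: resolve, filter, rewrite the source set, log."""
    accepted, rejected = filter_answer(resolver(rule.fqdn, now), rule.allowed_prefixes)
    if rejected:
        # An answer outside the allow-list is never installed; it is logged for review.
        rule.events.append((now, "rejected", tuple(sorted(rejected))))
    if accepted != rule.addresses:
        rule.events.append((now, "changed", tuple(sorted(accepted))))
        rule.addresses = accepted
    rule.last_refresh = now
    return rule.addresses


def run_schedule(rule, resolver, until):
    """Run refreshes at t = 0, interval, 2*interval, ... up to 'until' and return the log."""
    for t in range(0, until + 1, rule.refresh_interval):
        refresh(rule, t, resolver)
    return rule.events


# Constructed timeline: (effective from second N, addresses the resolver returns).
CONSTRUCTED_ANSWERS = [
    (0, {"203.0.113.10"}),                          # office's static IP
    (5000, {"198.51.100.20"}),                      # office moved, record updated
    (13000, {"198.51.100.20", "192.0.2.66"}),       # bogus extra record outside the allow-list
]


def constructed_resolver(fqdn, now):
    """Scripted stand-in for a DNS lookup; returns the answer in effect at time 'now'."""
    current = set()
    for since, addrs in CONSTRUCTED_ANSWERS:
        if now >= since:
            current = addrs
    return current


if __name__ == "__main__":
    rule = SourceRule("office1.domain.com", OFFICE_PREFIXES, refresh_interval=3600)
    for event in run_schedule(rule, constructed_resolver, 14400):
        print(event)
    print("stale window after the move:", stale_window(5000, 3600, 3600), "seconds")
```

With an hourly refresh, the record change at t=5000 is not picked up until t=7200, so the old office address stays in the rule for 2200 seconds and the new one is locked out for the same period; shortening the interval shrinks that window but never closes it. The rejected-address event at t=14400 is the point a monitoring pipeline would alert on, since a resolved address outside the operator's own prefixes is exactly the outcome the cache-poisoning objection in the post is about.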

  4. #4
    Untangler
    Join Date
    Aug 2008
    Posts
    32

    Default

    Quote Originally Posted by jcoffin View Post
    Thanks for pointing me to this, I appreciate it.

  5. #5
    Untangler
    Join Date
    Aug 2008
    Posts
    32

    Default

    Quote Originally Posted by sky-knight View Post
    The only way this could be done is to have the UI translate the FQDN via a DNS dig into a list of IP addresses. However, the UVM would have to have some sort of scheduled event to reevaluate this rule on a consistent basis, and whatever delay is used will be a window of failure when the information changes.

    Firewalls do not use DNS to configure security-sensitive rules. They never have, and the reason why is that they basically make firewalls pointless.

    The answer to this situation is to provide a backdoor to a network that operates independently of the firewall. MSP software such as Continuum or nAble do this via the agents installed on platforms. In the event that service access firewall rules need to change because the MSP's office address, or something else, changes, manual changes of the devices are required. This is a cost of doing business, please stop being lazy.

    Oh wait... I forgot... the MSP business model is to be lazy... ok well this lazy is bad because you're a DNS cache poisoning attack away from compromising your client's network. Protect them, spend the time, that's what they pay you for.

    Of course if Untangle had centralized management, it might be able to just make one rule change that propagated to N devices... that would solve this problem too. (Some of us have been waiting since 2008 for this)
    Your response was neither helpful nor respectful. There is no need to call someone you don't know "lazy".

  6. #6
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,033

    Default

    I didn't call you lazy, I said the MSP business model is lazy.

    And I own an MSP too... So therefore, I too am lazy. It's part of the job. You want to spend as little time as possible on anything, that's lazy. It's also smart.

    I was however making light of your feature suggestion that's been made 100 times before if you'd bothered to use the search feature. But you didn't so I opted for a bit of fun.

    Ok, so you didn't enjoy it. That's fine, serious mode here.

    Firewall or NAT configurations based on DNS names are monstrously bad for a ton of reasons. If you wish to know why, please google on the subject, there are tomes of network security texts and articles out there going over the material.

    However, that doesn't change the needs of your MSP, and maintaining potentially hundreds of specific rules linked to your enterprise. The feature that you really need is central management of Untangle servers. With it, you could push a single configuration change to 100 servers. Sadly, Untangle doesn't have this feature. Why it doesn't have it is a long story too.

    These days I'd be happy if I just had a single pane of glass on my Untangle account that could point me at all of my Untangle servers. But the ability to edit configurations en masse? That's very convenient, but it's also terribly risky. Untangle is a UVM after all, and as a security appliance do you really want admin keys sitting in a datacenter full of other admin keys? You know, like Cisco does with Meraki, so it can be hacked like Meraki does?

    Network Security... it's not easy. That's why we get paid.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  7. #7
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,747

  8. #8
    Untangler
    Join Date
    Aug 2008
    Posts
    32

    Default

    Quote Originally Posted by dmorris View Post
    Thanks for this, it makes a lot of sense as to why it shouldn't/can't be done.
