Page 1 of 3
Results 1 to 10 of 30
  1. #1
    Untangler (Join Date: Feb 2008, Posts: 80)

    Block or allow by hostname?

    Is there a way to block or allow traffic by the hostname instead of the IP address? I want to block or allow traffic based on a name on all ports, not just http. Is this possible?

  2. #2
    Untangle Junkie dmorris (Join Date: Nov 2006, Location: San Carlos, CA, Posts: 17,747)

    Ports and IPs don't have names.

    The firewall has to make a decision on the information that is available at the time of session creation.

    edit: You can do it by client "hostname", which will match if and only if the client is local and hostname is already known through some other means.
    Last edited by dmorris; 04-04-2016 at 08:26 PM.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Untangler (Join Date: Feb 2008, Posts: 80)

    I guess I should rephrase the question: is there a way to block traffic by domain name instead of an address? For instance, suppose I want to block google.com and all the IPs it resolves to instead of having to enter all the addresses manually and keep track of them as they change. This of course involves DNS queries to work...

  4. #4
    Untangle Ninja sky-knight (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 26,396)

    No, DNS based firewall rules are never allowed. This is true of any firewall worth its salt. The whys are long, sordid, and a series of been there and done that's.

    Besides, let's take the example you've just provided. The DNS queries for google.com change based on a CDN, and can rotate even among machines on the same network. So there's no way to guarantee that the DNS resolution Untangle would perform would match the network session coming from a client behind it. Let's say nothing of the time it takes to process a firewall rule when you have to wait on a DNS query.

    The tool to bridge that gap is web filter.
    Last edited by sky-knight; 04-06-2016 at 08:06 PM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #5
    Untangle Junkie dmorris (Join Date: Nov 2006, Location: San Carlos, CA, Posts: 17,747)

    No.

    Let's play a game.
    I typed an address into my URL bar in Chrome and hit enter.
    As a result, my browser opens a TCP connection (sends a SYN packet) to 206.169.34.19

    You are my firewall. What did I type into my URL bar?
    You need to know this so you can make a decision.
    You can look at any information in the packet, source port, destination port, tcp flags, tcp options, etc.
    Can you answer this question?

    I'll even give you a hint... It was not "206-169-34-19.static.twtelecom.net"
    Last edited by dmorris; 04-06-2016 at 08:28 PM.

  6. #6
    Untangler (Join Date: Feb 2008, Posts: 80)

    OpenDNS does filtering based on DNS querying, which is kind of what I would like to see with Untangle at some level. I understand the implication of doing this with reverse lookups on IP-based queries, but my principal concern was for forward lookups for things like CDNs, though not specifically for HTTP traffic.

  7. #7
    Untangler (Join Date: Feb 2008, Posts: 80)

    But "no" is what I thought. I'll probably write a script to automate rule creation based on IPs from DNS. I'm more interested in whitelisting than blacklisting IPs. Some software I use contacts servers in countries I block otherwise. The IP shifts occasionally, so I have to update the rules manually.
    Last edited by blaize; 04-07-2016 at 11:07 AM.
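    The script blaize sketches in post #7 (and the "keep track of them as they change" problem from post #3) looks roughly like this. This is an added example, not code from the thread or from Untangle: the resolver is injected so it runs offline, FAKE_ANSWERS is a constructed stand-in for two successive resolver runs against a CDN-fronted name using RFC 5737 documentation addresses, and the "allow <ip>/32 any" rule line is a hypothetical text format, not Untangle's rule syntax. The diff step is the part a practitioner actually needs: it shows exactly the drift sky-knight warns about, so the rule set can be regenerated (or an alert raised) instead of going stale.

```python
"""
Generate allow rules from DNS answers and detect when the answers drift.

Added example, not part of the forum thread or Untangle's code. The resolver
is injected so the script runs offline; FAKE_ANSWERS is a constructed
snapshot standing in for two successive getaddrinfo() runs, and the rule
format "allow <ip>/32 any" is hypothetical.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Set, Tuple

Resolver = Callable[[str], Set[str]]

# Constructed sample data: what two resolver runs, minutes apart, might return
# for a CDN-fronted name. Addresses are RFC 5737 documentation ranges.
FAKE_ANSWERS = {
    "run1": {"update.example.com": {"192.0.2.10", "192.0.2.11"},
             "license.example.net": {"198.51.100.5"}},
    "run2": {"update.example.com": {"192.0.2.11", "203.0.113.7"},
             "license.example.net": {"198.51.100.5"}},
}


def live_resolver(name: str) -> Set[str]:
    """Real resolver via the system stub resolver (IPv4 only); unused offline."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET)
    return {info[4][0] for info in infos}


def resolve_all(names: Iterable[str], resolver: Resolver) -> Dict[str, Set[str]]:
    """Resolve every name, rejecting anything that is not an IPv4 literal."""
    snapshot: Dict[str, Set[str]] = {}
    for name in names:
        addrs = set()
        for addr in resolver(name):
            ipaddress.IPv4Address(addr)  # raises ValueError on garbage
            addrs.add(addr)
        snapshot[name] = addrs
    return snapshot


def render_rules(snapshot: Dict[str, Set[str]]) -> List[str]:
    """Emit deterministic /32 allow rules (hypothetical format), one per address."""
    rules = []
    for name in sorted(snapshot):
        for ip in sorted(snapshot[name], key=ipaddress.IPv4Address):
            rules.append(f"allow {ip}/32 any  # {name}")
    return rules


def diff_snapshots(old: Dict[str, Set[str]],
                   new: Dict[str, Set[str]]) -> Tuple[Set[Tuple[str, str]], Set[Tuple[str, str]]]:
    """Return (added, removed) as sets of (name, ip) pairs between two runs."""
    old_pairs = {(n, ip) for n, ips in old.items() for ip in ips}
    new_pairs = {(n, ip) for n, ips in new.items() for ip in ips}
    return new_pairs - old_pairs, old_pairs - new_pairs


if __name__ == "__main__":
    names = list(FAKE_ANSWERS["run1"])
    snap1 = resolve_all(names, lambda n: FAKE_ANSWERS["run1"][n])
    snap2 = resolve_all(names, lambda n: FAKE_ANSWERS["run2"][n])
    print("\n".join(render_rules(snap2)))
    added, removed = diff_snapshots(snap1, snap2)
    print("added:", sorted(added))
    print("removed:", sorted(removed))
```

    Swap the lambda for live_resolver to run it against real DNS; the point of the diff is that a rule set built this way is only as current as its last run, and any address the resolver did not happen to return (a different CDN node handed to the client) will still be blocked.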

  8. #8
    Untangle Ninja sky-knight (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 26,396)

    Quote Originally Posted by blaize:
    OpenDNS does filtering based on DNS querying, which is kind of what I would like to see with Untangle at some level. I understand the implication of doing this with reverse lookups on IP-based queries, but my principal concern was for forward lookups for things like CDNs, though not specifically for HTTP traffic.
    Congrats, you've tripped over what Web Filter does currently.

  9. #9
    Untangler (Join Date: Feb 2008, Posts: 80)

    Quote Originally Posted by sky-knight:
    Congrats, you've tripped over what Web Filter does currently.
    You obviously didn't read the post. This isn't exclusive for web filtering...

    Web filtering is easier because the hostname is sent along with the request per the HTTP 1.1 spec. This isn't the case on other protocols. If I wanted to filter HTTP, I'd be asking this question under web filtering, wouldn't I?
    Last edited by blaize; 04-07-2016 at 12:11 PM.
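    dmorris's game in post #5 and blaize's point in post #9 are the same fact seen from two sides: at session creation the firewall has a SYN and nothing else, and a name only appears later, and only for protocols that carry one (the HTTP/1.1 Host header). The following added example, not code from the thread or from Untangle, makes both concrete. It builds a constructed IPv4/TCP SYN to the 206.169.34.19 address dmorris quotes, decodes every field that is actually present, then runs a small Host-header extractor over a constructed HTTP/1.1 request and over a constructed SMTP payload to show where a name is and is not available. The packet builder, parser and extractor are all hypothetical helpers written for this example.

```python
"""
What a firewall can see at session creation versus once an HTTP/1.1 request
has been sent. Added example, not part of the forum thread or Untangle.
The SYN and the payloads are constructed by hand; 206.169.34.19 is the
destination quoted in post #5, 192.0.2.20 is an RFC 5737 documentation
address standing in for the client.
"""
import socket
import struct
from typing import Dict, List, Optional

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """Constructed IPv4 header + TCP header with only SYN set, no options."""
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,   # v4/IHL=5, len 40, DF, TTL 64, proto TCP
        socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        sport, dport, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)  # data offset 5, flags=SYN
    return ip_hdr + tcp_hdr


def parse_syn(pkt: bytes) -> Dict[str, object]:
    """Decode the only fields a session-creation decision can be based on."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    sport, dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    set_flags: List[str] = [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)]
    # Note what is absent: there is no field anywhere in here that names the host.
    return {"proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport, "flags": set_flags}


def http_host(payload: bytes) -> Optional[str]:
    """Return the Host header of an HTTP/1.x request, or None if this isn't one."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None                      # no complete header block
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None                      # request line is not HTTP/1.x
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


# Constructed sample traffic.
SYN = build_syn("192.0.2.20", "206.169.34.19", 51515, 80)
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: x\r\n\r\n"
SMTP_PAYLOAD = b"EHLO client.example\r\nMAIL FROM:<user@example.com>\r\n"

if __name__ == "__main__":
    print("at SYN time:", parse_syn(SYN))
    print("HTTP Host:", http_host(HTTP_REQUEST))
    print("SMTP Host:", http_host(SMTP_PAYLOAD))
```

    The first print is everything the firewall holds when it must answer dmorris's question; the second shows why a web filter can work by name; the third shows why the same trick gives nothing for an arbitrary non-HTTP session.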

  10. #10
    Untangle Ninja sky-knight (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 26,396)

    Host names only exist within the context of a URI request via HTTP or HTTPS.

    Use of DNS resolution to provide IP addresses for a firewall rule causes problems.

    There is no "name" attached to arbitrary syn requests exiting a network.
