Firewall - Allowing/Denying using FQDN/DNS Name


Hi

 

Nowadays most larger enterprises use load balancing, high availability and other technologies to keep their services available.

Which means that one FQDN can have multiple IP addresses. Today the ESET Smart Security firewall operates on a per-IP basis.

Blocking many IPs (more than 2-3, for example) with the same name is quite annoying. Please implement this change in the firewall.

 

If there's a correct place to suggest features, point me there.

 

Thanks


  • Administrators

That's tricky if not impossible. The firewall inspects packets, where only information about IP addresses is available. In order to make possible what you suggest, ekrn would have to resolve hostnames to IP addresses on startup. If IP addresses were changed in the meantime, rules with hostnames would become invalid until the next computer restart.


Blocking many IPs (more than 2-3, for example) with the same name is quite annoying. Please implement this change in the firewall.

If the issue is blocking by domain name, you can do that using the web filtering feature. Just enable the block list and add the domain you want to block to it.

That's tricky if not impossible. The firewall inspects packets, where only information about IP addresses is available. In order to make possible what you suggest, ekrn would have to resolve hostnames to IP addresses on startup. If IP addresses were changed in the meantime, rules with hostnames would become invalid until the next computer restart.

 

Any plans to give us option to use FQDN in firewall rules?


Which firewall has such functionality? Packets contain IP addresses, not domain names.

 

To be honest, I don't know of any. So far I have only been able to create firewall rules based on FQDN on hardware firewalls.

 

The problem I have is that I need to prevent users from accessing any IP/port except the Microsoft Windows Update servers, and there only ports 80/443.

But finding the IP addresses for them is nearly impossible, so in v5 I'm left with the option to enter an IP, an IP range or a subnet (it would be nice if you gave an IP list option).

In v6 you gave the option to control access in the firewall per service, so I plan to use that once we migrate to v6 and allow the Windows Update service.

Edited by bbahes
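The two points raised in this thread, that a packet filter only ever sees IP addresses so a hostname rule has to be resolved to IPs and goes stale when the DNS answer changes, and the use case of allowing only the Windows Update hosts on ports 80/443, can be shown together in code. The following is an added example, not ESET's code and not anything posted in the thread: an FQDN-keyed allowlist that resolves each name to its full set of A records, re-resolves when the record TTL has elapsed instead of only at startup, and evaluates packets by destination IP and port. The resolver is injected so the example runs offline; the hostname, addresses and rotating answers below are constructed to imitate a load-balanced name whose IPs change between resolutions.

```python
"""FQDN-based allowlist refreshed on DNS TTL expiry (added example, not from the thread)."""
import time
from dataclasses import dataclass


@dataclass
class DnsAnswer:
    """One resolver answer: every A record for the name plus the record TTL."""
    ips: frozenset
    ttl: int


@dataclass
class FqdnRule:
    fqdn: str
    ports: frozenset
    ips: frozenset = frozenset()
    expires_at: float = 0.0   # clock value after which the cached IPs are stale


class FqdnAllowlist:
    """Default-deny allowlist keyed by hostname; the packet check itself is IP/port only."""

    def __init__(self, resolver, clock=time.monotonic):
        self.resolver = resolver   # callable: fqdn -> DnsAnswer, raises OSError on failure
        self.clock = clock
        self.rules = {}

    def add(self, fqdn, ports):
        rule = FqdnRule(fqdn=fqdn, ports=frozenset(ports))
        self.rules[fqdn] = rule
        self._resolve(rule)

    def _resolve(self, rule):
        """Re-resolve one rule; return True if its IP set changed."""
        try:
            answer = self.resolver(rule.fqdn)
        except OSError:
            # Keep the last known IPs and retry soon rather than dropping to an empty set.
            rule.expires_at = self.clock() + 30
            return False
        changed = answer.ips != rule.ips
        rule.ips = answer.ips
        rule.expires_at = self.clock() + answer.ttl
        return changed

    def refresh(self, force=False):
        """Re-resolve rules whose TTL has elapsed; return the names whose IP set changed."""
        now = self.clock()
        return {name for name, rule in self.rules.items()
                if (force or now >= rule.expires_at) and self._resolve(rule)}

    def allows(self, dst_ip, dst_port):
        """What the packet filter can actually decide on: destination IP and port."""
        return any(dst_ip in rule.ips and dst_port in rule.ports
                   for rule in self.rules.values())

    def render(self):
        """Render the current IP-level rules as iptables-style lines, default deny last."""
        lines = []
        for rule in self.rules.values():
            for ip in sorted(rule.ips):
                for port in sorted(rule.ports):
                    lines.append(f'-A OUTPUT -d {ip} -p tcp --dport {port} '
                                 f'-m comment --comment "{rule.fqdn}" -j ACCEPT')
        lines.append("-A OUTPUT -j DROP")
        return lines


class RotatingResolver:
    """Constructed stand-in for DNS: serves a different answer on each lookup of a name."""

    def __init__(self, rounds):
        self.rounds = rounds   # fqdn -> list of DnsAnswer served in order
        self.calls = {}

    def __call__(self, fqdn):
        if fqdn not in self.rounds:
            raise OSError(f"NXDOMAIN {fqdn}")
        i = self.calls.get(fqdn, 0)
        self.calls[fqdn] = i + 1
        answers = self.rounds[fqdn]
        return answers[min(i, len(answers) - 1)]


class FakeClock:
    """Controllable clock so TTL expiry can be exercised without waiting."""

    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Resolve once, check packets, then show the IP set changing after the TTL elapses."""
    clock = FakeClock()
    # Hypothetical update host with two addresses that rotate between lookups.
    resolver = RotatingResolver({"update.example.invalid": [
        DnsAnswer(frozenset({"192.0.2.10", "192.0.2.11"}), ttl=300),
        DnsAnswer(frozenset({"192.0.2.11", "192.0.2.12"}), ttl=300),
    ]})
    acl = FqdnAllowlist(resolver, clock)
    acl.add("update.example.invalid", ports=[80, 443])
    before = (acl.allows("192.0.2.10", 443), acl.allows("192.0.2.10", 22))
    clock.advance(60)
    early = acl.refresh()      # TTL not elapsed: nothing re-resolved, rules unchanged
    clock.advance(300)
    changed = acl.refresh()    # TTL elapsed: 192.0.2.10 drops out, 192.0.2.12 comes in
    after = (acl.allows("192.0.2.10", 443), acl.allows("192.0.2.12", 443))
    return before, early, changed, after, acl.render()


if __name__ == "__main__":
    print(demo())
```

With a real resolver you would plug in a lookup that exposes the TTL (for example dnspython's `dns.resolver.resolve(name, "A")`, whose result carries `rrset.ttl`), since `socket.getaddrinfo` returns addresses but not TTLs. The refresh loop is what the admin's objection is really about: resolving only at startup leaves the rules wrong as soon as the load balancer rotates an address, whereas re-resolving on TTL expiry (and keeping the last known set on a transient resolver failure rather than emptying it) keeps the IP-level rules tracking the name without a reboot.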