Firewall with rules by Hostname?


twoeyes (Technical User), Sep 19, 2002
Hi Everyone.

I've been looking for an easy to use software based (hopefully open source) firewall package that will allow one to create rules based on hostname, rather than IP address. The reason being, that I would like to define rules for some users that are on dynamic IP's (using something like dns2go to get a "static" hostname). Any recommendations? Bonus points for a package that is web-configured, and supports VPN connections.

Thanks in advance!

Regards,

Leonard.

So you'd want your firewall to make a DNS query for every packet that runs through your firewall? Is that what you're saying? [wink]
Well, it probably wouldn't do it for every packet. It could seriously slow down your firewall though. If you put the rule right at the bottom of your ruleset it might work out alright for you.
Unfortunately, I've never heard of such a feature on a firewall. I'm not saying it doesn't exist, just saying I've never heard of one.
If you do find one, though, post here, as I'd like to play around with that as well.

You can do it with iptables, i.e. block yahoo.com, although I believe it slowed everything down tremendously and there are some things to think about. Normally everything is flushed and then iptables is loaded, so you would have to make sure that:

1) The DNS servers you are using never ever go down and are always current.

2) Always allow tcp/udp port 53

A decent GUI that I have found is called Firestarter; it is a GUI for iptables/ipchains.


The hostnames idea is in the man pages for iptables, and here is the excerpt:


TARGETS
...skipping...
hostname (please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea), a network IP address (with /mask), or a plain IP address. .....
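The man-page caveat quoted above is the crux: iptables resolves a hostname once, when the rule is loaded, so a rule written against a dynamic DNS name quietly keeps the old address after the user's IP changes. What actually works for the setup described in this thread is to re-resolve the name on a timer and rewrite only a dedicated chain. The script below is an added example (not from any poster in the thread, and not part of iptables itself); the hostname, chain name, port list, state directory and the cron interval are assumptions and can be overridden in the environment.

```shell
#!/bin/sh
# ddns-fw.sh: keep an iptables chain in sync with a dynamic-DNS hostname.
# Added example, not from the thread. iptables resolves a hostname only
# when a rule is loaded, so this re-resolves on a timer and rewrites just
# its own chain. Hostname, chain, ports and state dir are assumptions.
set -eu

DDNS_HOST="${DDNS_HOST:-leonard-home.dyn.example.net}"  # assumed dynamic DNS name
CHAIN="${CHAIN:-DDNS_USERS}"      # own chain: a refresh never flushes the main ruleset
PORTS="${PORTS:-80 110 1723}"     # web, pop3, PPTP VPN (assumed port list)
STATE_DIR="${STATE_DIR:-/var/lib/ddns-fw}"
IPTABLES="${IPTABLES:-iptables}"  # IPTABLES='echo iptables' gives a dry run

# Resolve to one IPv4 address through the system resolver (so a local
# cache and /etc/hosts apply). Prints nothing and fails if there is no answer.
resolve_host() {
    getent ahostsv4 "$1" | awk '$2 == "STREAM" { print $1; exit }'
}

# Accept only a dotted quad with every octet in 0-255, so a bogus or
# truncated resolver answer can never be turned into a rule.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 } { exit 1 }'
}

# Print the rules the chain should hold for one source address, one per line.
render_rules() {
    for p in $PORTS; do
        printf '%s -A %s -s %s/32 -p tcp --dport %s -j ACCEPT\n' \
            "$IPTABLES" "$CHAIN" "$1" "$p"
    done
}

# Replace the chain contents. The chain is created on first use; afterwards
# only this chain is flushed. One-time wiring, done by hand, not here:
#   iptables -I INPUT -j DDNS_USERS
# Outbound DNS (udp/tcp 53) must stay allowed or resolution fails.
apply_rules() {
    $IPTABLES -N "$CHAIN" 2>/dev/null || true
    $IPTABLES -F "$CHAIN"
    render_rules "$1" | while IFS= read -r cmd; do
        $cmd
    done
}

# Re-resolve and touch the firewall only when the address actually changed.
# If DNS is down or returns junk, the previous rules stay in place instead
# of being flushed (the failure mode raised in the post above).
refresh() {
    new_ip="$(resolve_host "$DDNS_HOST")" || new_ip=""
    if [ -z "$new_ip" ] || ! valid_ipv4 "$new_ip"; then
        echo "ddns-fw: no usable answer for $DDNS_HOST; keeping current rules" >&2
        return 1
    fi
    mkdir -p "$STATE_DIR"
    state="$STATE_DIR/$DDNS_HOST.ip"
    old_ip="$(cat "$state" 2>/dev/null || true)"
    if [ "$old_ip" = "$new_ip" ]; then
        return 0
    fi
    apply_rules "$new_ip"
    printf '%s\n' "$new_ip" > "$state"
    echo "ddns-fw: $DDNS_HOST ${old_ip:-<none>} -> $new_ip" >&2
}

# Run from cron, e.g. every five minutes:
#   */5 * * * * /usr/local/sbin/ddns-fw.sh refresh
case "${1:-}" in
    refresh) refresh ;;
esac
```

Wire the chain in once with `iptables -I INPUT -j DDNS_USERS`, then run `ddns-fw.sh refresh` from cron. Because a failed or malformed lookup leaves the previous rules untouched and a flush only ever hits the script's own chain, the two conditions listed in the post above (DNS always up, port 53 always open) stop being load-bearing for the rest of the ruleset; the worst case is that a user keeps an address for one cron interval after it changes. `IPTABLES='echo iptables'` prints the commands instead of applying them.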
 
Well I use a proxy because the DNS queries were significant enough to slow everything down.... But he asked a question and there is his answer.

 
Hi.

Thanks for the responses. I realize a hostname lookup will probably slow down traffic, particularly on a busier firewall... but in our specific situation, it probably wouldn't be an issue (besides, I'd expect that DNS queries would be cached within the firewall machine one way or another).

I'm thinking about allowing only a few rules to users who have a dynamic IP address for web, pop3, VPN, possibly a few other ports. Rather than open them up to the world, I'm much more comfortable limiting the access by hostname (via one of the dynamic DNS services).

I do know that Symantec Personal Firewall can define rules in this manner... but that's a different class of application than what I need now.

Anyway, I didn't realize that Linux iptables had some support for this... I will look into it further.

Again, thanks all.


Leonard.

Have you considered instead some type of authentication, or do you prefer something transparent?
 
NtrOP,

It would often be both actually. For a variety of reasons, I'd rather not leave ports open to the net at large. For instance, for VPN, I have very little confidence in people's ability to 1) keep strong passwords or 2) not write aforementioned strong passwords down on a sticky note. =)

Also, things like web (intranet)... I wouldn't trust every page or web to have proper security. So, restricting by IP address is a reasonable compromise for our particular situation.

LC
