Firewall allow access to dyn dns clients

Discussion in 'Mac OS X Server, Xserve, and Networking' started by madtomt, Nov 14, 2012.

  1. madtomt macrumors newbie

    Nov 14, 2012
One of our home workers needs access via our firewall.

    He has a dynamic IP Address that changes every few weeks.
He also has a dynamic domain name that updates to the correct IP address when the address changes.

Is there any way to allow him access via the firewall based on his dynamic name, not his IP address?

At this point VPN is not possible.
  2. switon macrumors 6502a

    Sep 10, 2012

    Hi madtomt,

    What kind of access do you wish your home workers to have? You say that VPN is not possible, then is it FTP, SSH, web, Calendar, Contacts, ...?

    Say your home workers need ssh access which requires strong authentication and encrypts all traffic, but you don't want to open port 22 through your firewall since then the "trial-and-error" hackers will hit on port 22 trying every common username/password in an attempt to break in. One way around this is to obfuscate your SSH port number, that is, pick a different port for ssh (set in the ssh and daemon config files), hopefully one that is not used for something else that is important to you. Your home workers would then have SSH access on a port that is not the standard 22. This will eliminate all of those automated ssh guessing attacks since those are always directed to port 22.

    Say your home workers need web access, then use SSL on port 443 (https) and require strong authentication so the home workers must login to gain access to your web server. Once again all traffic is encrypted and thus more secure.

    Say your home workers need ftp access, then I would have them use sftp instead (much more secure than ftp) and again change the port from the standard 22 to some non-standard port.

    And finally, why not use VPN with its strong authentication and encryption which makes all other types of access much more secure. For instance, say your home workers need jabber access for video conferencing, then if they VPN in to your server and you run your own jabber server (iChat, Messages, XMPP), then the video communication can be encrypted and thus secure. I like VPN as being one of the more secure ways to allow workers through your corporate firewall.

    So, I apologize for the longwinded answer, but without further information on the type of access needed then it is difficult for me to answer. As you can see, different types of access may have different solutions.

    Lastly, if you only have one worker whose IP address and hostname change, then why not have him get a hostname from or some other dynamic hostname service. His dyndns hostname would then be constant even though his ISP assigned IP and hostname changes. You then allow his constant assigned hostname through your firewall: your firewall checks the IP address assigned to the hostname and then writes a firewall rule allowing this IP address.

  3. madtomt thread starter macrumors newbie

    Nov 14, 2012
    Many thanks for your excellent reply :D

There is only one home user, who does have a dynamic domain name which is constantly updated with his correct IP address.

    He needs full access to the network, ssh, ftp, web and access to files on the servers.

Before he changed ISP he had a static IP address; this was added to the firewall and he had the access he needed. The new ISP issues dynamic IP addresses and this has caused the issue.

How do we add his domain name to the server's firewall to allow him access?

    thanks again.
  4. switon, Nov 15, 2012
    Last edited: Nov 15, 2012

    switon macrumors 6502a

    Sep 10, 2012
    Re vpn...


    Given that your home worker needs access to numerous services, including it sounds like AFP or SMB for network disks, then why not use VPN? This is secure and provides encrypted communications. Once your home worker has VPNed into your network, he/she then has full access to all of the other services.

    I would just use a VPN server that can be configured to only allow your single home worker the ability to login via VPN. It doesn't really matter what his/her IP address is, only that he/she uses strong authentication to VPN into your network. This is by far the easiest route to take, in my opinion, and also potentially the most secure too.

    Barring that, then opening your firewall for a single user can be accomplished in many different ways, partly depending upon what OSX version you are running for your firewall. Since there are so many different options, I'll just point out a possible general strategy/approach (you will need to fill in the details for your particular server's firewall, and since you have already written a rule for your firewall for his old static IP address, this should not be too difficult to accomplish, only now you will have to automate it in a shell file that runs at boot and perhaps also daily):

    Use "nslookup" (or similar Terminal command) to find the worker's IP address:

    nslookup UsersHostNoIPcom-DNSname | grep -i address

    where "UsersHostNoIPcom-DNSname" is obviously the DNS name.
    This command returns lines with the worker's IP address (potentially the second line). Use "awk" and "cut" to filter out the worker's actual IP address from the rest. Once you have the IP address, then you can use "pfctl" to write a specific rule to allow that IP or, even better, use "afctl" to add the IP address to the "whitelist" of IP addresses that your firewall will not block. Force afctl into a running state, and your worker should have access through your firewall. If you are not familiar with these commands, the man pages will be helpful, i.e., "man afctl" for instance.


    P.S. I still think that the VPN solution is not only simpler but also more secure than opening your firewall to a single IP address (that can be spoofed) and allowing the insecure ftp. Just my opinion, of course.
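The resolve-then-whitelist approach described above, written out as an added example script (not switon's own, nor part of OS X Server). It assumes a pf table named remote_worker declared in pf.conf and a placeholder hostname; the firewall update uses pfctl's table replace rather than afctl, so the rule only ever contains the one currently resolved address.

```shell
#!/bin/sh
# Refresh a pf table with the address a dynamic-DNS hostname currently resolves to.
# Assumed pf.conf lines (hostname, table name and ports are placeholders):
#   table <remote_worker> persist
#   pass in quick proto tcp from <remote_worker> to any port { 22, 443 }
# Run from launchd at boot and from cron/launchd daily, as the post suggests.

WORKER_HOST="${WORKER_HOST:-worker.dyndns-placeholder.invalid}"
PF_TABLE="remote_worker"

# Pull the answer address out of nslookup output. nslookup prints the
# resolver's own "Address: x.x.x.x#53" line first, so drop lines containing
# '#', then accept only a dotted-quad IPv4 address (first match wins).
extract_ip() {
    grep -i '^Address' | grep -v '#' | awk '{print $2}' |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | head -n 1
}

# Constructed sample of macOS nslookup output, used for the offline self-check.
sample_nslookup_output() {
    printf 'Server:\t\t192.0.2.53\nAddress:\t192.0.2.53#53\n\n'
    printf 'Non-authoritative answer:\nName:\tworker.dyndns-placeholder.invalid\n'
    printf 'Address: 198.51.100.77\n'
}

resolve_worker() {
    nslookup "$WORKER_HOST" 2>/dev/null | extract_ip
}

# Replace the whole table atomically, so a stale address never lingers
# alongside the new one. Refuse to touch the firewall on a failed lookup.
update_table() {
    ip="$1"
    if [ -z "$ip" ]; then
        echo "could not resolve $WORKER_HOST; table $PF_TABLE left unchanged" >&2
        return 1
    fi
    pfctl -t "$PF_TABLE" -T replace "$ip"
}

# Only touch the live firewall when explicitly asked (e.g. from launchd).
if [ "${1:-}" = "run" ]; then
    update_table "$(resolve_worker)"
fi
```

Invoke it as `sh update-worker-table.sh run` from the root-owned job; the table stays restricted to the listed ports, so a spoofed source address still only reaches the services you chose to expose.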
  5. madtomt thread starter macrumors newbie

    Nov 14, 2012
    Thanks again for the help :)

The user's IP seems to change every week or so, so having to manually re-add a new IP address is a bit of a pain.

    Can we add the address which resolves back to him correctly to the firewall ?
  6. dazey macrumors 6502

    Dec 9, 2005
What you are doing is inherently insecure and you are leaving your network (very) open to attack. IP addresses can be spoofed. You should transition to VPN, which will make your network secure and solve your problem.
  7. switon macrumors 6502a

    Sep 10, 2012
    RE: shell scripts run by launchd (init) and daily (cron)...


    I'm not suggesting that you do this manually...rather that you write a shell script to execute automatically at boot and, say, once a day, to add his/her IP address to the whitelist for afctl. Unfortunately afctl requires an IP address, not a DNS name, for its whitelist. And as I attempted to point out, it only takes a couple commandlines in a shell script to determine his/her IP address and add it to the firewall's whitelist.

    Once again, however, VPN would be more secure and so much easier to implement for your home worker. Not only that, but once implemented you could then open VPN service to all of your home workers without having to write special firewall rules for each one. Encrypted VPN communication with strong authentication is really the way to go, and the vast majority of businesses with similar requirements for "external connections to internal networks" use VPN. You haven't stated why VPN does not work for you, and since you are already running a number of other services (ftp, ssh, web, afp, smb, etc.), adding vpn should be relatively easy.

    Good luck,
