Firewall PortForwarding Question

NethServer Version: 7.9
Module: Firewall / IPS

Hi

Thank you for this great tool. It's been my go-to for any new homelab deployment. I have a question regarding an issue I am facing lately.

I have some devices that run remotely on dynamic IPs, where in the event they lose power or reboot they would get a new IP. There is a way I can link these devices to DDNS; however, I have no way to add a dynamic DNS name to the NethServer allow list, which only allows CIDR, and that is the issue I am having.

Is there any way I can lock a port forwarding allow list to DDNS instead of IPs? It would be awesome if there is a way around this.

Thanks for this great community and Happy Holidays

1 Like

Firewalls, as port forwarding, don't understand hostnames, only IPs.
Maybe some other firewall software allows doing that, but it introduces at least the vulnerability of DNS poisoning. I don't know which firewall developer would do this.

1 Like

Hi @Zal

And welcome to the NethServer community.

One option you can use is Site2Site VPNs. These work quite well using either IPsec V2 or OpenVPN.
It can also work with Wireguard, but there's no GUI in NethServer for that.

And yes, all three can work with DynamicDNS names.

You'd be connected to all remote devices, and secure using VPN…

My 2 cents
Andy

PS:
Pike is right, firewalls work with IPs and Ports, not with DNS names.

2 Likes

There are certain firewall models from certain firewall vendors which allow the use of hostnames.

However, the preference should always be to use IP Addresses by default from a security perspective in order to prevent the obvious DNS Poisoning issue which @pike mentioned.

1 Like

A cron job that periodically checks the domain's IP and changes the firewall object accordingly is another option, but not the best/safest one.
Some examples:

But VPN is safer.

1 Like
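A sketch of the cron-job approach from the post above, added here as an example (not code from the thread or from NethServer), with the sanity checks the DNS-poisoning warnings in this thread call for. The DDNS name, object name and state file are placeholders, and the `db hosts setprop` / `signal-event firewall-adjust` update step is an assumption about the NethServer 7 CLI.

```shell
#!/bin/sh
# Added example: resolve a DDNS name and update a NethServer 7 firewall host
# object only when the answer passes sanity checks. Names and paths below are
# made-up placeholders; the db/signal-event update command is an assumption.
DDNS_NAME="${DDNS_NAME:-remote-device.ddns.example.invalid}"
FW_OBJECT="${FW_OBJECT:-remote-device}"
STATE_FILE="${STATE_FILE:-/var/lib/ddns-allow/${FW_OBJECT}.ip}"

# Accept only a syntactically valid dotted quad that is not 0.x, loopback or
# multicast/reserved, so an empty, garbled or poisoned DNS reply never widens
# the allow list. Returns 0 when acceptable, 1 otherwise.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        $1 == 0 || $1 == 127 || $1 >= 224 { exit 1 }
        { exit 0 }'
}

# First IPv4 answer for a name (glibc resolver; no network use at load time).
resolve_ipv4() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# Pure decision step: print "reject" (bad answer), "noop" (unchanged) or
# "update" (changed and acceptable), given the stored IP and the fresh one.
decide_update() {
    if ! valid_ipv4 "$2"; then echo reject
    elif [ "$2" = "$1" ]; then echo noop
    else echo update
    fi
}

# Apply the new address and reload the ruleset; log it so the change is
# traceable, as the thread points out for the VPN option.
apply_update() {
    db hosts setprop "$FW_OBJECT" IpAddress "$1" &&
    signal-event firewall-adjust &&
    mkdir -p "$(dirname "$STATE_FILE")" && printf '%s\n' "$1" > "$STATE_FILE" &&
    logger -t ddns-allow "$FW_OBJECT: $2 -> $1"
}

sync_object() {
    old=$(cat "$STATE_FILE" 2>/dev/null); new=$(resolve_ipv4 "$DDNS_NAME")
    case $(decide_update "$old" "$new") in
        update) apply_update "$new" "${old:-none}" ;;
        reject) logger -t ddns-allow "$FW_OBJECT: refused answer '$new'" ;;
    esac
}
# Cron entry, e.g. every 5 minutes: DDNS_SYNC_RUN=1 /usr/local/sbin/ddns-allow.sh
if [ "${DDNS_SYNC_RUN:-0}" = "1" ]; then sync_object; fi
```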

And it's easier to track in logs.

1 Like

Hi

Thank you all for the help, truly appreciate it

Well, the concept of using the DDNS would be just so it would refresh their new IP and whitelist it on that port forwarding rule. I wish there were a way around this, as VPN is the current option we have. Thanks again