12

I'm trying to allow a service to a set of machines via Windows Firewall. I'd like to add my home machine to the firewall, but my home machine has a dynamic IP address. I use DynDNS so that I have a hostname which I can always connect to. So I'm trying to see if there is a way I can use my hostname instead of an IP.

Thanks

Update

Let me add a little more information, perhaps there are other ways to resolve my issue. The server is a web server hosted by RackSpace. I only want to allow RDP access from my work (static IP, so no problem) and home (dynamic). My home IP doesn't change too often, just often enough to annoy me. So maybe there is a better way to do this... maybe VPN?

Denny Ferrassoli

5 Answers

3

Here are a few options:

  • Instead of using a single IP address, use the entire dynamic range assigned to you by your ISP. That'll limit your exposure to machines in your vicinity.
  • Use an SSL tunnel to connect to the machine and limit RDP connections to the local host. That'll be much safer, but it will also make it a bit more complex to connect since you'll need to establish the tunnel first. You can also mandate client certificates for connections, which will make it very secure without requiring you to limit the accepted IP range for incoming connections. stunnel can do this kind of thing for you. Or ncat.
  • As a last resort, try creating a VPN to your machine using IPsec. It's complex to set up and not too easy to pass through firewalls, though.
Stephane
1

Why don't you just VPN to work, RDP to your work machine and connect to the Rackspace server through there? I hop and tunnel through other clients all the time.

Tatas
0

As far as I know, you cannot do that unless you write a script to do the lookup and adjust the rule.

But in all honesty, you shouldn't do that: DNS isn't really a secure service unless you're using DNSSEC (which I doubt). In addition, you shouldn't need to do that, really, unless you have restrictions on your outbound connections from an external machine. What are you really trying to do here?

Stephane
  • What does that second paragraph have to do with the question? It looks as if you're answering a different question entirely. – John Gardeniers Sep 13 '10 at 11:17
  • I agree with John. I couldn't make any sense of your second paragraph or how it relates to the question. – joeqwerty Sep 13 '10 at 11:59
  • Sorry if it isn't clear. My points are 1/ You shouldn't use DNS lookups to build your firewall rules because that's a very easy way for an external party to control what these rules do. 2/ I can't think of any setup where this would be required unless you're talking about outbound connections. Since I don't really understand the setup the OP described (what machine is trying to connect to what other machine) and since there isn't really much point in controlling outbound connections on a local machine, I'm asking what exactly he's trying to do. Is that description better? – Stephane Sep 13 '10 at 12:05
  • I've updated my question with more information. – Denny Ferrassoli Sep 13 '10 at 17:57
  • @Stephane DNS rules are not so easy to control if a lookup is performed twice: reverse/forward, and the results are required to match. – Veniamin Oct 25 '13 at 07:08
  • @Veniamin I won't go into the details about how DNS can be subverted, but rest assured that performing the same query twice does not add anything to the "security" of the system. – Stephane Oct 25 '13 at 07:19
  • @Stephane I never said that the same query should be performed twice. I said that forward and reverse lookups should match. This way you cannot claim to be www.microsoft.com, since a forward lookup for www.microsoft.com will not return your address. A man-in-the-middle attack is hardly probable for DNS in most modern environments. But I agree with you that DNS rules have potential security issues that one should be aware of, and your initial remark is helpful. – Veniamin Oct 28 '13 at 11:31
  • @Veniamin checking the PTR doesn't really improve security in principle, since you've already decided that DNS has been subverted. There is a mechanism to make DNS secure (well, more secure) that doesn't rely on random assumptions: DNSSEC. Frankly, anyone trying to build a secure solution that relies on DNS being secure should invest in DNSSEC. – Stephane Oct 28 '13 at 13:30
  • "...unless you write a script to do the lookup and adjust the rule." How would you script this? I found scripts to create / disable rules but none to adjust a rule... – Andrew Bucklin May 05 '14 at 02:37
  • @Stephane, http://help.ovh.com/Firewall#link2 is an example situation where a DNS rule is even required by the web host: they ask to allow their internal monitoring servers through by their DNS names. (Hopefully those names are internally resolved when the requester is hosted by them, otherwise that would be quite lame.) I guess they want to be free to add new monitoring servers without having to ask their customers to adjust their firewall rules. – Frédéric Mar 25 '15 at 15:30
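The "write a script to do the lookup and adjust the rule" approach asked about in the comments above, written defensively: resolve the DynDNS name, refuse to touch the rule unless the answer is a single public IPv4 address, and only then rewrite the rule's remote-address scope so it always contains the static work address plus the current home address. This is an added example, not code from any poster in this thread; the rule name `RDP-Home`, the hostname `home.example.dyndns.invalid` and the work address `198.51.100.10` are placeholders, and it assumes the NetSecurity and DnsClient cmdlets (Windows 8 / Server 2012 and later) running in an elevated session. It does not remove the trust-in-DNS problem Stephane raises; it only makes sure a failed or odd lookup never widens the rule.

```powershell
# Added example (hypothetical names): keep a Windows Firewall rule's RemoteAddress
# scope in sync with a DynDNS hostname, failing closed on any lookup problem.
param(
    [string]$RuleName      = 'RDP-Home',                    # assumed rule display name
    [string]$HomeHost      = 'home.example.dyndns.invalid',  # assumed DynDNS hostname
    [string[]]$StaticAllowed = @('198.51.100.10')            # placeholder work address
)

function Resolve-HomeAddress {
    param([string]$HostName)
    # Forward lookup, A records only, bypassing the local cache (-DnsOnly).
    $records = @(Resolve-DnsName -Name $HostName -Type A -DnsOnly -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'A' })
    if ($records.Count -ne 1) {
        throw "Expected exactly one A record for $HostName, got $($records.Count)"
    }
    $ip = [System.Net.IPAddress]::Parse($records[0].IPAddress)
    # A home connection's DynDNS name must resolve to a public address; a private,
    # loopback or link-local answer means something is wrong, so refuse it.
    $b = $ip.GetAddressBytes()
    $nonPublic = ($b[0] -eq 10) -or ($b[0] -eq 127) -or
                 ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
                 ($b[0] -eq 192 -and $b[1] -eq 168) -or
                 ($b[0] -eq 169 -and $b[1] -eq 254)
    if ($nonPublic) {
        throw "$HostName resolved to non-public address $ip; refusing to update rule"
    }
    return $ip.IPAddressToString
}

function Update-HomeRule {
    param([string]$RuleName, [string]$HomeHost, [string[]]$StaticAllowed)
    # Fail if the rule does not exist: never create a fresh allow rule from here.
    $rule    = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction Stop
    $current = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    try {
        $homeIp = Resolve-HomeAddress -HostName $HomeHost
    } catch {
        # Leave the existing scope untouched; a lookup failure must not widen the rule.
        Write-Warning "Lookup failed, rule '$RuleName' left unchanged: $_"
        return $false
    }
    $desired = @(($StaticAllowed + $homeIp) | Sort-Object -Unique)
    if ((($current | Sort-Object -Unique) -join ',') -eq ($desired -join ',')) {
        Write-Verbose "No change for '$RuleName'"
        return $false
    }
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $desired
    Write-Output "Rule '$RuleName' remote scope is now: $($desired -join ', ')"
    return $true
}

Update-HomeRule -RuleName $RuleName -HomeHost $HomeHost -StaticAllowed $StaticAllowed
```

Run it from a scheduled task every few minutes (or just after the DynDNS client updates). Because `$StaticAllowed` is always re-applied, a stale home address is replaced rather than accumulated, and the work address can never be dropped by a bad lookup.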
0

This kind of thing really should be done on the perimeter firewall, not the server firewall. Having said that, I'm not aware of a satisfactory way to do what you are after. It would be far preferable in this instance to use a technique that doesn't rely on prior knowledge of the source address. Port knocking would be a good technique to employ but I don't know if that is readily achievable on Windows.

John Gardeniers
0

Does Rackspace support IPv6? If so you can get a static v6 assignment from a tunnel broker (e.g. Hurricane Electric or SixXS) for your home machine.

Gerald Combs