Block inbound domains by wildcard fqdn

m270 + 12.8.1

Can I make a rule to block inbound traffic using a wildcard domain?

eg scanner1.host.tld, scanner2.host.tld, etc

Looking here, I don't think so

https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/policies/fqdn_about_c.html

When you define a domain name in your configuration, your Firebox performs forward DNS resolution for the specified domain and stores the IP address mappings. For wildcard domains such as *.example.com, the device performs forward DNS resolution on example.com and www.example.com.

Comments

  • Looks like one can. Sorry to bother you.

    FWDeny, Denied, pri=4, disp=Deny, policy=EXCEPTION-Block-Inbound-00, protocol=http/tcp, src_ip=64.62.197.17, src_port=3956, dst_ip=x.x.x.x, dst_port=80, dst_ip_nat=10.10.10.251, src_intf=EXT-BUSINESS, dst_intf=INT-BUSINESS, rc=101, pckt_len=48, ttl=46, pr_info=offset 7 S 3574765286 win 25765, 3000-0148, fqdn_src_match=shadowserver.org, geo_src=USA; geo_dst=USA

    FQDN[156:1] domainID: 5, shadowserver.org(shadowserver.org), refcnt: 1, Status: Perfect
    FQDN[156:1] IP Count: 24 , Sub-label: 23 , total-adding=32 , total-deleting=8 , total-earlydrop=0
    FQDN[156:1] Type: wildcard , Duration: 0 (s)
    FQDN[156:1] NS: ns3.shadowserver.org(64.71.137.250), AA-Min-TTL: 3600, Duration: 0 (s), Update-count: 1
    FQDN[156:1] TTL: 3600(s), Flag: 00000600
    FQDN[156:1] In groups: fqdn:pol_35_from,

    Index Address TTL TTL-PKT AA Expiration FLAG Label CNAME
    [001] 64.62.197.2 3600 3600 AA remain 0h:30m:4s 00000057 scan-36a
    [002] 64.62.197.17 3600 3600 AA remain 0h:30m:4s 00000057 scan-44a

    snip

  • To be sure you get it....

    ^[0-9a-zA-Z_-.]{1,256}.DOMAIN-HERE.com/

  • james.carson Moderator, WatchGuard Representative

    Hi @Steve_E
    You can, however the firewall will convert it to an IP table (as you noted in your FQDN dump in your reply.) If it's a shared hosting service (think any service you can pay to host a webpage that doesn't give you a dedicated IP) you could potentially deny traffic to/from other hosts if they also resolve to those IPs.

    -James Carson
    WatchGuard Customer Support

  • So if I want to drop someone using shared hosting from getting in, what kind of rule works for that?

  • No such ability.
    The blocks are done by IP address.
    One either blocks all from that IP addr or allows all from that IP addr.
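To make the point in this thread concrete, the following is an added example (not WatchGuard's implementation and not code from any poster): it models how a wildcard FQDN rule is expanded into an IP table, shows which unrelated hostnames on a shared-hosting IP would be denied as collateral, and parses an FWDeny log line of the same shape as the one posted above to check the source IP against that table. The DNS table, hostnames, IPs and log line are all constructed for the example.

```python
"""Wildcard FQDN rule -> IP table, plus collateral check and log parsing.
Example code added for this thread; not WatchGuard's implementation.
All hostnames, IP addresses and the DNS table here are constructed."""
import re
from ipaddress import ip_address

# Constructed stand-in for what a resolver would return; not real DNS data.
DNS_TABLE = {
    "scanner1.example-scanner.tld": {"198.51.100.10", "198.51.100.11"},
    "scanner2.example-scanner.tld": {"198.51.100.12"},
    "example-scanner.tld": {"198.51.100.10"},
    "www.example-scanner.tld": {"198.51.100.10"},
    # Unrelated site on a shared-hosting IP that also serves scanner2
    "blog.example-partner.tld": {"198.51.100.12"},
    "shop.example-other.tld": {"203.0.113.7"},
}


def in_domain(name: str, apex: str) -> bool:
    """True if name is the apex itself or any label under it."""
    return name == apex or name.endswith("." + apex)


def resolve_wildcard(pattern: str, dns: dict) -> set:
    """Expand a wildcard rule such as '*.example-scanner.tld' into the set of
    IPs it would block: every known name under the domain plus the apex.
    Models the firewall converting the FQDN rule to an IP table."""
    if not pattern.startswith("*."):
        raise ValueError("only wildcard patterns are modelled here")
    apex = pattern[2:]
    ips = set()
    for name, addrs in dns.items():
        if in_domain(name, apex):
            ips |= addrs
    return ips


def collateral_hosts(blocked_ips: set, dns: dict, apex: str) -> set:
    """Hostnames outside the blocked domain that share an IP with it.
    Traffic to/from these would be denied too: the shared-hosting caveat."""
    return {
        name for name, addrs in dns.items()
        if not in_domain(name, apex) and addrs & blocked_ips
    }


# key=value pairs separated by ',' or ';' in Firebox traffic log lines
LOG_RE = re.compile(r"(\w+)=([^,;]+)")


def parse_fwdeny(line: str) -> dict:
    """Split a Firebox FWDeny log line into its key=value fields and validate
    the address fields that are not masked (dst_ip may appear as x.x.x.x)."""
    fields = dict(LOG_RE.findall(line))
    for key in ("src_ip", "dst_ip_nat"):
        if key in fields:
            ip_address(fields[key])  # raises ValueError on a malformed address
    return fields


def would_be_blocked(fields: dict, blocked_ips: set) -> bool:
    """True if the log line's source IP is in the rule's IP table."""
    return fields.get("src_ip") in blocked_ips


# Constructed log line in the same layout as the one posted in the thread.
SAMPLE_LOG = (
    "FWDeny, Denied, pri=4, disp=Deny, policy=EXCEPTION-Block-Inbound-00, "
    "protocol=http/tcp, src_ip=198.51.100.12, src_port=3956, dst_ip=x.x.x.x, "
    "dst_port=80, dst_ip_nat=10.10.10.251, src_intf=EXT, dst_intf=INT, rc=101, "
    "fqdn_src_match=example-scanner.tld, geo_src=USA; geo_dst=USA"
)

if __name__ == "__main__":
    blocked = resolve_wildcard("*.example-scanner.tld", DNS_TABLE)
    print("IP table for rule:", sorted(blocked))
    print("Collateral hosts:", collateral_hosts(blocked, DNS_TABLE, "example-scanner.tld"))
    fields = parse_fwdeny(SAMPLE_LOG)
    print("fqdn_src_match:", fields["fqdn_src_match"], "blocked:", would_be_blocked(fields, blocked))
```

Running it shows the rule's IP table picking up `blog.example-partner.tld` as collateral because it shares 198.51.100.12 with `scanner2.example-scanner.tld`, which is exactly why an IP-based block cannot single out one tenant of a shared host.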
