
I'm trying to allow a service to a set of machines via Windows Firewall. I'd like to add my home machine to the firewall but my home machine has a dynamic ip address. I use dyndns so that I have a hostname which I can always connect to. So I'm trying to see if there is a way I can use my hostname instead of an IP.

Thanks

Update

Let me add a little more information, perhaps there are other ways to resolve my issue. The server is a web server hosted by RackSpace. I only want to allow RDP access from my work (static IP, so no problem) and home (dynamic). My home IP doesn't change too often, just often enough to annoy me. So maybe there is a better way to do this... maybe VPN?

Denny Ferrassoli

5 Answers


Here are a few options:

  • Instead of using a single IP address, use your entire dynamic port range assigned to you by your ISP. That'll limit your exposure to machines in your vicinity.
  • Use an SSL tunnel to connect to the machine and limit RDP connections to the local host. That'll be much safer but it will also make it a bit more complex to connect since you'll need to establish the tunnel first. You can also mandate client certificates for connections which will make it very secure without requiring you to limit the accepted IP range for incoming connections. stunnel can do this kind of thing for you. Or ncat.
  • As a last resort, try creating a VPN to your machine using IPSec. It's complex to set up and not too easy to pass through firewalls, though.
Stephane

Why don't you just VPN to work and RDP to your work machine and connect to the rackspace server through there. I hop and tunnel through other clients all the time.

Tatas

As far as I know, you cannot do that unless you write a script to do the lookup and adjust the rule.

But in all honesty, you shouldn't do that: DNS isn't really a secure service unless you're using DNSSEC (which I doubt). In addition, you shouldn't need to do that, really, unless you have restrictions on your outbound connections from an external machine. What are you really trying to do here?

Stephane
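For anyone who does go the "script the lookup and adjust the rule" route from the answer above, here is an added example (not from the original answers) of a PowerShell script that resolves the DynDNS hostname and rewrites the RemoteAddress list of an existing Windows Firewall RDP rule, keeping the work static IP as a fixed entry. The rule name, hostname and work IP are placeholders you would replace; it assumes Windows Server 2012 or later (the NetSecurity and DnsClient cmdlets) and an elevated scheduled task to run it periodically.

```powershell
# Added example: refresh the remote-address scope of an existing inbound RDP firewall rule
# from a DynDNS hostname. Placeholders below are assumptions, not values from the question.
$RuleName      = 'RDP from work and home'     # assumed display name of your existing rule
$HomeHostname  = 'home.example.dyndns.org'    # placeholder: your DynDNS hostname
$StaticAllowed = @('203.0.113.10')            # placeholder: your work's static IP

# Resolve the hostname to IPv4 A records only. DNS is not authenticated (see the answer
# above), so a lookup failure or an odd answer must never widen the rule: on any problem
# we leave the existing rule untouched and log a warning.
try {
    $resolved = @(Resolve-DnsName -Name $HomeHostname -Type A -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' } |
        Select-Object -ExpandProperty IPAddress)
} catch {
    Write-Warning "Could not resolve $HomeHostname; leaving '$RuleName' unchanged."
    return
}
if ($resolved.Count -ne 1) {
    Write-Warning "Expected exactly one A record for $HomeHostname, got $($resolved.Count); leaving rule unchanged."
    return
}

# Desired scope = fixed static entries + the single current home address.
$desired = @($StaticAllowed + $resolved) | Sort-Object -Unique

# Read the rule's current remote-address filter and only write when something changed,
# so the scheduled task is a no-op (and leaves no log noise) while the home IP is stable.
$rule    = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction Stop
$current = @((Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $rule).RemoteAddress) |
    Sort-Object -Unique

if (Compare-Object -ReferenceObject $current -DifferenceObject $desired) {
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $desired
    Write-Output "Updated '$RuleName' remote addresses to: $($desired -join ', ')"
} else {
    Write-Output "'$RuleName' already scoped to: $($current -join ', ')"
}
```

Because the home entry is only ever replaced, never appended, a stale address stops being allowed as soon as the hostname moves; the work IP stays reachable even if DNS is down.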

This kind of thing really should be done on the perimeter firewall, not the server firewall. Having said that, I'm not aware of a satisfactory way to do what you are after. It would be far preferable in this instance to use a technique that doesn't rely on prior knowledge of the source address. Port knocking would be a good technique to employ but I don't know if that is readily achievable on Windows.


Does Rackspace support IPv6? If so you can get a static v6 assignment from a tunnel broker (e.g. Hurricane Electric or SixXS) for your home machine.

Gerald Combs