Hello,
Just wanted to let the maintainers know that we've just started
using the PSL for safely allowing wildcarded allowlisting patterns
in our outbound network firewall (egress filtering)
configuration. I believe this is an entirely new use case, not
something I've seen in other network firewalls or on your Learn
More page.
Our users are now able to configure wildcards such as
*.github.com when configuring the allowed egress domain names
(used in TLS) through our cloud security gateway. *.cloudflare.net
and *.github.io will be rejected because they're in the PSL, for
example. More on that here in our docs about this.
There are other examples such as *.s3.*.amazonaws.com which should be rejected too, and are, in our case. I had to write a custom parser (we're a Rust shop) to validate patterns with wildcards against this list, as opposed to given, fully formulated FQDNs (which is what most libraries offer).
I had resisted implementing '*' in allowlists for a long time because of the safety issues with its use. Users just wanted to '*' everything and tick the egress filtering box. This list has allowed us to build a much, much safer-to-use solution.
Any questions, please let me know.
Thanks for maintaining this list.
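The check the post describes, as an added Rust example (not the poster's code and not the PSL project's): a wildcard allowlist pattern is rejected when any public-suffix rule could reach the label(s) a `*` stands for, which is exactly what makes `*.github.io`, `*.cloudflare.net` and `*.s3.*.amazonaws.com` unsafe while `*.github.com` is fine. Assumptions: the embedded list is a small constructed subset written in the PSL file format (not the real list); `*` matches one or more whole labels (the more permissive reading, so the check is also sound if the gateway treats `*` as a single label); `!` exception rules are skipped, which can only make the check stricter; IDNA/punycode normalisation is out of scope.

```rust
/// Constructed subset of a Public Suffix List in the list's own format:
/// one rule per line, `//` comments, `*.` wildcard rules, `!` exceptions.
/// Not the real PSL; entries chosen only to exercise the checker.
const PSL_SNIPPET: &str = "\
// ===BEGIN ICANN DOMAINS===
com
net
io
jp
*.ck
!www.ck
// ===BEGIN PRIVATE DOMAINS===
github.io
cloudflare.net
s3.amazonaws.com
s3.us-east-1.amazonaws.com
*.compute.amazonaws.com
";

/// Parsed rules, each stored as labels in right-to-left order
/// (`github.io` becomes ["io", "github"]).
pub struct Psl {
    rules: Vec<Vec<String>>,
}

impl Psl {
    pub fn parse(text: &str) -> Psl {
        let rules: Vec<Vec<String>> = text
            .lines()
            .map(str::trim)
            .filter(|l| !l.is_empty() && !l.starts_with("//"))
            // Exception rules (`!www.ck`) make a name *not* a public suffix.
            // Dropping them only makes this validator reject more, never less.
            .filter(|l| !l.starts_with('!'))
            .map(|l| l.to_ascii_lowercase().rsplit('.').map(String::from).collect())
            .collect();
        Psl { rules }
    }
}

#[derive(Debug, PartialEq)]
pub enum Rejection {
    EmptyLabel,
    /// `*` used inside a label, e.g. `foo*.example.com`
    BadWildcard,
    /// The PSL rule (in normal left-to-right form) that reaches the wildcard.
    WildcardCoversPublicSuffix(String),
}

/// Both slices are right-to-left labels. Returns true when this rule, matched
/// against some hostname the pattern can produce, covers a wildcard label or
/// ends immediately before one (the wildcard would then *be* the registrable
/// domain, e.g. `*.github.io`). A rule `*` matches any single label.
fn rule_reaches_wildcard(rule: &[String], pat: &[String]) -> bool {
    match (rule.first(), pat.first()) {
        // Fixed labels of the pattern exhausted without touching a wildcard.
        (_, None) => false,
        // Rule still has labels, or has just ended, where the pattern has `*`.
        (_, Some(p)) if p == "*" => true,
        (None, Some(_)) => false,
        (Some(r), Some(p)) if r == "*" || r == p => {
            rule_reaches_wildcard(&rule[1..], &pat[1..])
        }
        _ => false,
    }
}

/// Accepts a pattern only if every hostname it can match has its registrable
/// domain made entirely of the pattern's fixed labels.
pub fn validate_pattern(psl: &Psl, pattern: &str) -> Result<(), Rejection> {
    let labels: Vec<String> = pattern
        .trim_end_matches('.')
        .to_ascii_lowercase()
        .rsplit('.')
        .map(String::from)
        .collect();
    for l in &labels {
        if l.is_empty() {
            return Err(Rejection::EmptyLabel);
        }
        if l.contains('*') && l != "*" {
            return Err(Rejection::BadWildcard);
        }
    }
    if !labels.iter().any(|l| l == "*") {
        return Ok(()); // plain FQDN: nothing for the wildcard check to do
    }
    for rule in &psl.rules {
        if rule_reaches_wildcard(rule, &labels) {
            let mut text: Vec<&str> = rule.iter().map(String::as_str).collect();
            text.reverse();
            return Err(Rejection::WildcardCoversPublicSuffix(text.join(".")));
        }
    }
    Ok(())
}

fn main() {
    let psl = Psl::parse(PSL_SNIPPET);
    for p in ["*.github.com", "*.github.io", "*.cloudflare.net",
              "*.s3.*.amazonaws.com", "*.com", "*.bar.foo.ck"] {
        println!("{p:24} -> {:?}", validate_pattern(&psl, p));
    }
}
```

Note that `*.foo.ck` is rejected because the `*.ck` rule makes `foo.ck` itself a public suffix, while `*.bar.foo.ck` is accepted; and that skipping `!www.ck` means `*.www.ck` is rejected even though the real list would treat `www.ck` as registrable, which is the safe direction to err in for an egress allowlist.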