Differences

docs:guide-user:firewall:filtering_traffic_at_ip_addresses_by_dns [2022/12/29 15:31] plinioseniore
docs:guide-user:firewall:filtering_traffic_at_ip_addresses_by_dns [2024/01/13 12:53] – [Improvements] plinioseniore
Line 1: Line 1:
 ====== fw4 Filtering traffic with IP sets by DNS ====== ====== fw4 Filtering traffic with IP sets by DNS ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
Line 19: Line 19:
 ===== [CASE 1] Command-line instructions =====  ===== [CASE 1] Command-line instructions ===== 
  
-Install //dnsmasq-full// as follow+Install //dnsmasq-full// as follows
  
 <code bash> <code bash>
-opkg update +opkg updatecd /tmp/ && opkg download dnsmasq-full; opkg install ipset libnettle8 libnetfilter-conntrack3; 
-cd /tmp/ && opkg download dnsmasq-full +opkg remove dnsmasqopkg install dnsmasq-full --cache /tmp/rm -f /tmp/dnsmasq-full*.ipk;
-opkg remove dnsmasq +
-opkg install dnsmasq-full --cache /tmp/ +
-rm -f /tmp/dnsmasq-full*.ipk+
 </code> </code>
  
Line 37: Line 34:
 A valid result should looks like //dnsmasq-full - 2.88-1// A valid result should looks like //dnsmasq-full - 2.88-1//
  
-In ///etc/rc.local// add the below code to create the **nft set** in which we will save the IP addresses, the proposed code is **ipv4** only but can be extended to cover **ipv6**+In ///etc/hotplug.d/iface/20-firewall// add the below code to create the **nft set** in which we will save the IP addresses, the proposed code is **ipv4** only but can be extended to cover **ipv6**
  
 <code bash> <code bash>
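Review bot: moving the set creation from /etc/rc.local into /etc/hotplug.d/iface/20-firewall means the block runs on every interface event rather than once at boot, so `nft add set` will fail or be repeated and `nft insert rule` will add a duplicate accept rule each time; make the block idempotent (run it only for the relevant `$ACTION` / `$INTERFACE`, or skip when `nft list set inet fw4 blackhole` already succeeds, and delete the old rule before inserting a new one). Also check that this file is not owned by the firewall package (`opkg files firewall4`); if it is, a package upgrade overwrites the edit, and a separately numbered file in the same directory would be safer. The same applies to CASE 2, which is moved to the same file. Minor: "A valid result should looks like" should read "should look like".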
Line 45: Line 42:
 nft insert rule inet fw4 forward_wildlan ip daddr @blackhole accept nft insert rule inet fw4 forward_wildlan ip daddr @blackhole accept
 </code> </code>
- 
-In some cases a //sleep 10// between the two commands can be required. 
  
 The //wildlan// zone has no access to internet unless the target IP address is listed in //blackhole//, with //dnsmasq 2.87// we can have that resolved IPs are automatically added to a set. The //wildlan// zone has no access to internet unless the target IP address is listed in //blackhole//, with //dnsmasq 2.87// we can have that resolved IPs are automatically added to a set.
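Review bot: dropping the "sleep 10" note is only safe if the custom commands run after fw4 has finished reloading for that interface; if `nft insert rule inet fw4 forward_wildlan ip daddr @blackhole accept` still races the reload (it fails when the table or chain is not yet present), keep the note or replace it with a short retry loop that waits until `nft list chain inet fw4 forward_wildlan` succeeds. It is also worth stating here that any fw4 reload recreates table inet fw4 and wipes both @blackhole and the inserted rule, which is the failure mode the new Next Improvements section describes.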
Line 57: Line 52:
 nftset=/second.allowed.urls/4#inet#fw4#blackhole nftset=/second.allowed.urls/4#inet#fw4#blackhole
 ... ...
 +</code>
 +
 +Looking to the case in which you want to ensure that only IP addresses resolved via your DNS are allowed, then use # wildcard. This make sense if you want avoid access via direct IP without a filter for specific URLs.
 +
 +<code bash>
 +nftset=/#/4#inet#fw4#blackhole
 </code> </code>
  
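Review bot: the new `/#/` example needs a clearer statement of what it changes: `#` matches every name dnsmasq resolves, so the per-domain allow-list no longer filters anything; any destination a client first resolves through this dnsmasq becomes reachable, and only connections to addresses that were never resolved here (direct-IP access, or names resolved through some other resolver) stay blocked. Say that explicitly instead of "without a filter for specific URLs", and note that the `/#/` line is used instead of, not alongside, the per-domain `nftset=` lines above it. Grammar: "Looking to the case" should read "For the case", and "This make sense if you want avoid" should read "This makes sense if you want to avoid".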
Line 69: Line 70:
 This applies only for //OpenWrt 22.03//, //OpenWrt 22.03.1// and //OpenWrt 22.03.2// that have an older release of //dnsmasq//. In this case we cannot use //dnsmasq// to automatically fill the IP addresses in the set, so this have to be done with a script. This applies only for //OpenWrt 22.03//, //OpenWrt 22.03.1// and //OpenWrt 22.03.2// that have an older release of //dnsmasq//. In this case we cannot use //dnsmasq// to automatically fill the IP addresses in the set, so this have to be done with a script.
  
-In ///etc/rc.local// add the below code to create the **nft set** in which we will save the IP addresses, the proposed code is **ipv4** only but can be extended to cover **ipv6**+In ///etc/hotplug.d/iface/20-firewall// add the below code to create the **nft set** in which we will save the IP addresses, the proposed code is **ipv4** only but can be extended to cover **ipv6**
  
 <code bash> <code bash>
Line 97: Line 98:
 Based on this forward chain only the traffic with destination to the IP addresses included in @blackhole will be allowed. Based on this forward chain only the traffic with destination to the IP addresses included in @blackhole will be allowed.
  
-The //rc.local// is executed at boot time, so that @blackhole will be filled with IP addresses only at that stage. That **set** shall be periodically updated for two reasons:+The ///etc/hotplug.d/iface/20-firewall// is executed at any change of any interface (so mostly at boot time), so that @blackhole will be filled with IP addresses only at that stage. That **set** shall be periodically updated for two reasons:
 1. The IP addresses may change 1. The IP addresses may change
 2. In case of DNS Load Balancing, the same DNS query will result in different IP addresses (all valid) based on time of request. 2. In case of DNS Load Balancing, the same DNS query will result in different IP addresses (all valid) based on time of request.
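Review bot: the reworded sentence is now contradictory: it says the hook runs at any change of any interface, yet @blackhole is filled "only at that stage"; since the set is rebuilt on every interface event and, as the two numbered reasons explain, still goes stale between events, say that the set is populated only when the hook fires and must additionally be refreshed on a timer. Also, in DokuWiki the "1." and "2." lines are not rendered as a numbered list; use the "  - " list syntax.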
Line 106: Line 107:
 </code> </code>
  
-In the ///etc/sets-ipdns/update-sets.sh// include the update of sets code from ///etc/rc.local//+In the ///etc/sets-ipdns/update-sets.sh//
  
 <code bash> <code bash>
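Review bot: the sentence "In the /etc/sets-ipdns/update-sets.sh" is now a fragment; the removed half told the reader what to put in the script. Restore it with the new path, e.g. "In /etc/sets-ipdns/update-sets.sh include the set-update code from /etc/hotplug.d/iface/20-firewall", or better, have the hotplug hook call update-sets.sh so the population logic exists in one place only.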
Line 132: Line 133:
  
 In //CASE 2// the script will periodically query the DNS with all domains included in ///etc/sets-ipdns/wildlan-urls.list// so that list should be reasonably small. In //CASE 2// the script will periodically query the DNS with all domains included in ///etc/sets-ipdns/wildlan-urls.list// so that list should be reasonably small.
 +
 +===== Next Improvements =====
 +
 +The command line instructions are included in ///etc/hotplug.d/iface/20-firewall// that trigger a rebuild of the firewall configuration at each change of any interface. Anyhow this is not trigged when a UCI/LUCI firewall change is applied. So at any change in the firewall configuration the rebuild will not involve the custom rules included in ///etc/hotplug.d/iface/20-firewall//, as result connectivity of devices that rely on this will be lost.
 +
 +The rules will be reapplied at next change in status of any interface, that could also be trigged on purpose to rebuild the rules.
 +
 +If in next released will be included a custom file for NFT commands that is trigged at any firewall rebuild, this problem will be solved.
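Review bot: the new section correctly identifies the failure mode (a UCI/LuCI firewall apply rebuilds table inet fw4 and drops the custom set and rule), but the closing sentence defers the fix to a future release; fw4 already loads custom nft snippets from /etc/nftables.d/*.nft at every rebuild, so the set definition and the forward rule could move there and the hotplug hook would no longer be needed for CASE 1. Verify this on the target release before stating it on the page. Typos: "trigged" should be "triggered" (three occurrences), "as result" should be "as a result", and "If in next released will be included" should read "If a future release includes".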
  • Last modified: 2024/05/27 21:51
  • by systemcrash