Differences

This shows you the differences between two versions of the page.

docs:guide-user:firewall:filtering_traffic_at_ip_addresses_by_dns [2022/12/30 19:14] pliniosenioredocs:guide-user:firewall:filtering_traffic_at_ip_addresses_by_dns [2024/01/13 12:53] – [Improvements] plinioseniore
Line 1: Line 1:
 ====== fw4 Filtering traffic with IP sets by DNS ====== ====== fw4 Filtering traffic with IP sets by DNS ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
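Review bot: the infobox link changes from howto_links#cli_skills to howto_links#basic_skills, but the procedure still requires a shell session (opkg, editing files under /etc/hotplug.d, nft commands), so the cli_skills prerequisite looks like the accurate one; keep it unless the howto is rewritten for LuCI.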
Line 19: Line 19:
 ===== [CASE 1] Command-line instructions =====  ===== [CASE 1] Command-line instructions ===== 
  
-Install //dnsmasq-full// as follow+Install //dnsmasq-full// as follows
  
 <code bash> <code bash>
-opkg update +opkg updatecd /tmp/ && opkg download dnsmasq-full; opkg install ipset libnettle8 libnetfilter-conntrack3; 
-cd /tmp/ && opkg download dnsmasq-full +opkg remove dnsmasqopkg install dnsmasq-full --cache /tmp/rm -f /tmp/dnsmasq-full*.ipk;
-opkg remove dnsmasq +
-opkg install dnsmasq-full --cache /tmp/ +
-rm -f /tmp/dnsmasq-full*.ipk+
 </code> </code>
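Review bot: the rendered new text runs the commands together (`opkg updatecd /tmp/ && ...` and `opkg remove dnsmasqopkg install dnsmasq-full --cache /tmp/rm -f ...`), so the separators between `opkg update`, `cd /tmp/ && opkg download dnsmasq-full`, `opkg remove dnsmasq`, `opkg install dnsmasq-full --cache /tmp/` and `rm -f /tmp/dnsmasq-full*.ipk` must be restored as line breaks or `;` before a reader can paste this. The ordering itself is right: the added `opkg install ipset libnettle8 libnetfilter-conntrack3;` fetches the dependencies while dnsmasq is still resolving names, because after `opkg remove dnsmasq` the router has no resolver. The pinned names `libnettle8` and `libnetfilter-conntrack3` tie the page to one release (the soname suffix changes between releases), so state which OpenWrt version they were verified on.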
  
Line 37: Line 34:
 A valid result should looks like //dnsmasq-full - 2.88-1// A valid result should looks like //dnsmasq-full - 2.88-1//
  
-In ///etc/rc.local// add the below code to create the **nft set** in which we will save the IP addresses, the proposed code is **ipv4** only but can be extended to cover **ipv6**+In ///etc/hotplug.d/iface/20-firewall// add the below code to create the **nft set** in which we will save the IP addresses, the proposed code is **ipv4** only but can be extended to cover **ipv6**
  
 <code bash> <code bash>
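Review bot: moving the snippet from /etc/rc.local to /etc/hotplug.d/iface/20-firewall changes when it runs: once per interface event (ifup and ifdown, for every interface) instead of once at boot, so the code that creates the nft set must be safe to re-run and must not flush a set that already holds addresses. Also say whether the reader appends to an existing 20-firewall or creates the file: fw4 ships its own hotplug script under that name, so local additions there can be lost on a package upgrade; a separately named file (for example 25-custom-sets, a suggested name) avoids that.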
Line 55: Line 52:
 nftset=/second.allowed.urls/4#inet#fw4#blackhole nftset=/second.allowed.urls/4#inet#fw4#blackhole
 ... ...
 +</code>
 +
 +Looking to the case in which you want to ensure that only IP addresses resolved via your DNS are allowed, then use # wildcard. This make sense if you want avoid access via direct IP without a filter for specific URLs.
 +
 +<code bash>
 +nftset=/#/4#inet#fw4#blackhole
 </code> </code>
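Review bot: with the wildcard `nftset=/#/4#inet#fw4#blackhole` present, the per-domain `nftset=/second.allowed.urls/4#inet#fw4#blackhole` lines are redundant, so the text should present the two forms as alternatives rather than something to add on top. The stated guarantee that "only IP addresses resolved via your DNS are allowed" holds only for clients that actually resolve through this dnsmasq; the forward chain also has to stop clients reaching other resolvers (direct port 53 or 853 to the internet, DNS over HTTPS) or the set is bypassed by resolving elsewhere. Wording in the added paragraph: "Looking to the case" -> "For the case", "This make sense if you want avoid" -> "This makes sense if you want to avoid".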
  
Line 67: Line 70:
 This applies only for //OpenWrt 22.03//, //OpenWrt 22.03.1// and //OpenWrt 22.03.2// that have an older release of //dnsmasq//. In this case we cannot use //dnsmasq// to automatically fill the IP addresses in the set, so this have to be done with a script. This applies only for //OpenWrt 22.03//, //OpenWrt 22.03.1// and //OpenWrt 22.03.2// that have an older release of //dnsmasq//. In this case we cannot use //dnsmasq// to automatically fill the IP addresses in the set, so this have to be done with a script.
  
-In ///etc/rc.local// add the below code to create the **nft set** in which we will save the IP addresses, the proposed code is **ipv4** only but can be extended to cover **ipv6**+In ///etc/hotplug.d/iface/20-firewall// add the below code to create the **nft set** in which we will save the IP addresses, the proposed code is **ipv4** only but can be extended to cover **ipv6**
  
 <code bash> <code bash>
Line 95: Line 98:
 Based on this forward chain only the traffic with destination to the IP addresses included in @blackhole will be allowed. Based on this forward chain only the traffic with destination to the IP addresses included in @blackhole will be allowed.
  
-The //rc.local// is executed at boot time, so that @blackhole will be filled with IP addresses only at that stage. That **set** shall be periodically updated for two reasons:+The ///etc/hotplug.d/iface/20-firewall// is executed at any change of any interface (so mostly at boot time), so that @blackhole will be filled with IP addresses only at that stage. That **set** shall be periodically updated for two reasons:
 1. The IP addresses may change 1. The IP addresses may change
 2. In case of DNS Load Balancing, the same DNS query will result in different IP addresses (all valid) based on time of request. 2. In case of DNS Load Balancing, the same DNS query will result in different IP addresses (all valid) based on time of request.
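Review bot: the rewritten sentence contradicts itself: it says the script runs "at any change of any interface" and then that @blackhole is filled "only at that stage". Suggest "is executed on every interface event (in practice mostly at boot), so @blackhole is only filled when the script runs, not continuously", which also motivates the two reasons that follow. Drop "The" before the path and "so mostly" -> "in practice mostly".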
Line 104: Line 107:
 </code> </code>
  
-In the ///etc/sets-ipdns/update-sets.sh// include the update of sets code from ///etc/rc.local//+In the ///etc/sets-ipdns/update-sets.sh//
  
 <code bash> <code bash>
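Review bot: the edited line "In the /etc/sets-ipdns/update-sets.sh" is now an incomplete sentence: the clause telling the reader what to put in the script was removed together with the rc.local reference and nothing replaced it. Suggest "In /etc/sets-ipdns/update-sets.sh include the set-update code from /etc/hotplug.d/iface/20-firewall".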
Line 131: Line 134:
 In //CASE 2// the script will periodically query the DNS with all domains included in ///etc/sets-ipdns/wildlan-urls.list// so that list should be reasonably small. In //CASE 2// the script will periodically query the DNS with all domains included in ///etc/sets-ipdns/wildlan-urls.list// so that list should be reasonably small.
  
-The //nft// commands in //etc/rc.local// can be overwritten by uci or in case of restart of the interfaces.+===== Next Improvements ===== 
 + 
 +The command line instructions are included in ///etc/hotplug.d/iface/20-firewall// that trigger a rebuild of the firewall configuration at each change of any interface. Anyhow this is not trigged when a UCI/LUCI firewall change is applied. So at any change in the firewall configuration the rebuild will not involve the custom rules included in ///etc/hotplug.d/iface/20-firewall//, as result connectivity of devices that rely on this will be lost. 
 + 
 +The rules will be reapplied at next change in status of any interface, that could also be trigged on purpose to rebuild the rules. 
 + 
 +If in next released will be included a custom file for NFT commands that is trigged at any firewall rebuild, this problem will be solved.
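Review bot: the "Next Improvements" section describes as a future feature something fw4 already provides: files under /etc/nftables.d/*.nft are included into the generated ruleset at every firewall rebuild, inside table inet fw4, which is exactly the table the `#inet#fw4#blackhole` nftset entries target. Declaring the set and the forward rule there would survive UCI/LuCI firewall reloads without depending on interface hotplug events; the set's entries are still lost when the table is flushed on reload and return only as names are resolved again, so that caveat belongs in the text. Worth verifying on the release in use and rewriting the section accordingly. Spelling: "trigged" -> "triggered", "as result" -> "as a result", "If in next released will be included" -> "If a future release includes".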
  • Last modified: 2024/05/27 21:51
  • by systemcrash