Differences
| docs:guide-user:firewall:filtering_traffic_at_ip_addresses_by_dns [2022/12/31 18:01] – plinioseniore | docs:guide-user:firewall:filtering_traffic_at_ip_addresses_by_dns [2024/01/13 12:53] – [Improvements] plinioseniore | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== fw4 Filtering traffic with IP sets by DNS ====== | ====== fw4 Filtering traffic with IP sets by DNS ====== | ||
| - | {{section> | + | {{section> |
| ===== Introduction ===== | ===== Introduction ===== | ||
| Line 19: | Line 19: | ||
| ===== [CASE 1] Command-line instructions ===== | ===== [CASE 1] Command-line instructions ===== | ||
| - | Install // | + | Install // |
| <code bash> | <code bash> | ||
| - | opkg update | + | opkg update; cd /tmp/ && opkg download dnsmasq-full; opkg install ipset libnettle8 libnetfilter-conntrack3; |
| - | cd /tmp/ && opkg download dnsmasq-full | + | opkg remove dnsmasq; opkg install dnsmasq-full --cache /tmp/; rm -f / |
| - | opkg remove dnsmasq | + | |
| - | opkg install dnsmasq-full --cache /tmp/ | + | |
| - | rm -f / | + | |
| </ | </ | ||
| Line 55: | Line 52: | ||
| nftset=/ | nftset=/ | ||
| ... | ... | ||
| + | </ | ||
| + | |||
| + | Looking to the case in which you want to ensure that only IP addresses resolved via your DNS are allowed, then use # wildcard. This make sense if you want avoid access via direct IP without a filter for specific URLs. | ||
| + | |||
| + | <code bash> | ||
| + | nftset=/#/ | ||
| </ | </ | ||
| Line 131: | Line 134: | ||
| In //CASE 2// the script will periodically query the DNS with all domains included in /// | In //CASE 2// the script will periodically query the DNS with all domains included in /// | ||
| - | ===== Improvements ===== | + | ===== Next Improvements ===== |
| - | Previous version of this wiki page use // | + | The command line instructions are included in /// |
| - | Including the commands | + | The rules will be reapplied at next change |
| - | Using instead /// | + | If in next released will be included a custom file for NFT commands |
| - | ensure consistency across restart of interfaces. | + | |
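Review bot: the rewritten "Next Improvements" section in the Line 131 hunk drops the rationale the previous revision gave for the change (why the earlier location of the commands was replaced and that the new one keeps the rules consistent across restarts of interfaces); keep that reasoning, since it tells readers why the commands live where they do. "The rules will be reapplied at next change" should say a change of what (interface restart, firewall reload) so readers know when to expect the rules to come back. The last sentence, "If in next released will be included a custom file for NFT commands", is cut off and ungrammatical; something like "If a future release adds a dedicated file for custom nft commands, ..." with the consequence spelled out.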