Differences

This shows you the differences between two versions of the page.

docs:guide-user:firewall:filtering_traffic_at_ip_addresses_by_dns [2023/08/26 12:55] plinioseniore
docs:guide-user:firewall:filtering_traffic_at_ip_addresses_by_dns [2024/01/13 12:53] – [Improvements] plinioseniore
Line 19: Line 19:
 ===== [CASE 1] Command-line instructions =====  ===== [CASE 1] Command-line instructions ===== 
  
-Install //dnsmasq-full// as follow+Install //dnsmasq-full// as follows
  
 <code bash> <code bash>
-opkg update +opkg updatecd /tmp/ && opkg download dnsmasq-full; opkg install ipset libnettle8 libnetfilter-conntrack3; 
-cd /tmp/ && opkg download dnsmasq-full +opkg remove dnsmasqopkg install dnsmasq-full --cache /tmp/rm -f /tmp/dnsmasq-full*.ipk;
-opkg remove dnsmasq +
-opkg install dnsmasq-full --cache /tmp/ +
-rm -f /tmp/dnsmasq-full*.ipk+
 </code> </code>
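Review bot: the rewritten install block chains the steps with `;`, so `opkg remove dnsmasq` and the final `rm -f` still run when `opkg download dnsmasq-full` or the dependency install has failed, leaving the router with no working DNS resolver at all; the old version deliberately downloaded the package before removing dnsmasq, presumably because the running dnsmasq is what resolves the repository hostname, so keep that order and chain with `&&`, e.g. `cd /tmp/ && opkg download dnsmasq-full && opkg install ipset libnettle8 libnetfilter-conntrack3 && opkg remove dnsmasq && opkg install dnsmasq-full --cache /tmp/`. Also, as rendered here `opkg update` runs straight into `cd /tmp/`, `opkg remove dnsmasq` into `opkg install`, and `--cache /tmp/` into `rm -f`, with no newline or separator between them; check that the wiki source still contains those line breaks, because pasted as shown the commands would not parse.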
  
Line 137: Line 134:
 In //CASE 2// the script will periodically query the DNS with all domains included in ///etc/sets-ipdns/wildlan-urls.list// so that list should be reasonably small. In //CASE 2// the script will periodically query the DNS with all domains included in ///etc/sets-ipdns/wildlan-urls.list// so that list should be reasonably small.
  
-===== Improvements =====+===== Next Improvements =====
  
-Previous version of this wiki page use //etc/rc.local// instead of ///etc/hotplug.d/iface/20-firewall//. This has been proven to be an improvement as the commands included in //etc/rc.local// runs at end of boot but any change in the state of the interfaces will retrigger a rebuild of //fw4//.+The command line instructions are included in ///etc/hotplug.d/iface/20-firewall// that trigger a rebuild of the firewall configuration at each change of any interfaceAnyhow this is not trigged when a UCI/LUCI firewall change is applied. So at any change in the firewall configuration the rebuild will not involve the custom rules included in ///etc/hotplug.d/iface/20-firewall//, as result connectivity of devices that rely on this will be lost.
  
-Including the commands in //etc/rc.local// needs a //sleep// to ensure that all interfaces are up, even if any late restart of any interface erase the commands included in //etc/rc.local//.+The rules will be reapplied at next change in status of any interface, that could also be trigged on purpose to rebuild the rules.
  
-Using instead ///etc/hotplug.d/iface/20-firewall// and including the nft commands just after ////fw4 -q reload +If in next released will be included a custom file for NFT commands that is trigged at any firewall rebuild, this problem will be solved.
-ensure consistency across restart of interfaces.+
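Review bot: the new paragraph describes a real gap (the hotplug script is not run on a UCI/LuCI firewall change, so the custom nft rules are absent until the next interface event) but never tells the reader how to force the rebuild it says "could also be trigged on purpose"; name the action to take after any firewall change, otherwise the reader is left with a known period of lost connectivity and no remedy. Wording in the added lines: "trigged" should be "triggered" (three occurrences), "interfaceAnyhow" is missing a full stop before "Anyhow", "as result" should be "as a result", and "If in next released will be included a custom file for NFT commands that is trigged at any firewall rebuild" reads better as "If a future release adds a custom file for nft commands that is run at every firewall rebuild". Removing the old explanation of why /etc/rc.local needed a sleep and why the hotplug file replaced it drops useful context for anyone still using the rc.local variant; consider keeping one sentence of it under the new heading.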
Last modified: 2024/05/27 21:51 by systemcrash