This shows you the differences between two versions of the page.
| docs:guide-user:firewall:filtering_traffic_at_ip_addresses_by_dns [2023/11/18 07:28] – Corrected dnsmasq-full install procedure. rexbinary | docs:guide-user:firewall:filtering_traffic_at_ip_addresses_by_dns [2024/01/13 12:53] – [Improvements] plinioseniore |
|---|---|
| In //CASE 2// the script will periodically query the DNS with all domains included in ///etc/sets-ipdns/wildlan-urls.list// so that list should be reasonably small. | In //CASE 2// the script will periodically query the DNS with all domains included in ///etc/sets-ipdns/wildlan-urls.list// so that list should be reasonably small. |
| |
| ===== Improvements ===== | ===== Next Improvements ===== |
| |
| Previous version of this wiki page use //etc/rc.local// instead of ///etc/hotplug.d/iface/20-firewall//. This has been proven to be an improvement as the commands included in //etc/rc.local// runs at end of boot but any change in the state of the interfaces will retrigger a rebuild of //fw4//. | The command line instructions are included in ///etc/hotplug.d/iface/20-firewall// that trigger a rebuild of the firewall configuration at each change of any interface. Anyhow this is not trigged when a UCI/LUCI firewall change is applied. So at any change in the firewall configuration the rebuild will not involve the custom rules included in ///etc/hotplug.d/iface/20-firewall//, as result connectivity of devices that rely on this will be lost. |
| |
| Including the commands in //etc/rc.local// needs a //sleep// to ensure that all interfaces are up, even if any late restart of any interface erase the commands included in //etc/rc.local//. | The rules will be reapplied at next change in status of any interface, that could also be trigged on purpose to rebuild the rules. |
| |
| Using instead ///etc/hotplug.d/iface/20-firewall// and including the nft commands just after ////fw4 -q reload | If in next released will be included a custom file for NFT commands that is trigged at any firewall rebuild, this problem will be solved. |
| ensure consistency across restart of interfaces. | |
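Review bot: the new text in the rows about ///etc/hotplug.d/iface/20-firewall// states that a UCI/LuCI firewall change rebuilds //fw4// without the custom rules and that "The rules will be reapplied at next change in status of any interface, that could also be trigged on purpose", but it never says how an interface status change is triggered on purpose; add the concrete command next to that sentence, and say plainly that until such an event happens the devices relying on these rules have no connectivity, since that is the operational consequence a reader needs. The heading change from "Improvements" to "Next Improvements" no longer matches the content, which now describes a known limitation of the hotplug approach plus a hoped-for fix ("If in next released will be included a custom file for NFT commands"), so a heading such as "Known limitation" would describe it better. The removed left-column text carried the rationale for preferring the hotplug script over //etc/rc.local// (rc.local needs a //sleep// and a late interface restart erases its rules); keep one sentence of that rationale so the reason for the hotplug file is not lost. Spelling: "trigged" should be "triggered" (three occurrences), "next released" should be "next releases", "as result" should be "as a result".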