On 11/13/20 10:57 AM, Matthias Fischer wrote: > On 13.11.2020 15:23, Michael Tremer wrote: >> Hi Matthias, > Hi, > >> Sorry for my late reply. I am surprised this discussion is so quiet. > Me, too. ;-) > >>> On 9 Nov 2020, at 17:47, Matthias Fischer wrote: >>> >>> Hi, >>> >>> there have been several discussions with several solution attempts in >>> both IPFire forums (old/new), generally starting with (e.g.) "...I am >>> trying to redirect all of my DNS traffic to go thru the IPFire DNS >>> instead of directly to an outside DNS server...". >>> >>> Current discussion => >>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512 >>> >>> But not only in the forums - the oldest Wiki article is dated "May 22, >>> 2015". Long time, but still editing scripts manually... >>> >>> Hoping that there is a chance for a (final) integrated solution which >>> doesn't include editing code, but having a checkbox to switch this >>> functionality ON/OFF on a standardized and more secure base, I would >>> like to open a discussion on the list. >> Very good. I like a discussion. >> >>> For a start and to test how this could probably be done - and to find >>> out if I can do it - I customized '/srv/web/ipfire/cgi-bin/optionsfw.cgi'. >>> >>> Screenshots of the result can be found in the forum thread cited above: >>> => >>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512/91 >>> >>> But some points are IMHO still unclear and need clarification. And I >>> think I'm not the one to decide where to go... >>> >>> My thoughts until now: >>> >>> - Do we need this? >>> [Hm. ;-) As I heard, some folks do.] >> Very good question. >> >> I do not entirely understand the use-case for this. And I think nobody has shown an example at all here. >> >> So what I could come up with is this: >> >> * You have a host on your network that does not use your DNS servers. > I have. Smartphones. *sigh* > >> * You have a host on your network that does not allow you to put in custom DNS servers. > Yep. Not only one host, but some Apps on several hosts doesn't. On > smartphones. Every now and then. Again: *sigh* > >> I would simply say: Throw them away. That is not network equipment. It simply is a bug, and that should not be fixed by us. > M2C: This would be consistent, but unfortunately this is not always > possible. > >> * You might have a host or an app (YouTube is my favourite) that simply does not give a fuck about your network configuration and will try to break any filtering either by DNS or proxy just to show you advertising and to increase $BIGCORP’s revenue. >> >> I consider that malware or simply broken. > ACK, but...see above. In reality it seems to me that its not that easy. > >> Should we fix that by redirecting? I don’t think so. >> >> I would say that that checkbox that you have added should block using any other DNS server except the ones configured by the DHCP server. > ACK. That is the goal. > >> As an admin you want to know what is going wrong and not silently redirect this. >> >> If you really really want to redirect, I think the best option is to add that functionality to the firewall UI that users can create a rule that redirects this traffic. That way it is absolutely explicit and the admin hopefully knows what they are doing. >> >>> - Is the 'optionsfwcgi' the right place for this? >>> [In my opinion: yes. It was easy to add and sits beside other >>> interface "options"] >> Yes. I believe this is the right place. >> >>> - Do we really want this for all installations? >>> [For someone, who doesn't want or doesn't need it: it can be switched OFF] >> Default must be OFF. We should not tamper with people’s packets. > I see. Perhaps I wasn't clear enough: of course the default should be > switched OFF. > >> Apart from blocking packets, IPFire’s most popular feature is forwarding them. >> >>> - Is this function usable under ALL circumstances? >>> [If not: it can be switched OFF] >> No, I believe that this should be the exception and users can switch it on if they want to. > Yep. See above. > >>> - Where (E.g: firewall init script, rules.pl, wirelessctrl.c, ...) >>> should the necessary iptables rules be processed? >>> [Some ideas how this could be done, but no "breakthrough". Current >>> option-settings are processed in several scripts. Which one to use!?] >> This would probably go into /etc/init.d/firewall. > Ok. > >>> Before going on and investing more time in this (on the forum), I'd like >>> to know how the developers think about this and would like to collect >>> ideas and suggestions here. >> I hope I could answer the questions. > Yes. ;-) > >> I would like to hear more opinions. > Me, too. And feedback from testers... ;-) > > Best, > Matthias > >> Best, >> -Michael >> >>> Any hints are welcome... >>> >>> Best, >>> Matthias >>> +1 Anxiously awaiting decision / implementation. -- Who messed with my anti-paranoia shot?