Hi,

I have just merged this patch into next for c129.

-Michael

> On 15 Feb 2019, at 16:48, Matthias Fischer wrote:
>
> On 15.02.2019 12:34, Michael Tremer wrote:
>> On 14 Feb 2019, at 17:26, Matthias Fischer wrote:
>>>
>>> Hi Michael,
>>>
>>> On 14.02.2019 12:01, Michael Tremer wrote:
>>>>>> I did *not* merge this one, yet.
>>>>> No problem - I'm in touch with Erik trying to help testing TFO and DoT.
>>>> Please don’t forget to share what you are doing on this list
>>>
>>> Of course. ;-)
>>>
>>> So far, I got the same results as Erik. But my test environment is not
>>> as extensive as his.
>>>
>>> One important result for me: the iptables rules to prevent dns hijacking
>>> are still working.
>>
>> The ones for the captive portal? Or did you have any custom rules?
>
> I use custom rules in 'firewall.local'
> (Inspired by https://blog.ipfire.org/post/use-ipfire-to-protect-you-from-dnschanger):
>
> ***SNIP***
> /sbin/iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp --dport 53 -j DNAT --to 192.168.100.254:53
>
> /sbin/iptables -t nat -A CUSTOMPREROUTING -i green0 -p tcp --dport 53 -j DNAT --to 192.168.100.254:53
>
> /sbin/iptables -t nat -A CUSTOMPREROUTING -i blue0 -p udp --dport 53 -j DNAT --to 192.168.101.254:53
>
> /sbin/iptables -t nat -A CUSTOMPREROUTING -i blue0 -p tcp --dport 53 -j DNAT --to 192.168.101.254:53
> ***SNAP***
>
> I'm still testing under various conditions.
>
> Best,
> Matthias
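
Added example, not part of the original thread: a check that every listed interface still has both a UDP and a TCP port-53 DNAT rule, the property the custom rules above rely on. The function name `dns_redirect_gaps` and the sample dump are constructed; the input is assumed to be in the format printed by `iptables -t nat -S CUSTOMPREROUTING`.

```shell
#!/bin/sh
# Added example: report which (interface, protocol) pairs lack a port-53
# DNAT rule in a dump taken with `iptables -t nat -S CUSTOMPREROUTING`.

# Constructed sample dump: blue0 is missing its TCP rule on purpose.
SAMPLE_RULES='-N CUSTOMPREROUTING
-A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.100.254:53
-A CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.100.254:53
-A CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.101.254:53'

# dns_redirect_gaps IFACE... : reads rules on stdin and prints "iface/proto"
# for every pair that has no DNAT rule on destination port 53.
# Negated matches ("! -i ...") are not handled by this sketch.
dns_redirect_gaps() {
    awk -v ifaces="$*" '
        $1 == "-A" {
            iface = proto = dport = target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-i")      iface  = $(i + 1)
                if ($i == "-p")      proto  = $(i + 1)
                if ($i == "--dport") dport  = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            if (dport == "53" && target == "DNAT") seen[iface "/" proto] = 1
        }
        END {
            n = split(ifaces, want, " ")
            for (k = 1; k <= n; k++) {
                if (!((want[k] "/udp") in seen)) print want[k] "/udp"
                if (!((want[k] "/tcp") in seen)) print want[k] "/tcp"
            }
        }'
}

# On a live system, replace the printf with the iptables -S command above.
gaps=$(printf '%s\n' "$SAMPLE_RULES" | dns_redirect_gaps green0 blue0)
if [ -n "$gaps" ]; then
    echo "DNS redirect missing for: $gaps"
else
    echo "all listed interfaces redirect udp and tcp port 53"
fi
```

A missing TCP rule is easy to overlook because most lookups use UDP, so the check lists each protocol separately.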