From: Daniel Weismüller
To: development@lists.ipfire.org
Subject: Re: IPFire 2.27 - Core Update 160 released
Date: Wed, 06 Oct 2021 13:22:32 +0000
Message-ID: <6bbe85a241ebb62fb3b5b6c332d88cdf@ipfire.org>
In-Reply-To: <73940019-1604-89d3-ec18-e1a0a9041fe3@ipfire.org>

6 October 2021 14:12, "Bernhard Bitsch" wrote:

> Hello,
>
> On 06.10.2021 at 12:04, Daniel Weismüller wrote:
>
>> Hello
>> I have also had a look at this.
>> There are now two Wiki pages on this topic.
>> - A general one (https://wiki.ipfire.org/configuration/firewall/rules/redirect-services).
>> - A very specific one for DNS redirect (https://wiki.ipfire.org/configuration/firewall/dns).
>> This is true, but the first page can't be found by a normal search in the wiki.
>> Since core160 the general method works. This is equivalent to method 1 described on the specific page.
>> Following the general instructions, I have created a few firewall rules to redirect DNS, DoT and NTP.
>> This works very well now.
>> In general, I think that general instructions are always better than specific step-by-step instructions.
>> Agreed.
>> In my eyes, the described method 2, which had to be taken as a temporary solution, is therefore obsolete. In addition, pure blocking can lead to some devices no longer working.
>> Having implemented the second method until now, I can see a difference.
>
> Label 'DNAT' in the logging isn't nice. 'REDIRECT' would be more helpful.
> If I define a rule for NTP, I get two log entries (one with 'DNAT', one with 'INPUTFW'). A similar rule for DNS produces one log message only.
> -
> Bernhard

I have checked my logs and cannot confirm this.

15:16:30 INPUTFW blue0 UDP 192.168.56.127 192.168.56.1 57803 53(DOMAIN) b8:85:84:a6:a0:f7
15:16:30 DNAT blue0 UDP 192.168.56.127 192.168.56.1 57803 53(DOMAIN) b8:85:84:a6:a0:f7
15:16:30 INPUTFW green0 UDP 192.168.55.30 192.168.55.1 123(NTP) 123(NTP) 00:1a:e8:ad:07:52
15:16:30 DNAT green0 UDP 192.168.55.30 192.168.55.1 123(NTP) 123(NTP) 00:1a:e8:ad:07:52

As you can see, two entries are always generated for me.

-
Daniel

>
>> Do you see it the same way?
>>> -
>> Daniel
>> 5 October 2021 22:10, "Bernhard Bitsch" wrote:
>> Hi all,
>>> Thanks.
>>> So it was only a misunderstanding. I thought there would be options to redirect DNS requests and NTP requests.
>>> But this 'any port solution' is much mightier.
>>> I'll try to convert my actual firewall.local solution to the mainstream and report about the results.
>>>
>>> Regards,
>>> Bernhard
>>>
>>> On 05.10.2021 at 18:28, Michael Tremer wrote:
>>
>> Hello,
>> Simply using -j REDIRECT.
>> This was always part of the firewall engine, but the UI was broken and did not allow creating these rules.
>> -Michael
>> On 5 Oct 2021, at 14:55, Bernhard Bitsch wrote:
>> Just a question. How is the activation of redirection implemented?
>>
>> On 05.10.2021 at 12:45, IPFire Project wrote:
>>
>> there is a new post from Michael Tremer on the IPFire Blog:
>> *IPFire 2.27 - Core Update 160 released*
>> This is the release announcement for IPFire 2.27 - Core Update 160.
>> It comes with a large number of bug fixes and package updates and prepares for removing Python 2, which has reached its end of life.
>> The IPFire Project
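As an added example (not part of this thread or of IPFire itself), a small Python script that parses firewall log lines in the layout Daniel pasted above and reports, per connection, which labels (DNAT, INPUTFW) were logged, so the "one entry or two" question from the thread can be checked over a whole log rather than by eye. The field layout is assumed from the four sample lines; the fifth sample line is constructed to show a flow that logged only DNAT.

```python
import re
from collections import defaultdict

# Field layout assumed from the sample lines in the thread:
#   TIME LABEL IFACE PROTO SRC DST SPORT DPORT MAC
# Port fields may carry a service name in parentheses, e.g. "53(DOMAIN)".
LOG_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<label>\S+)\s+(?P<iface>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<sport>\d+)(?:\([^)]*\))?\s+(?P<dport>\d+)(?:\([^)]*\))?\s+(?P<mac>\S+)\s*$"
)

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def labels_per_flow(lines):
    """Map each connection (time, iface, proto, src, dst, sport, dport)
    to the set of log labels recorded for it."""
    flows = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a firewall log entry; ignore it
        key = (rec["time"], rec["iface"], rec["proto"], rec["src"],
               rec["dst"], rec["sport"], rec["dport"])
        flows[key].add(rec["label"])
    return dict(flows)

def flows_missing_label(lines, expected=("DNAT", "INPUTFW")):
    """Return the flows for which not every expected label was logged."""
    want = set(expected)
    return {k: sorted(v) for k, v in labels_per_flow(lines).items() if not want <= v}

# Constructed sample: the four lines from the thread plus one flow (192.168.55.31)
# that only produced a DNAT entry.
SAMPLE_LOG = """\
15:16:30 INPUTFW blue0 UDP 192.168.56.127 192.168.56.1 57803 53(DOMAIN) b8:85:84:a6:a0:f7
15:16:30 DNAT blue0 UDP 192.168.56.127 192.168.56.1 57803 53(DOMAIN) b8:85:84:a6:a0:f7
15:16:30 INPUTFW green0 UDP 192.168.55.30 192.168.55.1 123(NTP) 123(NTP) 00:1a:e8:ad:07:52
15:16:30 DNAT green0 UDP 192.168.55.30 192.168.55.1 123(NTP) 123(NTP) 00:1a:e8:ad:07:52
15:17:02 DNAT green0 UDP 192.168.55.31 192.168.55.1 123(NTP) 123(NTP) 00:1a:e8:ad:07:53
"""

if __name__ == "__main__":
    for flow, labels in labels_per_flow(SAMPLE_LOG.splitlines()).items():
        print(flow, sorted(labels))
    print("incomplete:", flows_missing_label(SAMPLE_LOG.splitlines()))
```

Feed it real lines from the firewall log and any flow listed under "incomplete" is one where only one of the two labels appeared.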