From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Subject: Forcing all DNS traffic from the LAN to the firewall
Date: Mon, 09 Nov 2020 18:47:26 +0100
Message-ID: <893404c4-16eb-2055-5702-7a3b44377443@ipfire.org>

Hi,

there have been several discussions with several solution attempts in
both IPFire forums (old/new), generally starting with (e.g.) "...I am
trying to redirect all of my DNS traffic to go thru the IPFire DNS
instead of directly to an outside DNS server...".

Current discussion =>
https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512

But not only in the forums - the oldest Wiki article is dated "May 22,
2015". Long time, but still editing scripts manually...

Hoping that there is a chance for a (final) integrated solution which
doesn't include editing code, but having a checkbox to switch this
functionality ON/OFF on a standardized and more secure base, I would
like to open a discussion on the list.

For a start and to test how this could probably be done - and to find
out if I can do it - I customized '/srv/web/ipfire/cgi-bin/optionsfw.cgi'.

Screenshots of the result can be found in the forum thread cited above:
=>
https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512/91

But some points are IMHO still unclear and need clarification. And I
think I'm not the one to decide where to go...

My thoughts until now:

- Do we need this?
[Hm. ;-) As I heard, some folks do.]

- Is the 'optionsfw.cgi' the right place for this?
[In my opinion: yes. It was easy to add and sits beside other
interface "options"]

- Do we really want this for all installations?
[For someone who doesn't want or doesn't need it: it can be switched OFF]

- Is this function usable under ALL circumstances?
[If not: it can be switched OFF]

- Where (e.g. firewall init script, rules.pl, wirelessctrl.c, ...)
should the necessary iptables rules be processed?
[Some ideas how this could be done, but no "breakthrough". Current
option-settings are processed in several scripts. Which one to use!?]

Before going on and investing more time in this (on the forum), I'd like
to know how the developers think about this and would like to collect
ideas and suggestions here.

Any hints are welcome...

Best,
Matthias