From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: IPFire 2.27 - Core Update 160 released
Date: Sat, 09 Oct 2021 13:41:42 +0100
Message-ID: <CE8B6A5D-0B67-460B-AF8D-48E129E97F95@ipfire.org>
In-Reply-To: <73940019-1604-89d3-ec18-e1a0a9041fe3@ipfire.org>
Hello,
> On 6 Oct 2021, at 13:12, Bernhard Bitsch <bbitsch(a)ipfire.org> wrote:
>
> Hello,
>
> On 06.10.2021 at 12:04 Daniel Weismüller wrote:
>> Hello
>> I have also had a look at this.
>> There are now two Wiki pages on this topic.
>> - A general one (https://wiki.ipfire.org/configuration/firewall/rules/redirect-services).
>> - A very specific one for DNS redirect (https://wiki.ipfire.org/configuration/firewall/dns).
> This is true, but the first page can't be found by a normal research in the wiki.
>> Since core160 the general method works. This is equivalent to the method 1 described on the specific page.
>> Following the general instructions, I have created a few firewall rules to redirect DNS, DoT and NTP.
>> This works very well now.
>> In general, I think that general instructions are always better than specific step-by-step instructions.
> Agreed.
>> In my eyes, the described method 2, which had to be taken as a temporary solution, is therefore obsolete. In addition, pure blocking can lead to some devices no longer working.
>>
> Having implemented the second method until now, I can see a difference.
> Label 'DNAT' in the logging isn't nice. 'REDIRECT' would be more helpful.
Technically DNAT is correct. REDIRECT is just a shortcut to change the destination IP address to the local machine and leave the destination port unchanged.
> If I define a rule for NTP, I get two log entries ( one with 'DNAT', one with 'INPUTFW' ). A similar rule for DNS produces one log message only.
Any NAT rule with logging enabled should always produce two log entries. One for the 'nat' table and another time when it hits the 'filter' table.
-Michael
> -
> Bernhard
>> Do you see it the same way?
>> -
>> Daniel
>> On 5 October 2021 22:10, "Bernhard Bitsch" <bbitsch(a)ipfire.org> wrote:
>>> Hi all,
>>>
>>> Thanks.
>>> So it was only a misunderstanding. I thought there would be options to redirect DNS requests and
>>> NTP requests.
>>> But this 'any port solution' is much mightier.
>>> I'll try to convert my actual firewall.local solution to the main stream and report about the
>>> results.
>>>
>>> Regards,
>>> Bernhard
>>>
>>> On 05.10.2021 at 18:28 Michael Tremer wrote:
>>>
>>>> Hello,
>>>> Simply using -j REDIRECT.
>>>> This was always part of the firewall engine, but the UI was broken and did not allow creating
>>>> these rules.
>>>> -Michael
>>>> On 5 Oct 2021, at 14:55, Bernhard Bitsch <bbitsch(a)ipfire.org> wrote:
>>>>> Just a question. How is the activation of redirection implemented?
>>>>>
>>>>> On 05.10.2021 at 12:45 IPFire Project wrote:
>>>>
>>>> there is a new post from Michael Tremer on the IPFire Blog:
>>>> *IPFire 2.27 - Core Update 160 released*
>>>> This is the release announcement for IPFire 2.27 - Core Update 160.
>>>> It comes with a large number of bug fixes and package updates and
>>>> prepares for removing Python 2, which has reached its end of life.
>>>> Click Here To Read More <https://blog.ipfire.org/post/ipfire-2-27-core-update-160-released>
>>>> The IPFire Project
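As an added illustration of Michael's point about a logged NAT rule hitting both the 'nat' and the 'filter' table (this is example code, not from the thread or from IPFire): a small parser that pairs the 'DNAT' and 'INPUTFW' log entries belonging to the same redirected flow and flags flows that were only seen in one table. The log lines are constructed in the standard iptables LOG key=value format; the prefixes, interface names and addresses are assumptions.

```python
"""Pair the nat-table ('DNAT') and filter-table ('INPUTFW') log entries that a
logged IPFire redirect rule should produce. Example code, not IPFire's own.
Log prefixes and field layout are assumed from the usual iptables LOG target."""
import re
from collections import defaultdict

# The nat entry still shows the ORIGINAL destination, the filter entry shows the
# REWRITTEN one, so only the source side of the flow is stable across both.
LOG_RE = re.compile(
    r"(?P<label>DNAT|INPUTFW) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# Constructed sample log (documentation addresses, invented timestamps).
SAMPLE_LOG = [
    # NTP redirect: nat hit, then the redirected packet hits the filter table.
    "Oct  6 10:04:01 ipfire kernel: DNAT IN=green0 OUT= MAC=00:11:22:33:44:55 "
    "SRC=192.168.1.20 DST=192.0.2.10 LEN=76 PROTO=UDP SPT=123 DPT=123 LEN=56",
    "Oct  6 10:04:01 ipfire kernel: INPUTFW IN=green0 OUT= MAC=00:11:22:33:44:55 "
    "SRC=192.168.1.20 DST=192.168.1.1 LEN=76 PROTO=UDP SPT=123 DPT=123 LEN=56",
    # DNS redirect: only the nat-table entry is present in this log extract.
    "Oct  6 10:04:02 ipfire kernel: DNAT IN=green0 OUT= MAC=00:11:22:33:44:66 "
    "SRC=192.168.1.21 DST=198.51.100.53 LEN=60 PROTO=UDP SPT=40123 DPT=53 LEN=40",
]


def parse(line):
    """Return the fields of one LOG line, or None if it is not a NAT/filter log."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def pair_entries(lines):
    """Group entries by (src, proto, spt) and report which tables logged them."""
    seen = defaultdict(dict)
    for line in lines:
        e = parse(line)
        if e:
            seen[(e["src"], e["proto"], e["spt"])][e["label"]] = e
    report = {}
    for key, labels in seen.items():
        report[key] = {
            "nat": "DNAT" in labels,
            "filter": "INPUTFW" in labels,
            "original_dst": labels.get("DNAT", {}).get("dst"),
            "rewritten_dst": labels.get("INPUTFW", {}).get("dst"),
        }
    return report


def one_sided(lines):
    """Flows logged in only one of the two tables: worth a look at the ruleset."""
    return [k for k, v in pair_entries(lines).items() if v["nat"] != v["filter"]]
```

Flows with identical (src, proto, spt) within the extract collapse into one entry; a production version would also window on the timestamp.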