From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: IPFire 2.27 - Core Update 160 released
Date: Sat, 09 Oct 2021 13:41:42 +0100
In-Reply-To: <73940019-1604-89d3-ec18-e1a0a9041fe3@ipfire.org>

Hello,

> On 6 Oct 2021, at 13:12, Bernhard Bitsch wrote:
>
> Hello,
>
> On 06.10.2021 at 12:04, Daniel Weismüller wrote:
>> Hello
>> I have also had a look at this.
>> There are now two Wiki pages on this topic.
>> - A general one (https://wiki.ipfire.org/configuration/firewall/rules/redirect-services).
>> - A very specific one for DNS redirect (https://wiki.ipfire.org/configuration/firewall/dns).
> This is true, but the first page can't be found by a normal search in the wiki.
>> Since core160 the general method works. This is equivalent to method 1 described on the specific page.
>> Following the general instructions, I have created a few firewall rules to redirect DNS, DoT and NTP.
>> This works very well now.
>> In general, I think that general instructions are always better than specific step-by-step instructions.
> Agreed.
>> In my eyes, the described method 2, which had to be taken as a temporary solution, is therefore obsolete. In addition, pure blocking can lead to some devices no longer working.
>>
> Having implemented the second method until now, I can see a difference.
> Label 'DNAT' in the logging isn't nice. 'REDIRECT' would be more helpful.

Technically DNAT is correct. REDIRECT is just a shortcut to change the destination IP address to the local machine and leave the destination port unchanged.

> If I define a rule for NTP, I get two log entries (one with 'DNAT', one with 'INPUTFW').
> A similar rule for DNS produces one log message only.

Any NAT rule with logging enabled should always produce two log entries. One for the 'nat' table and another time when it hits the 'filter' table.

-Michael

> -
> Bernhard
>> Do you see it the same way?
>> -
>> Daniel
>> 5 October 2021 22:10, "Bernhard Bitsch" wrote:
>>> Hi all,
>>>
>>> Thanks.
>>> So it was only a misunderstanding. I thought there would be options to redirect DNS requests and
>>> NTP requests.
>>> But this 'any port solution' is much mightier.
>>> I'll try to convert my actual firewall.local solution to the mainstream and report about the
>>> results.
>>>
>>> Regards,
>>> Bernhard
>>>
>>> On 05.10.2021 at 18:28, Michael Tremer wrote:
>>>
>>>> Hello,
>>>> Simply using -j REDIRECT.
>>>> This was always part of the firewall engine, but the UI was broken and did not allow creating
>>>> these rules.
>>>> -Michael
>>>> On 5 Oct 2021, at 14:55, Bernhard Bitsch wrote:
>>>>> Just a question. How is the activation of redirection implemented?
>>>>>
>>>>> On 05.10.2021 at 12:45, IPFire Project wrote:
>>>>
>>>> there is a new post from Michael Tremer on the IPFire Blog:
>>>> *IPFire 2.27 - Core Update 160 released*
>>>> This is the release announcement for IPFire 2.27 - Core Update 160.
>>>> It comes with a large number of bug fixes and package updates and
>>>> prepares for removing Python 2 which has reached its end of life.
>>>> The IPFire Project
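Michael's two points above (DNAT is the correct label for what REDIRECT does, and a logged NAT rule yields one nat-table entry plus one filter-table entry) can be checked against the kernel log. The script below is an added example, not code from this thread or from IPFire: it pairs the two LOG lines of each flow by SRC/PROTO/SPT/DPT, shows that only the destination IP changes while the port is kept, and flags flows whose filter-table entry is missing. It assumes the netfilter LOG target's field format and the 'DNAT'/'INPUTFW' prefixes named in the thread; the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the field format of the netfilter LOG target, using the
# 'DNAT' and 'INPUTFW' prefixes named in the thread; addresses are RFC 5737
# documentation ranges, not a real IPFire system.
SAMPLE_LOG = """\
Oct  9 13:40:01 ipfire kernel: DNAT IN=green0 OUT= SRC=192.168.1.20 DST=198.51.100.53 PROTO=UDP SPT=51234 DPT=53
Oct  9 13:40:01 ipfire kernel: INPUTFW IN=green0 OUT= SRC=192.168.1.20 DST=192.168.1.1 PROTO=UDP SPT=51234 DPT=53
Oct  9 13:40:02 ipfire kernel: DNAT IN=green0 OUT= SRC=192.168.1.21 DST=203.0.113.123 PROTO=UDP SPT=123 DPT=123
Oct  9 13:40:02 ipfire kernel: INPUTFW IN=green0 OUT= SRC=192.168.1.21 DST=192.168.1.1 PROTO=UDP SPT=123 DPT=123
Oct  9 13:40:03 ipfire kernel: DNAT IN=green0 OUT= SRC=192.168.1.22 DST=198.51.100.53 PROTO=UDP SPT=40000 DPT=53
"""

PREFIX_RE = re.compile(r"kernel: (\S+) ")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return {'prefix': ..., 'IN': ..., 'SRC': ...} for one LOG line, else None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    return {"prefix": m.group(1), **dict(FIELD_RE.findall(line[m.end():]))}

def pair_nat_entries(log_text, nat_prefix="DNAT", filter_prefix="INPUTFW"):
    """Match each flow's nat-table entry with its filter-table entry.

    Both lines share SRC/PROTO/SPT/DPT; only DST differs, because REDIRECT
    rewrites the destination IP to the firewall and keeps the port. A flow
    with only the nat-table line has no filter-table log entry: check logging
    on the matching filter rule.
    """
    flows = defaultdict(dict)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e:
            flows[(e["SRC"], e["PROTO"], e["SPT"], e["DPT"])][e["prefix"]] = e["DST"]
    return [
        {"src": src, "proto": proto, "spt": spt, "dpt": dpt,
         "original_dst": seen.get(nat_prefix),
         "redirected_to": seen.get(filter_prefix),
         "complete": nat_prefix in seen and filter_prefix in seen}
        for (src, proto, spt, dpt), seen in flows.items()
    ]

if __name__ == "__main__":
    for f in pair_nat_entries(SAMPLE_LOG):
        status = "ok" if f["complete"] else "filter-table entry missing"
        print(f"{f['src']}:{f['spt']} {f['proto']} -> {f['original_dst']}:{f['dpt']} "
              f"now {f['redirected_to']}:{f['dpt']} [{status}]")
```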