From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Forcing all DNS traffic from the LAN to the firewall
Date: Sun, 15 Nov 2020 14:50:09 +0000
In-Reply-To: <0bf6771a-5d03-762a-9244-1567dd500754@ipfire.org>

Hi,

> On 15 Nov 2020, at 13:36, Matthias Fischer wrote:
> 
> Hi,
> 
> On 13.11.2020 17:57, Matthias Fischer wrote:
>> On 13.11.2020 15:23, Michael Tremer wrote:
> 
> [Slightly shortened, kept the relevant parts]
> 
>>> ...
>> 
>>>> - Where (E.g: firewall init script, rules.pl, wirelessctrl.c, ...)
>>>> should the necessary iptables rules be processed?
>>>> [Some ideas how this could be done, but no "breakthrough". Current
>>>> option-settings are processed in several scripts. Which one to use!?]
>>> 
>>> This would probably go into /etc/init.d/firewall.
> 
> Sorry, but *which* line? I'm really not sure. I suppose somewhere after
> line 179f which read:
> ...
> iptables -t nat -N CUSTOMPREROUTING
> iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
> ...
> 
> I don't want to mess things up - especially in *this* script!
> We need an "if"-query to check for ON/OFF there, ok.
> But the more often I read this script the less sure I am where this code
> can be inserted best. Where? Hints?

If we do not go with the generic redirection option, I would suggest putting this before the CAPTIVE_PORTAL chain and creating another chain with the redirection rules.

> Besides, deactivating these rules would need a complete reboot!? Or do I
> overlook something?

Yes, this would be true.

We could otherwise create an extra script that is only executed when this is enabled, like we do with the captive portal.
> Because if this should be the case then on the firewall options page the
> entries that require a restart should be *marked* to make things easier
> and clearer. Otherwise you switch ON <-> OFF or vice versa without
> *really* realising that your changes "need a reboot". The notice "Some
> options need a reboot to take effect" is not sufficiently meaningful.
> "Some options..."!? Which?

Yes, I find this quite annoying…

Maybe we should in general move these things to not require a reboot?

I believe reloading the whole firewall is something we can support right now.

-Michael

> Best,
> Matthias
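Added example, not code from the IPFire project or from either author: a sketch of the approach Michael describes above, a separate nat chain holding the DNS redirection rules, hooked in at the head of PREROUTING so it runs before later jumps such as CAPTIVE_PORTAL, together with an apply function that tears the chain down and rebuilds it, so flipping the option is a reload rather than a reboot. The chain name DNS_REDIRECT, the interface name green0, the address 192.168.0.1 and the DRY_RUN switch are assumptions made here for illustration and are not from the thread.

```shell
#!/bin/sh
# Added example, not IPFire's own code: a dedicated nat chain for redirecting
# LAN DNS traffic to the firewall, plus an apply function that lets the ON/OFF
# setting take effect without a reboot.
# Assumptions (not from the thread): chain name DNS_REDIRECT, a LAN interface
# such as green0 and its address passed as arguments, and DRY_RUN=1 to print
# the iptables commands instead of running them.

DRY_RUN="${DRY_RUN:-0}"
CHAIN="DNS_REDIRECT"

# Run or print an iptables command depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Create the chain, fill it, and hook it in at position 1 of PREROUTING so it
# is evaluated before later jumps such as CAPTIVE_PORTAL and CUSTOMPREROUTING.
# $1: LAN interface, $2: firewall address on that interface.
dns_redirect_enable() {
    lan_dev="$1"
    lan_ip="$2"
    ipt -t nat -N "$CHAIN" 2>/dev/null || true
    # Clients already talking to the firewall need no rewrite; every other
    # port-53 packet is redirected to the address of the interface it came in on.
    ipt -t nat -A "$CHAIN" -i "$lan_dev" -p udp --dport 53 ! -d "$lan_ip" -j REDIRECT --to-ports 53
    ipt -t nat -A "$CHAIN" -i "$lan_dev" -p tcp --dport 53 ! -d "$lan_ip" -j REDIRECT --to-ports 53
    ipt -t nat -I PREROUTING 1 -j "$CHAIN"
}

# Remove the hook, then flush and delete the chain. Each step tolerates the
# chain not existing, so this is safe to call on a system where the option is OFF.
dns_redirect_disable() {
    ipt -t nat -D PREROUTING -j "$CHAIN" 2>/dev/null || true
    ipt -t nat -F "$CHAIN" 2>/dev/null || true
    ipt -t nat -X "$CHAIN" 2>/dev/null || true
}

# Apply the setting: always tear down first, then rebuild if ON. Re-running
# this after a settings change reloads the rules instead of requiring a reboot.
# $1: "on" or "off", $2: LAN interface, $3: firewall address.
dns_redirect_apply() {
    dns_redirect_disable
    if [ "$1" = "on" ]; then
        dns_redirect_enable "$2" "$3"
    fi
}

# Usage: DRY_RUN=1 sh dns-redirect.sh on green0 192.168.0.1
case "${1:-}" in
    on|off) dns_redirect_apply "$1" "${2:-green0}" "${3:-192.168.0.1}" ;;
esac
```

Running it with DRY_RUN=1 first shows exactly which rules the setting would install or remove, which is the check worth doing before touching the real init script.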