On 11/13/20 10:57 AM, Matthias Fischer wrote:
On 13.11.2020 15:23, Michael Tremer wrote:
Hi Matthias,
Hi,
Sorry for my late reply. I am surprised this discussion is so quiet.
Me, too. ;-)
On 9 Nov 2020, at 17:47, Matthias Fischer matthias.fischer@ipfire.org wrote:
Hi,
there have been several discussions with several solution attempts in both IPFire forums (old/new), generally starting with (e.g.) "...I am trying to redirect all of my DNS traffic to go thru the IPFire DNS instead of directly to an outside DNS server...".
Current discussion => https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-f...
But not only in the forums - the oldest Wiki article is dated "May 22, 2015". Long time, but still editing scripts manually...
Hoping that there is a chance for a (final) integrated solution which doesn't include editing code, but having a checkbox to switch this functionality ON/OFF on a standardized and more secure base, I would like to open a discussion on the list.
Very good. I like a discussion.
For a start and to test how this could probably be done - and to find out if I can do it - I customized '/srv/web/ipfire/cgi-bin/optionsfw.cgi'.
Screenshots of the result can be found in the forum thread cited above: => https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-f...
But some points are IMHO still unclear and need clarification. And I think I'm not the one to decide where to go...
My thoughts until now:
- Do we need this? [Hm. ;-) As I heard, some folks do.]
Very good question.
I do not entirely understand the use-case for this. And I think nobody has shown an example at all here.
So what I could come up with is this:
- You have a host on your network that does not use your DNS servers.
I have. Smartphones. *sigh*
- You have a host on your network that does not allow you to put in custom DNS servers.
Yep. Not only one host, but some Apps on several hosts doesn't. On smartphones. Every now and then. Again: *sigh*
I would simply say: Throw them away. That is not network equipment. It simply is a bug, and that should not be fixed by us.
M2C: This would be consistent, but unfortunately this is not always possible.
- You might have a host or an app (YouTube is my favourite) that simply does not give a fuck about your network configuration and will try to break any filtering either by DNS or proxy just to show you advertising and to increase $BIGCORP’s revenue.
I consider that malware or simply broken.
ACK, but...see above. In reality it seems to me that its not that easy.
Should we fix that by redirecting? I don’t think so.
I would say that that checkbox that you have added should block using any other DNS server except the ones configured by the DHCP server.
ACK. That is the goal.
As an admin you want to know what is going wrong and not silently redirect this.
If you really really want to redirect, I think the best option is to add that functionality to the firewall UI that users can create a rule that redirects this traffic. That way it is absolutely explicit and the admin hopefully knows what they are doing.
- Is the 'optionsfwcgi' the right place for this? [In my opinion: yes. It was easy to add and sits beside other
interface "options"]
Yes. I believe this is the right place.
- Do we really want this for all installations? [For someone, who doesn't want or doesn't need it: it can be switched OFF]
Default must be OFF. We should not tamper with people’s packets.
I see. Perhaps I wasn't clear enough: of course the default should be switched OFF.
Apart from blocking packets, IPFire’s most popular feature is forwarding them.
- Is this function usable under ALL circumstances? [If not: it can be switched OFF]
No, I believe that this should be the exception and users can switch it on if they want to.
Yep. See above.
- Where (E.g: firewall init script, rules.pl, wirelessctrl.c, ...)
should the necessary iptables rules be processed? [Some ideas how this could be done, but no "breakthrough". Current option-settings are processed in several scripts. Which one to use!?]
This would probably go into /etc/init.d/firewall.
Ok.
Before going on and investing more time in this (on the forum), I'd like to know how the developers think about this and would like to collect ideas and suggestions here.
I hope I could answer the questions.
Yes. ;-)
I would like to hear more opinions.
Me, too. And feedback from testers... ;-)
Best, Matthias
Best, -Michael
Any hints are welcome...
Best, Matthias
+1
Anxiously awaiting decision / implementation.