Knowledge Base (Posts about firewall)

Blocking outbound dns

bgstack15 — Sat, 25 Feb 2023 14:26:06 GMT

The overall goal is to have all dns requests possible go to my recursive servers.

List of my dns servers

$ dig -t NS ipa.internal.com
;; ANSWER SECTION:
ipa.internal.com.   604800  IN  NS  dns2.ipa.internal.com.
ipa.internal.com.   604800  IN  NS  dns1.ipa.internal.com.
;; ADDITIONAL SECTION:
dns1.ipa.internal.com.  604800  IN  A   192.168.1.50
dns2.ipa.internal.com.  604800  IN  A   192.168.1.51

Dns3 host is a freeipa domain replica but does not have dns+dhcp on it as of 2023-02.

Experiment 1

Just redirect all outbound dns requests to my dns servers. This is done by setting a command on router1.

DNS="192.168.1.50"
iptables -t nat -I PREROUTING -i br0 -p udp --dport 53 -j DNAT --to "${DNS}:53"
iptables -t nat -I PREROUTING -i br0 -p udp -s "${DNS}" --dport 53 -j ACCEPT
test -f /jffs/doh-ipv4 && sh /jffs/doh-ipv4
test -f /jffs/doh-ipv6 && sh /jffs/doh-ipv6

Added this to the "firewall command" of the router, web ui -> tab Administration -> tab Commands.

I modified dns1 named.conf to include some logging of queries:

channel queries_log {
  file "/var/named/queries" versions 600 size 20m;
  print-time yes;
  print-category yes;
  print-severity yes;
  severity info;
};
category queries { queries_log; };

Inside the logging{} section. Reference 6

This experiment was successful. On dns1, /var/named/queries shows the queries being submitted.

Experiment 2: see if I can get extra, permanent storage with usb drive

I grabbed a 128MB USB flash drive (yes, MB). I enabled usb support in the web ui: tab Services -> tab USB -> core USB Support is enabled, mount this partition to /jffs: 581af4db-8dfc-41af-9e8b-f612bd32508c

I also enabled jffs2 stuff in web ui: tab Administration -> tab Management -> section JFFS2 Support -> Intenal flash storage enabled

Some commands I ran on router1:

fdisk -l
# i already had a partition on msdos label, but it was not formatted yet
mkfs.ext4 /dev/sda1
modprobe ext4
mount /dev/sda1 /jffs

This appears to work persistently after reboots.

Experiment 3: manual DoH block functionality

I set up the blocking script and run it on the dd-wrt router. goal: manually copy up the IPv4 (and IPv6?) servers to be blocked, add routing rules to disallow connections to those

echo '#!/bin/sh' > ~/doh-ipv4
for ip in $( <doh-ipv4.txt awk '{print $1}' ) ; do echo "iptables -I FORWARD -p tcp -d ${ip} --dport 443 -j REJECT --reject-with tcp-reset" ; done >> ~/doh-ipv4
# copy it to router1
<~/doh-ipv4 ssh root@router1 'cat > /jffs/doh-ipv4'
ssh root@router1 chmod +x /jffs/doh-ipv4

Experiment 4: ipv6 doh blocking

echo '#!/bin/sh' > ~/doh-ipv6
for ip in $( <doh-ipv6.txt awk '{print $1}' ) ; do echo "ip6tables -I FORWARD -p tcp -d ${ip} --dport 443 -j REJECT --reject-with tcp-reset" ; done >> ~/doh-ipv6
# copy it to router1; scp was acting weird so use a stream
<~/doh-ipv6 ssh root@router1 'cat > /jffs/doh-ipv6'
ssh root@router1 chmod +x /jffs/doh-ipv6

Improve

I still need to set up a cron job script for doing all this automatically. For now, I have to run these steps manually. I suppose the script would pull the latest contents from the doh list git repo, generate the script, upload it, and optionally run it. I have not pondered how to prevent duplicate entries yet.

Dependencies

Upstream doh list at reference 2

Alternatives

Just allow all dns traffic to outside, which loses control of my network.

References

Weblinks

Internal files

firewalld service file for dhcpd-failover

bgstack15 — Thu, 27 Apr 2017 13:09:58 GMT

The problem

I have been practicing with ISC dhcp in preparation for overhauling my network. While working with dhcp failover peers, I have run into a problem. My peers couldn't talk to each other. I eventually figured out it was the firewall. Some of the errors I got included:

Apr 05 17:56:55 centos7-01a.vm.example.com dhcpd[956]: failover peer allvm: I move from recover to startup
Apr 05 17:56:55 centos7-01a.vm.example.com systemd[1]: Started DHCPv4 Server Daemon.
Apr 05 17:57:10 centos7-01a.vm.example.com dhcpd[956]: failover peer allvm: I move from startup to recover

The solution

With the help of a post on the World Wide Web, I have shamelessly ripped off a firewalld service file. Loading this file into the firewall daemon solved my dhcp failover peer communication problem. Do this on both servers.

tf=/usr/lib/firewalld/services/dhcpd-failover.xml
touch "${tf}"; chmod 0644 "${tf}"
cat <<EOF >"${tf}"
<?xml version="1.0" encoding="utf-8"?>
<!-- Reference: https://www.centos.org/forums/viewtopic.php?t=54348 -->
<service version="1.0">
  <short>DHCPD Failover</short>
  <description>This allows a DHCP server to communicate with a failover peer.</description>
  <port protocol="tcp" port="647" />
</service>
EOF
systemctl reload firewalld.service
firewall-cmd --permanent --add-service=dhcpd-failover
firewall-cmd --reload

References

Weblinks

https://www.centos.org/forums/viewtopic.php?t=54348
DHCP failover guide http://geekyadmins.com/dhcp-server-setup-with-failover-in-centos-7/

firewalld open nfs

bgstack15 — Wed, 14 Dec 2016 15:12:46 GMT

Overview

Joining the many other www pages about opening up your host firewall to allow nfs is this one! On CentOS 7, which went systemd for better or for worse, firewalld is the default firewall solution. I like how everything is a file, so you can just use xml to make things extensible. firewall-cmd --permanent --add-service=nfs --add-service=rpc-bind --add-service=mountd firewall-cmd --reload That's it! You just need to open up the predefined services nfs, rpc-bind, and mountd. Thanks to all the countless posts out there that helped me research this. I didn't save any of the links, because this time I'm assuming it's such general knowledge it doesn't need special credits. Bonus: if you want to read the definitions of the predefined services and other elements for firewalld, check out directory /usr/lib/firewalld/. I know I've written my own service definitions (for Plex Media Server) in the past.