Allow DNS by blocking the rest outgoing connections

sorry for that question, but i seem not to get it.
I want to block all outgoing traffic and allow it manualy.

So far so good. I made rules for green clients to red network.
But the problem are the internal DOT-Servers, they can not go outside.
So i made rules for them:

from red firewall with source nat for red to the ip of the dns with the 853 tcp port (source port something like 53625)

But it has no effect, drop_output in the log to the dns servers

Any idea?
best regards

It might help if you include a screen shot of the entire firewall rule…

screen shot with Qubes OS, you are crazy :smiley:
i’ll do it tomorrow via smartphone. :slight_smile:

smartphone will work!!

outgoing traffic

Hi fstarter!

Try setting up rules without “Natting”.

brgds, Wayne

ok, i got it!
it was not NAT, but the source port. The field must be empty, than it just takes any source port.



screen shot with Qubes OS, you are crazy :smiley:

just to have it mentioned: Screenshots are possible within Qubes OS, however,
the files will be saved in dom0, and you will have to copy or move them to
the desired VM.

Please refer to the Qubes OS documentation for further information on this. :slight_smile:

Thanks, and best regards,
Peter Müller


since IPFire uses HTTPS (i. e. TCP with destination port 443) only, you could set up a
host group for all mirror servers, so you only need one firewall rule in order to permit
fetching updates.

Personally, I really like these, since they make things more straightforward. :slight_smile:

Please refer to the documentation for further information.

Thanks, and best regards,
Peter Müller

yes, that would be nice to get it just in one group, you’re right!
And yes, i forgot about the possibility of screenshot… sure, it works :slight_smile:


Might be of use to you, happy to share a text version of the group if it helps.




Might be of use to you, happy to share a text version of the group if it helps.

this would be certainly helpful.

Perhaps we should add such a list to the Wiki to make this step easier for new users
as well. On the other hand, this needs some automation, since mirror IP addresses may
change at any time…

Thanks, and best regards,
Peter Müller


Zipped text file of IPFire mirrors attached. (556 Bytes)

Happy to add to Wiki if you point me to the right page (1st timer).

Unsure how to automate as suggested but certianly happy to update from time to time as mirrors change.


1 Like

ah, very nice! thank you!
does it make sense to add just the national servers?

I tried that when creating the group but found pakfire randomly selecting a mirror so I ditched the idea of a limited mirror list and just went ahead and added them all.

ok, better idea! :slight_smile:

Here ya go! Let us know if you have questions!

Can you remember the copy and paste file i provide you in the past? :wink:

@anon33261557… I must be getting “oldtimers” because I totally forgot about your reply back in September. Had I remembered I would have pointed the good folks to that topic. Thanks for pointing that out.

Maybe I’m not the only one with “oldtimers” - I’ve noticed in the forum how some questions get asked again eventhough they have already been answered in a previous post / topic.

My New Year’s resolution… make better use of IPFire forum archives!

In the meantime, wishing you all the very best for Xmas 2020.

Had a look at that page and noticed a list of mirrors already made known here:

Not sure if there’s any benefit in adding a separate text attachment with same servers - could lead to confusion if / when mirrors servers change.