I am trying to configure a really basic configuration. This is the goal:
Block all traffic from green to red except DNS messages.
This is what I did:
In firewall rules I configured a line as follows:
From all networks to the red network: drop all protocols.
Above this rule I allowed all traffic from all networks to red for port 53 (UDP and TCP).
When I check the DNS servers from the ISP they provide an error indicating that they could not be reached. Only if I disable the block rule are the DNS servers reachable again.
I understood that the rule highest in the list will be hit first. Why is the DNS traffic not going through?
So.
Firewall rule to allow to WUI
Firewall rule to allow DNS service
Setup as a service group.
Change default firewall behavior to block forward traffic.
Hope that helps.
You could use IPFire DNS.
And redirect all DNS to the firewall.
And
I created a service group named DNS and added DNS(TCP) and DNS(UDP) as service.
I blocked the forward traffic in the default behavior.
In the firewall rules I added a rule from any to red and configured the protocol preset and added the configured service group.
I made sure that this allow rule is higher than the block all.
I applied the changes.
I checked under network/domain name system and pressed check dns servers. No luck.
Error message can’t send query to ip@(UDP).
The traffic that you want to allow does not have “red” as its target. Use “all” instead. (In firewall rules “red” is only the IP of the firewall itself.)
Thanks a lot for your suggestions. I did some testing. I will provide you the summary of the steps done:
@arne_f I changed the destination from RED to any. Attached you can find the screenshot in the file regel.png. The configuration was:
Source any, destination any and port allowed 53. When I checked the DNS servers they were still not reachable.
@pscar13
I configured DNSSEC based on the information you provided. You can find the screenshots attached. These were the steps executed:
Configured flokinet with TLS and deactivated ISP.
Configured the service group DNS and added this in the rule.
Configured DHCP primary DNS to the IP of the firewall.
Conclusion: after this configuration I could reach the DNS servers (DNS and DNSSEC). Good news!
Do I understand correctly that:
The DNS request is sent to the firewall’s IP address (because of primary DNS in the DHCP configuration). Because of the rule the traffic is allowed to go to the internet. In order to allow the DNSSEC communication it is important that also port 853 is opened next to port 53 (for normal DNS).
What is the goal of blocking the forward traffic in the firewall options?
If I want to trace the traffic to see if the rule is working, can I use tcpdump? Which command is the best to do so? tcpdump -i red0 port 53
Or is it better to trace on green0?