Block all except DNS traffic

Hi all,

I try to configure a really basic configuration. This is the goal:

Block all traffic from green to red except DNS messages.

This is what I did:
In firewall rules I configured a line as follows:
from all network to red network drop all protocols.
Above this rule I allowed all traffic from all networks to red for port 53 (UDP and TCP).

When I check the DNS servers from ISP they provide an error indicating that they could not be reached. Only if I disable the block rule the DNS servers are again reachable.

I understood that the rule the highest in the list will be hit first. Why is the DNS traffic not going trough?

Thanks a lot

Welcome

So.
Firewall rule to allow to WUI
Firewall rule to allow DNS service
Setup as a service group.
Change default firewall behavior to block forward traffic.

Hope that helps.

You could use ipfire DNS.Domain Name System.
And redirect all DNS to the firewall.
And

1 Like

Thanks a lot for the quick reply.

I created a service group named DNS and added DNS(TCP) and DNS(UDP) as service.
I blocked the forward trafic in the default behavoir.
In the firewall rules i added a rule from any to red and configured the protocol preset and added the configured service group.
I made sure that this allow rule is higher then the block all.
I applied the changes.
I checked under network/domain name system and pressed check dns servers. No luck.
Error message can’t send query to ip@(UDP).

Do I do something wrong?

Does ipfire have a firewall rule for it to get DNS?
Perhaps add rule
Ipfire firewall to DNS in red zone or any

1 Like

I don’t know why you want to block everything except DNS but here is a solution To meet your need

Ipfire uses DNSSEC

  • Network → Domain name system
    Configure your DNS servers as described here
  • Firewall
    Create the rules and configuration described here

Then

  • Firewall → Options
    Default firewall behaviour
    Choose FORWARD : Blocked

Thats all !

2 Likes

The traffic that you want to allow has not “red” as target. Use “all” instead. (in firewall rules “red” is only the IP of the firewall itself)

4 Likes

All,

Thanks a lot for your suggestions. I did some testing. I will provide you the summary of the steps done:

@arne_f I changed the destination from RED to any. In attach you can find the screenshot in file regel.png. The configuration was:
Source any, destination any and port allowed 53. When I checked the DNS servers they were still not reachable.

@pscar13
I configured DNSSEC based on the information you provided. You can find the screenshots in attach. These were the steps executed:

  • Configured flokinet with TLS and deactivate ISP.
  • Configured the service group DNS and added this in the rule.
  • Configured DHCP primary DNS to the ip of the firewall
  • Blocked forward traffic in options.

Then I checked the DNS and still no succes.

Remove these Firewall rules
Capture d’écran 2022-11-03 183704

Add TCP 853 to DNS group for use TLS

2 Likes

@pscar13 Thanks a lot for your assistance. I performed the configuration as you explained. See the results below:

Conclusion: after this configuration I could reach the DNS servers (DNS and DNSSEC). Good news!

Do I understand correct that:

The DNS request is send to de firewall’s IP adres (because of primary DNS in the DHCP configuration). Because of the rule the traffic is allowed to go to the internet. In order to allow the DNSSEC communication it is important that also port 853 is opened next to port 53 (for normal DNS).

What is the goal of blocking the forward traffic in the firewall options?

If I want to trace the traffic to see if the rule is working, can I use tcpdump? Which command is the best to do so?
tcpdump -i red0 port 53
Or is it better to trace on green0?

1 Like

Good News !

I am not an Ipfire expert but only a user like you.

FORWARD firewall option is the default iptable rule.

tcpdump -i red0 port 53 or 853
or
tcpdump -i ppp0 port 53 or 853
if you use ppp internet connection

best regards

1 Like