DNS Firewall: Exempt some users from the rule

The DNS Firewall feature affects all users, but how can we exclude certain users from DNS Firewall blocks?

@furkanarik061 , welcome to the community.

What do you mean by ‘user’? A physical person or a specific device?

For example, when a DNS firewall blocks the xxx.com domain, this applies to all users, but some computers need to be able to bypass the block.

I don’t think there’s such an option; it’s enabled globally for IPFire. To make it work granularly, a good place would be to define it in the security rules as another condition.

Hi @furkanarik061

Yes, this should be possible. You will need to press edit on the list you want to adjust using the pencil icon and work out the CIDR difference and enter it into “custom source”.

For example, if you want to block everything on the 192.168.0.0/24 range other than 192.168.0.55 you will need to enter in the custom source field:

192.168.0.0/27 192.168.0.128/25 192.168.0.32/28 192.168.0.48/30 192.168.0.52/31 192.168.0.54/32 192.168.0.56/29 192.168.0.64/26

You can use a calculator like www.ip.network/tools/cidr-diff to work out the difference.

Hope this helps.

Thanks,
A G
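As an added example (not from this thread and not IPFire's own code): the CIDR difference A G describes, computed with Python's standard ipaddress module and generalised to several exempt hosts, which is what later posts in the thread ask for. The resulting blocks are what you would paste into the "custom source" field, and check_coverage confirms that every non-exempt address of the zone is still covered.

```python
import ipaddress


def exempt_hosts(zone, exempt):
    """Return the CIDR blocks that cover `zone` minus every host in `exempt`.

    Each exempt host is carved out in turn: the block that contains it is
    split around it with address_exclude, all other blocks are kept as-is.
    Hosts outside the zone are ignored.  Result is sorted by address.
    """
    blocks = [ipaddress.ip_network(zone)]
    for host in exempt:
        h = ipaddress.ip_network(host)  # a bare address becomes a /32
        remaining = []
        for b in blocks:
            if h.subnet_of(b):
                remaining.extend(b.address_exclude(h))  # split b around h
            else:
                remaining.append(b)
        blocks = remaining
    return [str(b) for b in sorted(blocks)]


def check_coverage(zone, exempt, blocks):
    """True iff each zone address is in some block exactly when it is not exempt.

    Brute force over the zone; fine for the /24-sized zones discussed here.
    """
    net = ipaddress.ip_network(zone)
    ex = [ipaddress.ip_network(h) for h in exempt]
    bl = [ipaddress.ip_network(b) for b in blocks]
    for addr in net:
        is_exempt = any(addr in n for n in ex)
        is_covered = any(addr in b for b in bl)
        if is_exempt == is_covered:
            return False
    return True


if __name__ == "__main__":
    # The case from the thread: everything in 192.168.0.0/24 except .55
    blocks = exempt_hosts("192.168.0.0/24", ["192.168.0.55"])
    print(" ".join(blocks))
    print("coverage ok:", check_coverage("192.168.0.0/24", ["192.168.0.55"], blocks))
```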

I understand that the definition is supposed to be here:

Custom source

You have selected the GREEN, BLUE and ORANGE Zones. This means that any blocking will only cover those parts of the network and will not cover the IPFire system itself as it is not part of any of those zones but the interface between them.

That would mean that if your clients are using the IPFire web proxy via their browsers, automatic or manual setup, then that traffic will not get blocked as the traffic would be going to the DNS from the web proxy which is inside IPFire itself and not in any of the three Zones.

Is it then possible to unselect a specific zone (or zones), e.g. if I only wanted to do DNS filtering on BLUE?

It seems to me that for each category you can do anything per zone.

Hi all,

Same questions here.

Sorry for my English.

I use AdGuard on my LAN; I would like to use DNS Firewall with IPFire and remove AdGuard in the future.

In AdGuard, I have custom allow lists, but not for all the computers on my LAN, only for some computers (I use fixed IP addresses).

They look like this:

v20.events.data.microsoft.com^$client=192.168.2.5|192.168.4.2|192.168.2.9
shopping.rakuten.com^$client='192.168.2.5'

I understand that it is not possible to do that with the custom allow lists in DNS Firewall?

Do you think that will be possible in the future?

Thx

Hi

This is possible if you use a URL filter, but it seems that DNS Firewall can only distinguish them by zone.

Yes, you can absolutely do this. Enable the category and then click on the little pencil to edit the ACL. You can select an entire zone only or even define single IP addresses or subnets where that category will only apply.

So you can have different policies in your guest network, keep your children off the piracy websites, and what not.

Thanks @ms !

Dear Michael

Don’t you think typing IP addresses one by one would be difficult in environments with many users?

For example, why does a host group get blocked by DNS Firewall when it’s supposed to bypass the firewall’s rejection path? Normally, when this rule is running, it doesn’t get blocked by URL filters.

Yes but it is globally by category.

Sometimes I just want to authorise only one or two domains (Microsoft Rewards, shop, social, etc.) for only one or two IPs on green or blue, and not for all the IPs of those zones.

You are right. The WUI allows only IPs or subnets for blocking.
Allowing special IPs from zone means blocking all other IPs of the zone.
This is best done with a logical separation of your zone: an address pool for allowed devices and another for the rest. The IP sets which DHCP generates (dynamic, fixed, static) may help.
Give dynamic IPs low values and put fixed IPs in the upper part of the network. If the allowed IPs are all above a certain value, you can block the lower part.