My First Firewall Rule

I have been using IPFire at home for a few years – using IPS, GeoIP Block, and the timfprogs / ipfblocklist. However, I have never tried to actually (knowingly) create firewall rules.
Today I tried following the Wiki instructions for Force clients to use IPFire’s DNS proxy.
It seems that whenever I add any of the rules for either of the two options mentioned, I get the red bar at the bottom saying Policy: Blocked. I suspect I have some configuration setting screwing things up but as I surf through the Wiki, Community, and old forum, this all makes my simple caveman brain hurt. Anyone venture to guess where I may have gone wrong? It is probably blatantly obvious but I admit to being a slow-witted mere user.

The steps I was following: https://wiki.ipfire.org/configuration/firewall/dns

Image of first rule from option one: 1. Redirect all DNS traffic to IPFire’s DNS proxy

From the same link in the wiki:

Note!
Only option 2. Block all DNS traffic except through IPFire’s DNS proxy (below) works. This is because the target for redirected DNS requests is not the firewall itself and an “any” rule is currently not accepted for DNAT rules in the IPFire WUI. Hopefully this will be possible in future.

You have to use method 2. Policy blocked is the default, you have to open the access to DNS.

Hi @cbrown .

That red comment, I think, is the policy that is applied by default, denying all incoming requests. If you ever want to allow something, the corresponding allow rule has to be created.

The one you have created is automatically blocked, but for the rest, the default policy will be applied, which is to block.

I think the definition of these default policies is found in the Firewall options.


Regards.

Thanks for your reply. I have also tried Option 2 and I still get the same Policy: Blocked indication.
Am I not entering the rule as shown in the Wiki?
Note: this first rule is from step: 2. Create “permit” incoming firewall rules for IPFire’s DNS server of the option: 2. Block all DNS traffic except through IPFire’s DNS proxy.


So are you saying that I should not be concerned about the red Policy: Blocked indication? I thought that was telling me that I had something configured incorrectly?

It’s working as intended. The policy is set to drop by default, with your rule you are overriding the policy. This is what the wui is telling you.

Yes. It’s supposed to be like that. :+1:

Thanks all for helping clarify that for me :cowboy_hat_face:

Does this rule need to use NAT?

Doing some web surfing, I came upon this technique for redirecting DNS traffic. Is this an okay thing to do? Are there problems with doing this on my IPFire box? If it is okay, then where should I put these commands so that they get persisted?

# Redirect Google DNS traffic from Green Network to IPFire’s DNS proxy
iptables -t nat -A PREROUTING -s 192.168.2.0/24 -d 8.8.0.0/16 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.2.1
iptables -t nat -A PREROUTING -s 192.168.2.0/24 -d 8.8.0.0/16 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.2.1

# Redirect Google DNS traffic from Blue Network to IPFire’s DNS proxy
iptables -t nat -A PREROUTING -s 192.168.3.0/24 -d 8.8.0.0/16 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.3.1
iptables -t nat -A PREROUTING -s 192.168.3.0/24 -d 8.8.0.0/16 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.3.1

firewall.local
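For the persistence question, here is an added example of what such a firewall.local could look like; it is not code from the thread or from the IPFire project. It assumes IPFire's start/stop/reload calling convention for /etc/sysconfig/firewall.local, the two networks and addresses from the posted rules, and a DRY_RUN switch that is my addition so the generated commands can be previewed without touching the live ruleset.

```shell
#!/bin/sh
# /etc/sysconfig/firewall.local (IPFire calls it with start|stop|reload).
# Added example, not from the thread or the IPFire project: it wraps the posted
# DNAT rules so they are added on start and removed on stop, which keeps a
# reload from appending duplicate PREROUTING entries with -A every time.

# Set DRY_RUN=1 to print the iptables commands instead of executing them.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# dns_redirect <-A|-D> <client network> <IPFire address on that network>
# Emits one UDP and one TCP rule. Only DNS aimed at 8.8.0.0/16 is caught;
# queries to any other public resolver still pass through untouched.
dns_redirect() {
    action="$1"; net="$2"; gw="$3"
    for proto in udp tcp; do
        run iptables -t nat "$action" PREROUTING -s "$net" -d 8.8.0.0/16 \
            -p "$proto" -m "$proto" --dport 53 -j DNAT --to-destination "$gw"
    done
}

# network:gateway pairs, constructed to match the rules posted above
DNS_NETS="192.168.2.0/24:192.168.2.1 192.168.3.0/24:192.168.3.1"

apply_dns_redirect() {
    for pair in $DNS_NETS; do
        dns_redirect "$1" "${pair%%:*}" "${pair##*:}"
    done
}

case "$1" in
  start)
        apply_dns_redirect -A
        ;;
  stop)
        # deleting rules that are already gone just reports an error; ignore it
        apply_dns_redirect -D 2>/dev/null
        ;;
  reload)
        $0 stop
        $0 start
        ;;
  *)
        echo "Usage: $0 {start|stop|reload}"
        ;;
esac
```

Run it once with DRY_RUN=1 and `start` to review the exact rules before letting IPFire apply them.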

Thanks :upside_down_face: