What source to allow traffic from IPFire itself only?

Hello,

What Source should I use in a Firewall rule which would only allow outbound internet traffic from IPFire itself?

I’d like to ensure all my internal devices use IPFire for DNS.
So I’ve tried adding rules to block:

  • UDP/53, TCP/53 and TCP/853
  • TCP/443 and UDP/443 to known public DNS servers

…however I can’t seem to find the right logic to allow only IPFire itself to keep making DNS queries.

If I allow “Interface RED” then I actually permit all DNS from internal devices in the process.

Thank you!

Looks like “Interface RED” is correct and my testing was mistaken.

Sorry!

PS: It would give me confidence if someone could please confirm this anyway! :smiley:
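The distinction the thread settles on (queries the firewall host itself originates versus traffic forwarded from internal devices) expressed as plain iptables rules, added here as an illustration that is not IPFire's own rule set; IPFire generates its chains from the web UI and would overwrite rules added by hand. The interface name eth1, the LAN range 192.168.1.0/24 and the resolver list are placeholders.

```shell
#!/bin/sh
# Illustration of the OUTPUT-vs-FORWARD logic behind "allow DNS from the
# firewall itself only". Assumed placeholders: RED is the WAN interface,
# GREEN_NET the internal network, DOH_RESOLVERS a constructed sample list
# of well-known public resolvers to block on 443.
RED="${RED:-eth1}"
GREEN_NET="${GREEN_NET:-192.168.1.0/24}"
DOH_RESOLVERS="${DOH_RESOLVERS:-1.1.1.1 8.8.8.8 9.9.9.9}"
IPT="${IPT:-iptables}"   # set IPT=echo for a dry run that only prints the rules

run() { "$IPT" "$@"; }

apply_dns_egress_policy() {
  # Packets the firewall host generates traverse OUTPUT, so DNS and DoT are
  # allowed there only; internal devices traverse FORWARD and never match these.
  run -A OUTPUT -o "$RED" -p udp --dport 53  -j ACCEPT || return 1
  run -A OUTPUT -o "$RED" -p tcp --dport 53  -j ACCEPT || return 1
  run -A OUTPUT -o "$RED" -p tcp --dport 853 -j ACCEPT || return 1

  # Internal devices: log (for detection of misconfigured clients) then drop
  # direct DNS / DoT leaving via RED. $rule is intentionally unquoted so the
  # shell splits it into separate iptables arguments.
  for rule in "-p udp --dport 53" "-p tcp --dport 53" "-p tcp --dport 853"; do
    run -A FORWARD -s "$GREEN_NET" -o "$RED" $rule -j LOG --log-prefix "DNS-EGRESS " || return 1
    run -A FORWARD -s "$GREEN_NET" -o "$RED" $rule -j DROP || return 1
  done

  # DoH: 443 cannot be blocked wholesale, so only known resolver addresses are dropped.
  for r in $DOH_RESOLVERS; do
    run -A FORWARD -s "$GREEN_NET" -o "$RED" -d "$r" -p tcp --dport 443 -j DROP || return 1
    run -A FORWARD -s "$GREEN_NET" -o "$RED" -d "$r" -p udp --dport 443 -j DROP || return 1
  done
}
```

Run with `IPT=echo` first to review the generated rules; only the firewall's own OUTPUT chain receives ACCEPT rules, which is why "Interface RED" as the source does not open DNS for internal hosts.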

Have you read the following documentation page?

Regards


Thanks, but that’s only helpful if you are using IPFire as your DNS server. I’m not.

Why do you not use IPFire as DNS server?

Hello,
dnsmasq on IPFire is great, but I have been using a local DNS caching server. It allows me to run a DNS ad and tracker blocker as well as allowing fine-grained control over which devices can resolve which categories (and custom block rules). I find this very helpful in combination with firewall rules in IPFire.

For example I can use a wide-ranging ad block rule but have an allow list for specific URLs on my media streaming device (an Apple TV) as those URLs appear to be required for specific streaming services.

Further along this tangent, it would be nice if IPFire could allow the option of applying rules for DNS names as many commercial Firewalls do. I recognise it would be only as secure as your downstream DNS source, but with DoT and (limited adoption of) DNSSEC hopefully it wouldn’t add much risk.

The name resolver (DNS server) in IPFire is Unbound!
If you use block and allow lists for name resolution with your local ‘DNS caching server’ (what program?), this can be done with Unbound also (using RPZ lists).

The solution with IPFire as DNS server is more straightforward, IMO. The target for name resolution is mainly the ‘internet’ (the device which provides access to it = IPFire). A config with a separate DNS server in the local network may be more error-prone.