I’d like to configure the firewall to allow or reject based on domain names (FQDNs), ideally in ipsets.
My end goal is to allow the smart tv to only have access to the absolutely necessary destinations for apps like disney plus to work.
I managed to identify the domains and the related IP addresses using mitmproxy. And I configured the firewall ipset using the IP addresses. But I’d like omnia to update the ipsets because many of them use CDNs and they change the IP addresses from time to time.
I noticed that domain-based ipsets are possible within the DHCP and DNS LuCI section of Omnia, but fw4 doesn’t use them. It uses the ipsets which are in the firewall section.
Am I missing something? Is it possible to use domain-based ipsets with fw4?
Are there tools to make this easy, e.g. something which would regularly resolve the domains and replace the IP addresses in the fw4 ipset?
When I get back home I will share a shell script that I use to populate ipsets.
I have it set for some IoT devices so they have access only to stuff they need to function.
Basically I use an ipset in a file and a cronjob every 6h and on @reboot to update the ipsets and reload the firewall.
But I am restricting traffic based on AS numbers and subnets. It should be fairly simple to adapt that to use FQDNs and resolve them to IPs. There is some limitation in LuCI to select that ipset from a file. I don't remember exactly what it was, but I will remind myself when I look into it again.
So I did some more searching and found a few good sources of documentation.
General nftables’ sets documentation:
And this page basically is what I wanted:
The current Omnia 7.1.4 is based on OpenWrt 22.03 and the dnsmasq-full version is 2.86-17, meaning that dnsmasq and fw4 are not fully integrated for this. There is CASE #2, for older versions of dnsmasq, to use dig to resolve the domains and use a script in crontab to populate the ipset.
By trying these I realized that the best way is to create the fw4 ipset in LuCI and configure the timeout. The fw4 ipset in LuCI can only take files from /etc/luci-upload/, so I create the initial ipset there. If the fw4 ipset timeout is not configured at the time when the ipset is created, it cannot be added later.
Since all of the above is possible via LuCI, I skipped editing /etc/hotplug.d/iface/20-firewall.
I created one file containing the domain list, a script which resolves all of the domains and adds the IP addresses as elements to the fw4 ipset, and a crontab.
The next minor version, so called "here be lions", contains dnsmasq-full 2.90-2 and therefore should support the full integration of dnsmasq domain-based ipsets with fw4.
Does anyone know when this will become the stable release?
That was the thing! So I created null.ipset in that folder just to use the handy WebUI to create ipsets, and then edited firewall.config using nano and pointed it to the actual ipset which is created by a cronjob on the mSATA drive mounted at /srv, and it works. Just make sure to include a firewall reload when changing the ipset's content. It's a limitation of old LuCI, not the programs underneath. I do not remember anything about timeouts, though. I do not recall such a thing. But now I see I have it set to 0 for some reason.
Hopefully yesterday, but 2 years ago… But realistically, when the Turris team reminds themselves that there is something like their forum and a huge amount of people waiting until they move their asses with the release. I am observing GitLab. And believe me, they just do bullshit there instead of focusing on releasing a supported version.
Like, for example, re-inventing the wheel and simple changes adding the "greatest functionality" to reForis to "restart interface" from their own developed GUI, which is just a wrapper for something that was always there in LuCI. Personally, for me it is a waste of the CPU time of a developer's brain. But well…
Here is how I added the ipset part of the /etc/config/firewall file:
config ipset
option timeout '0'
option loadfile '/srv/ipsets/api_github_com_ipv4'
option name 'api_github_com_ipv4'
option family 'ipv4'
list match 'dest_net'
And here it is used for the rule:
config rule
list proto 'tcp'
list src_ip '192.168.x.x'
option dest 'wan'
option target 'ACCEPT'
option src 'iot'
option ipset 'api_github_com_ipv4'
list src_mac '24:18:C6:xx:xx:xx'
option name 'Allow api.github.com for robot'
option dest_port '443'
option family 'ipv4'
option limit '10/second'
option device 'br-lan.1111'
option direction 'in'
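As an added example (not a script posted by anyone in this thread), here is a POSIX sh script that does what both approaches above describe: it resolves a list of FQDNs with dig (the "CASE #2" recipe for dnsmasq older than 2.90), writes the file that the `option loadfile` of a `config ipset` section points at, and then either swaps the elements of the live `inet fw4` set with a per-element timeout or, if the set does not exist yet, reloads the firewall so fw4 reads the loadfile. The set name `disneyplus_ipv4`, the paths under /srv/ipsets, the 12h element timeout and the cron lines are assumptions; adjust them to your own `config ipset`. If DNS fails and nothing resolves, the previous loadfile is kept rather than replacing the allowlist with an empty set.

```shell
#!/bin/sh
# Added example, not from the thread: resolve a list of FQDNs to IPv4
# addresses, write the fw4 "loadfile" for the set, and push the addresses
# into the running nft set with an element timeout so CDN addresses that
# DNS stops returning expire instead of accumulating.
# Set name, paths, timeout and resolver command are assumptions; override
# them via the environment or edit the defaults.

SET_NAME="${SET_NAME:-disneyplus_ipv4}"                      # 'option name' in /etc/config/firewall
DOMAIN_FILE="${DOMAIN_FILE:-/srv/ipsets/disneyplus.domains}" # one FQDN per line, '#' comments allowed
LOADFILE="${LOADFILE:-/srv/ipsets/$SET_NAME}"                # 'option loadfile' in /etc/config/firewall
ELEMENT_TIMEOUT="${ELEMENT_TIMEOUT:-12h}"                    # longer than the 6h cron interval
RESOLVE_CMD="${RESOLVE_CMD:-dig +short A}"                   # the dig-based "CASE #2" resolver

# Print the A records of one name, one per line. dig +short also prints
# CNAME targets, so keep only dotted-quad lines.
resolve_a() {
    $RESOLVE_CMD "$1" 2>/dev/null | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Resolve every FQDN in file $1 and print a sorted, de-duplicated address list.
resolve_list() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | while read -r dom; do
        resolve_a "$dom" || true      # a name with no A record is not fatal
    done | sort -u
}

# Emit an nft batch that replaces the set's elements in one transaction.
# $1 = set name, $2 = address file, $3 = per-element timeout.
# fw4 creates its sets in the "inet fw4" table.
nft_batch() {
    echo "flush set inet fw4 $1"
    while read -r ip; do
        if [ -n "$ip" ]; then
            echo "add element inet fw4 $1 { $ip timeout $3 }"
        fi
    done < "$2"
}

# Resolve, write the loadfile atomically, then update the live set.
update_set() {
    tmp=$(mktemp "$LOADFILE.XXXXXX") || return 1
    resolve_list "$DOMAIN_FILE" > "$tmp"
    if [ ! -s "$tmp" ]; then
        echo "update_set: nothing resolved, keeping $LOADFILE" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$LOADFILE"
    if command -v nft >/dev/null 2>&1 && nft list set inet fw4 "$SET_NAME" >/dev/null 2>&1; then
        # set already exists: swap its elements without a full firewall reload
        nft_batch "$SET_NAME" "$LOADFILE" "$ELEMENT_TIMEOUT" | nft -f -
    elif [ -x /etc/init.d/firewall ]; then
        # set not created yet (e.g. first run after boot): let fw4 read the loadfile
        /etc/init.d/firewall reload
    fi
}

# Run only when invoked with "run", e.g. from root's crontab (assumed lines):
#   0 */6 * * * /srv/ipsets/update-fqdn-set.sh run
#   @reboot     sleep 60 && /srv/ipsets/update-fqdn-set.sh run
if [ "${1:-}" = "run" ]; then
    update_set
fi
```

The element timeout only has an effect if the `config ipset` section was created with `option timeout` (a non-zero value), which is why the set's timeout has to be chosen when the set is first created; with `option timeout '0'` the elements are permanent and the `flush set` in the batch is what removes stale addresses.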