Thanks. Just what I needed.
On Sun, Jul 15, 2012 at 7:39 PM, Lonnie Abelbeck <[email protected]> wrote:
> David,
>
> With the general DNS block in place...
>
> LAN_INET_HOST_OPEN_UDP="192.168.1.99>0/0~53"
>
> will allow the internal 192.168.1.99 device to access any external DNS
> server.
>
> Lonnie
>
> PS: In the web interface we don't support "Pass LAN->EXT" rules, since
> that is the default policy and would seem confusing, but coupled with
> "Deny LAN->EXT" it can be useful it seems.
>
>
>
> On Jul 15, 2012, at 6:12 PM, David Kerr wrote:
>
> > Yes I agree. Of course since turning on blocking I find that I have a
> > VoIP adapter that is remotely administered by "someone else" and it is
> > pointing to an external DNS server. Fortunately the logs identified this.
> > So I need to explicitly allow one internal IP to access an external DNS.
> >
> > David
> >
> > On Sun, Jul 15, 2012 at 6:57 PM, Lonnie Abelbeck <[email protected]> wrote:
> > David,
> >
> > Yes, blocking is best, the "iptables -t nat -A PREROUTING" technique
> > described only works with IPv4, plus those rules would get a *lot* of
> > matches.
> >
> > Lonnie
> >
> >
> > On Jul 15, 2012, at 5:11 PM, David Kerr wrote:
> >
> > > Thanks Lonnie. Blocking port 53 is the simplest way to go I think.
> > > Googling also turns up...
> > > http://www.dd-wrt.com/wiki/index.php/OpenDNS
> > > Scroll down that page and you find a way to intercept all port 53
> > > requests and send them somewhere else silently... so DNS requests
> > > satisfied, just not by the server the user expected.
> > >
> > > David
> > >
> > >
> > > On Sun, Jul 15, 2012 at 6:00 PM, Lonnie Abelbeck <[email protected]> wrote:
> > > Hi David,
> > >
> > > From the Network -> Firewall tab
> > >
> > > Deny LAN->EXT TCP/UDP 0/0 0/0 53
> > >
> > >
> > >
> > >
> > > This applies for both IPv4 and IPv6 if enabled. TCP is seldom used,
> > > but best to also block it.
> > >
> > >
> > > Now for the extra credit, :-), this can't be done via the Firewall
> > > tab, but if you also add the AIF variable to your user.conf:
> > >
> > > LAN_INET_HOST_OPEN_UDP="0/0>208.67.222.222~53 0/0>208.67.220.220~53"
> > >
> > > That will allow the LAN to directly access the OpenDNS IPv4 servers
> > > with the Firewall tab rule applied, (also define LAN_INET_HOST_OPEN_TCP the
> > > same if you wish). IMHO not worth the effort, why not force all LAN users
> > > to use the local caching DNS server.
> > >
> > > Lonnie
> > >
> > >
> > > On Jul 15, 2012, at 4:01 PM, David Kerr wrote:
> > >
> > > > So, the OpenDNS was mentioned on this list a few days ago. I use
> > > > this service and the mention on this list prompted me to check my settings
> > > > to make sure that I was still appropriately blocking access to web site
> > > > categories. And it started me thinking... it would be easy for a savvy
> > > > user to reconfigure their client DNS settings such that it no longer
> > > > pointed to 192.168.1.1 (or whatever AstLinux is on your network, or
> > > > whatever DHCP returned) and instead pointed to a public DNS server, maybe
> > > > my ISP's DNS server.
> > > >
> > > > So... is there a way to configure the AstLinux firewall to block DNS
> > > > requests from any internal client to any external DNS server? In other
> > > > words, enforce internal clients to use the AstLinux DNS server. For extra
> > > > credit... a rule that would nevertheless permit access to the OpenDNS
> > > > servers 208.67.222.222 and 208.67.220.220.
> > > >
> > > > Thanks,
> > > > David
> > >
> > >
> > >
> > >
> > >
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Astlinux-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/astlinux-users
Donations to support AstLinux are graciously accepted via PayPal to
[email protected].
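The policy worked out in this thread (a "Deny LAN->EXT TCP/UDP 0/0 0/0 53" rule, with LAN_INET_HOST_OPEN_UDP entries punching holes for one host or for the OpenDNS servers) depends on rule order: the host-open allows must be evaluated before the general port-53 deny, and anything else falls through to AIF's default pass policy for LAN->EXT. The following model, added here as an example and not AstLinux's or Arno's Iptables Firewall's own code, parses the "src>dst~port" entry syntax quoted above and evaluates packets first-match so the ordering can be checked before touching a live firewall. The iptables lines it renders, the interface names eth0 (LAN) and eth1 (EXT), the IPv4-only handling, and the TEST-NET address 203.0.113.53 standing in for an outside resolver are all assumptions made for illustration; AIF's generated rules look different.

```python
"""Model of the LAN->EXT DNS policy discussed in this thread (added example)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import List

# One "src>dst~port" item; src/dst are hosts or CIDR networks, "0/0" means any.
ENTRY_RE = re.compile(r"^(?P<src>[^>]+)>(?P<dst>[^~]+)~(?P<port>\d+)$")


@dataclass(frozen=True)
class HostOpen:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: int


def _network(value: str) -> ipaddress.IPv4Network:
    """Translate an AIF address field into a network ("0/0" = every IPv4 host)."""
    if value == "0/0":
        return ipaddress.ip_network("0.0.0.0/0")
    # A bare host such as 192.168.1.99 becomes a /32; strict=False keeps host bits.
    return ipaddress.ip_network(value, strict=False)


def parse_host_open(var: str) -> List[HostOpen]:
    """Parse the value of LAN_INET_HOST_OPEN_UDP or _TCP into entries."""
    entries = []
    for item in var.split():
        m = ENTRY_RE.match(item)
        if m is None:
            raise ValueError(f"malformed AIF host-open entry: {item!r}")
        port = int(m["port"])
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range in entry: {item!r}")
        entries.append(HostOpen(_network(m["src"]), _network(m["dst"]), port))
    return entries


def decide(udp_var: str, tcp_var: str, src: str, dst: str,
           proto: str, dport: int, blocked_port: int = 53) -> str:
    """First-match verdict for one LAN->EXT packet under the thread's policy.

    Host-open allows are consulted before the general port-53 deny; anything
    matching neither falls through to the default LAN->EXT policy, which
    Lonnie describes as pass.
    """
    allows = parse_host_open(udp_var if proto == "udp" else tcp_var)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in allows:
        if dport == e.port and s in e.src and d in e.dst:
            return "ACCEPT"
    if dport == blocked_port:
        return "DROP"
    return "ACCEPT"


def render_iptables(udp_var: str, tcp_var: str = "", lan_if: str = "eth0",
                    ext_if: str = "eth1", blocked_port: int = 53) -> List[str]:
    """Render the same policy as iptables FORWARD rules (assumed illustrative form).

    Allows are emitted first, then the TCP and UDP denies, because iptables
    also evaluates a chain top to bottom with first match winning.
    """
    rules = []
    for proto, var in (("udp", udp_var), ("tcp", tcp_var)):
        for e in parse_host_open(var):
            rules.append(
                f"iptables -A FORWARD -i {lan_if} -o {ext_if} -p {proto} "
                f"-s {e.src} -d {e.dst} --dport {e.port} -j ACCEPT")
    for proto in ("tcp", "udp"):
        rules.append(
            f"iptables -A FORWARD -i {lan_if} -o {ext_if} -p {proto} "
            f"--dport {blocked_port} -j DROP")
    return rules


if __name__ == "__main__":
    # Constructed sample: the VoIP adapter from the thread plus an ordinary client;
    # 203.0.113.53 is a TEST-NET address standing in for an outside resolver.
    voip_allow = "192.168.1.99>0/0~53"
    opendns_allow = "0/0>208.67.222.222~53 0/0>208.67.220.220~53"
    print(decide(voip_allow, "", "192.168.1.99", "203.0.113.53", "udp", 53))  # ACCEPT
    print(decide(voip_allow, "", "192.168.1.50", "203.0.113.53", "udp", 53))  # DROP
    print(decide(opendns_allow, "", "192.168.1.50", "208.67.222.222", "udp", 53))  # ACCEPT
    for line in render_iptables(voip_allow):
        print(line)
```

Note that the host-open entry in the thread only covers UDP; with LAN_INET_HOST_OPEN_TCP left empty the model drops the same host's TCP/53 traffic, which is exactly the case Lonnie's "also define LAN_INET_HOST_OPEN_TCP the same if you wish" remark covers.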