Hi Jonas,

On Fri, 31 Oct 2025 at 17:31, Jonas Lochmann <[email protected]> wrote:
>
> On Fri, Oct 31, 2025 at 04:30:49PM +0000, Aaron Gray wrote:
> > The initial concept is very simple, basically tallying all outgoing
> > and optionally incoming IP packets with a record of all DNS IP
> > requests, by using an iptables extension module.
>
> Why iptables and not nftables?

Sorry, I actually meant nftables; I have been using firewalling since the mid-2000s for servers.

> Why an extension module?

I thought a purpose-built module would potentially be more efficient and only possibly require one or two rules.

> All you need
> is already in the kernel: ip sets, rules and forwarding specific packets
> (DNS) to the user space.

So does the existing OpenVPN actually check IPs against previous DNS request reply IPs? If it is not an out-of-the-box configuration, how would I configure OpenVPN to do so please?

> > In addition to this, is the idea of an OpenWRT web user interface
> > extension to manage connections, this would show all open connections.
> > With the additional optional functionality of only allowing new
> > connections to new IP addresses and/or domains when they are validated
> > by the user. Any unknown IP traffic will be denied and flagged up with
> > reverse IP lookup attempted and domains displayed. Opinions for
> > allowing whitelists of all Ubuntu, Debian, Microsoft Windows,
> > installer and update IPs can also be added.
>
> Honestly, this sounds like some toy for people that don't know what
> they are doing.

I am not really that much of a noob; I did happen to have run dual mirrored servers for 7 years with 36 hours of downtime due to power and internet outages, of which 1 hour was my fault ;)

For running multiple devices using OpenWRT I would find proper instrumentation more than useful.

> CDNs limit its use.

How do Content Delivery Networks work with this? Is this just blacklists and whitelists rather than DNS-based blacklists? If there are whitelists for all the major operating systems' installation and updates this would be great!

> For restrictive setups, proxies are used today. Those could be
> transparent proxies.

I am not really sure how proxies are relevant, please explain.

Sorry, I don't wish to sound rude; I really don't know OpenWRT itself that well yet despite using it for a while.

Regards,

Aaron

--
Aaron Gray - https://github.com/AaronNGray
Meta-Mathematician, Independent Open Source Software Engineer, Computer Language Researcher and Designer, Type Theorist, Computer Scientist, Environmentalist and Climate Science Researcher and Disseminator.

_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
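The following is an added illustration of the kernel-native approach Jonas describes in the thread above (an nftables set, a forward rule that only accepts destinations present in that set, and DNS replies handed to userspace so they can populate the set). It is not code from either correspondent or from the OpenWrt project. The table name `inet egress`, the set name `dns_allowed`, the queue number, and the DNS response bytes are all constructed for this example; the userspace side parses a DNS answer section (including name compression) and emits the `nft add element` commands that would add each answered IPv4 address with a timeout equal to the record's TTL.

```python
"""Egress allowlist driven by DNS answers: nftables set + rule + DNS to userspace.

Constructed example. Table/set names, queue number and sample packet are assumptions.
"""
import ipaddress
import struct

# Hypothetical nftables ruleset. Outbound traffic from the LAN is only accepted when
# its destination is in the dynamic set; DNS replies are queued to userspace
# (queue num 0) so the parser below can add the answered addresses to the set.
NFT_RULESET = """\
table inet egress {
    set dns_allowed {
        type ipv4_addr
        flags timeout
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        udp sport 53 queue num 0
        ct state established,related accept
        udp dport 53 accept
        tcp dport 53 accept
        ip daddr @dns_allowed accept
        log prefix "egress-denied: " drop
    }
}
"""


def _read_name(msg, off):
    """Decode a (possibly compressed) DNS name at msg[off]; return (name, offset after it)."""
    labels = []
    jumped = False
    end = off
    while True:
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2  # the pointer is the last thing on the wire for this name
            jumped = True
            off = ptr
            continue
        off += 1
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_a_records(msg):
    """Return [(owner_name, ipv4_text, ttl)] for every A record in a DNS response."""
    flags, qdcount, ancount = struct.unpack("!HHH", msg[2:8])
    if not flags & 0x8000:  # QR bit clear: this is a query, not a reply
        raise ValueError("not a DNS response")
    off = 12
    for _ in range(qdcount):  # skip the question section
        _, off = _read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            records.append((name, str(ipaddress.IPv4Address(rdata)), ttl))
    return records


def nft_commands(records, table="inet egress", set_name="dns_allowed"):
    """Turn answers into nft commands; each element expires with the record's TTL."""
    return [f"nft add element {table} {set_name} {{ {ip} timeout {ttl}s }}"
            for _, ip, ttl in records]


def build_response():
    """Constructed reply: example.com A 192.0.2.10 and 192.0.2.11 (RFC 5737 addresses), TTL 300."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answers = b""
    for ip in ("192.0.2.10", "192.0.2.11"):
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        answers += ipaddress.IPv4Address(ip).packed
    return header + question + answers


if __name__ == "__main__":
    for cmd in nft_commands(parse_a_records(build_response())):
        print(cmd)
```

On a real router the queued packets would arrive through an nfqueue binding rather than `build_response()`, and the parser would run against the UDP payload of each reply before re-injecting it; the rest of the flow (parse, add element with TTL) is what the snippet shows. Elements expiring with the TTL is what keeps the set from becoming a permanent allowlist of every address ever resolved.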
