Simple rule is not working
-
Rule on LAN interface to block host 192.168.1.205 from visiting web page 213.180.204.3
I have reset states and rebooted the router, but the host can still get on this site.
I tried to select only port 80 and different combinations of TCP/UDP, with no result.
Where is my mistake?
-
ROFL. www.yandex.ru sure like hell does NOT use a single IP. Won't work. Unless you can work out the entire ASN in use, you need some DNS override or proxy.
This is what I get here ATM:
Non-authoritative answer:
Name:      www.yandex.ru
Addresses: 2a02:6b8::3
           213.180.204.3
           213.180.193.3
           93.158.134.3
-
Sorry, I should have added this to my first message. I tested access to Yandex exactly by IP 213.180.204.3, not by URL. I need to block this IP.
-
Sigh. You CANNOT block Yandex by blocking a single IP.
-
I do not need to block Yandex. I need to block 1 IP address.
-
Sigh. Maybe post some real example of what does not work and logs showing how it does not work. Not going to waste more time with "examples" that plain cannot ever work due to reasons already explained repeatedly.
-
It sounds like the user on host 192.168.1.205 is browsing to www.yandex.ru, not browsing to 213.180.204.3. As already stated, the DNS lookup is resolving to something different than 213.180.204.3, so your rule doesn't work. That's why it was suggested to do some DNS proxy/override; that would force www.yandex.ru to resolve to a single IP, then you could write a rule for that.
At least that's what I believe doktornotor is trying to say (if I'm wrong, please correct me).
-
Yeah, exactly. Blocking the single IP is totally useless.
-
Yeah, exactly. Blocking the single IP is totally useless.
OK. I will ask another way.
There is a web site with some IP address. One user opens it via this IP address. Can I block this IP address to prevent the user from watching it, as in my example on the attached screens?
-
Clearly he doesn't get it.. Look at his last rule, dest 127.0.0.1. How these people have admin to firewalls in the first place is just beyond me..
Look, I get back 3 IPs when I query that, and the TTL is 300 seconds. So those could change every 5 minutes, etc.. As dok has been trying to tell you.. You can not just block that single IP. You need to block ALL the IPs that site might resolve to. And btw it sure is not going to be on UDP..
If you are actually testing to that 1 IP and it's still working then you have not cleared your states.. So create the rule, log said rule, and then test.. Clicky click blocked traffic..
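As an added illustration (not code from the thread or from pfSense), a small Python model of pf's state-then-rules evaluation, run against the three A records quoted above. The Firewall class, HOST and YANDEX_IPS are my own constructions; the rules mirror the ones discussed (a block on one address above a pass-any, and an alias holding every resolved address).

```python
# Added example: toy model of a stateful, first-match firewall (pfSense rules are "quick").
HOST = "192.168.1.205"
# A records www.yandex.ru resolved to in the thread, used here as a constructed alias table.
YANDEX_IPS = {"213.180.204.3", "213.180.193.3", "93.158.134.3"}


class Firewall:
    def __init__(self, rules, aliases=None):
        self.rules = rules            # list of (action, src, dst), evaluated top-down
        self.aliases = aliases or {}  # alias name -> set of addresses
        self.states = set()           # (src, dst) pairs with an open state

    def _match(self, value, pattern):
        return pattern == "any" or value in self.aliases.get(pattern, {pattern})

    def check(self, src, dst):
        """Decide one TCP/80 packet as pf does: state table first, then rules."""
        if (src, dst) in self.states:   # existing state passes, rules never consulted
            return "pass"
        for action, rsrc, rdst in self.rules:
            if self._match(src, rsrc) and self._match(dst, rdst):
                if action == "pass":
                    self.states.add((src, dst))
                return action
        return "block"                  # implicit default deny

    def reset_states(self):
        self.states.clear()


def reachable(fw):
    """Addresses of the site the host can still reach through fw."""
    return sorted(ip for ip in YANDEX_IPS if fw.check(HOST, ip) == "pass")


def single_ip_block():
    """The rule from the question: block only 213.180.204.3, pass everything else."""
    return reachable(Firewall([("block", HOST, "213.180.204.3"), ("pass", "any", "any")]))


def alias_block():
    """Block an alias that holds every address the name resolved to."""
    return reachable(Firewall([("block", HOST, "yandex"), ("pass", "any", "any")],
                              aliases={"yandex": YANDEX_IPS}))


def stale_state():
    """Block rule added while a connection is open: verdict before and after a state reset."""
    fw = Firewall([("pass", "any", "any")])
    fw.check(HOST, "213.180.204.3")             # user already browsing, state created
    fw.rules.insert(0, ("block", HOST, "213.180.204.3"))
    before = fw.check(HOST, "213.180.204.3")
    fw.reset_states()
    return before, fw.check(HOST, "213.180.204.3")
```

With the single-address rule two of the three addresses stay reachable, the alias rule blocks all three, and the late-added block only takes effect once the existing state is cleared.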
-
Well, that 127.0.0.1 NAT rule is a workaround for NUT idiocy.
-
What traffic would ever hit his lan interface with dest loopback?? That rule is not linked to a port forward, and the rule above it any any should allow any such traffic, etc.
-
What traffic would ever hit his lan interface with dest loopback??
It's a NATed rule on LAN. (LAN interface IP -> localhost).
-
That rule is not a NAT rule.. It's on the LAN interface.. it is not linked to a NAT, and the NAT, if in place, would be allowed by the any any rule he has..
The thread you linked to stated
"You can add a port forward for TCP port 3493 on the interface of your choice (lan, wan, etc) to localhost:3493 and regain remote access."
He is not showing his port forward page, he is showing his LAN interface.. The firewall rule is not linked and pointless because the any any rule would allow the NAT.
-
This debate is rather off-topic. Please, see the NAT prefix in the rule name. And yes, of course it is on the LAN interface. You don't share UPS over WAN on sane setups. This is the only way to use NUT as a remote networked UPS, due to retarded upstream. I am using the very same thing myself. Without NAT, you get no access to the UPS. The daemon binds to localhost ONLY.