Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Question about rules when redirecting DNS to firewall

    Scheduled Pinned Locked Moved Firewalling
    7 Posts 2 Posters 1.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      Trel
      last edited by

      I was looking at this: https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense

      It said "If DNS requests to other DNS servers are blocked, such as in the Blocking DNS queries to external resolvers example, ensure the rule to pass DNS to 127.0.0.1 is above any rule that blocks DNS. "

      My question is if my DNS block rule blocks DNS requests to destinations which are "NOT This Firewall", then that line would not apply, correct?

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        As long as DNS is passed by a subsequent rule that should work.

        I'm not a fan of the "Not" checkbox.  It makes more sense to me to pass what you want then block the rest.

        For instance I would pass TCP/UDP 53 to This firewall then block TCP/UDP 53 to any. It's just clearer to me when I'm looking at the rule set.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • T
          Trel
          last edited by

          @Derelict:

          As long as DNS is passed by a subsequent rule that should work.

          I'm not a fan of the "Not" checkbox.  It makes more sense to me to pass what you want then block the rest.

          For instance I would pass TCP/UDP 53 to This firewall then block TCP/UDP 53 to any. It's just clearer to me when I'm looking at the rule set.

          I'm confused specifically because it's mentioning adding a pass rule to 127.0.0.1 on the LAN interface.

          If DNS requests to other DNS servers are blocked, such as in the Blocking DNS queries to external resolvers example, ensure the rule to pass DNS to 127.0.0.1 is above any rule that blocks DNS.

          That's what I'm unsure about in this situation.

          I have no problem doing it the way you said with a pass to "This Firewall" followed by a global block, but would that work in the case of the NAT redirection to 127.0.0.1?

          I added an attachment, this is what I have.
          Is that allow to 127.0.0.1 required due to the NAT rule or does the allow to "This firewall" cover that case as well is what I'm asking.

          dns_redirect_rules.png
          dns_redirect_rules.png_thumb

          1 Reply Last reply Reply Quote 0
          • DerelictD
            Derelict LAYER 8 Netgate
            last edited by

            Pretty sure the self macro (aka This firewall) includes the addresses of loopback interfaces like 127.0.0.1 so that rule is redundant.

            self
                Expands to all addresses assigned to all interfaces.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            1 Reply Last reply Reply Quote 0
            • T
              Trel
              last edited by

              @Derelict:

              Pretty sure the self macro (aka This firewall) includes the addresses of loopback interfaces like 127.0.0.1 so that rule is redundant.

              self
                  Expands to all addresses assigned to all interfaces.

              So then if I had the rule specifically for the LAN IP (10.9.0.1) rather than "This Firewall" would the 127.0.0.1 still be needed in that case?  I'm just failing to see how that rule would ever trigger on the LAN interface, though I'm sure I'm probably misunderstanding something with how the NAT translation is handled.

              1 Reply Last reply Reply Quote 0
              • DerelictD
                Derelict LAYER 8 Netgate
                last edited by

                I don't know what you did with the NAT.

                If you port forward TCP/UDP 53 on LAN to 127.0.0.1 the NAT happens before the firewall rule so you have to pass traffic to it.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                1 Reply Last reply Reply Quote 0
                • T
                  Trel
                  last edited by

                  @Derelict:

                  I don't know what you did with the NAT.

                  If you port forward TCP/UDP 53 on LAN to 127.0.0.1 the NAT happens before the firewall rule so you have to pass traffic to it.

                  Ok that's the part I wasn't clear on.  That due to NAT the Firewall actually does see a packet "LAN -> 127.0.0.1" when it processes the firewall rules.

                  That being said, I'm going to keep my pass rule as "This Firewall",  it makes my life easier in the long run.

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.