Firewall destination address use host instead of IP

I have configured a firewall rule, but now suddenly the IP of a domain has changed.
The domain name is: m2.tuyaeu.com
and I have now added the additional IP.

But it took me a while to find the issue, and I would like to add the host name instead of the IP address here.
Is this possible?

You can populate an nftset from nslookups, or convince dnsmasq to do it.

> host m2.tuyaeu.com
m2.tuyaeu.com has address 3.65.95.68
m2.tuyaeu.com has address 18.192.43.219
m2.tuyaeu.com has address 3.64.85.28

The firewall works on IP addresses, it cannot resolve the domain name for each packet. You can configure it using the current IP address, but a domain name may resolve to multiple addresses, and those can change.

You can use an ipset and populate it from dnsmasq, but you must also hijack DNS requests... not trivial.

Please show me an example of how to do this; it will be useful in the future.

vi /etc/config/dhcp - and then where or what needs to be done?

I see the IP addresses have already changed since yesterday:

root@OpenWrt:/etc/avahi# nslookup m2.tuyaeu.com
Server:         127.0.0.1
Address:        127.0.0.1:53

Non-authoritative answer:
Name:   m2.tuyaeu.com
Address: 3.67.242.33
Name:   m2.tuyaeu.com
Address: 3.66.126.37
Name:   m2.tuyaeu.com
Address: 35.156.42.116

Non-authoritative answer:

So I would imagine: analyse this result and UCI those lines into the firewall:

uci del firewall.cfg1492bd.dest_ip
uci add_list firewall.cfg1492bd.dest_ip='18.184.31.90'
uci add_list firewall.cfg1492bd.dest_ip='35.156.44.172'
uci add_list firewall.cfg1492bd.dest_ip='3.120.92.134'
uci add_list firewall.cfg1492bd.dest_ip='18.192.43.219'
uci add_list firewall.cfg1492bd.dest_ip='52.58.249.45'
uci add_list firewall.cfg1492bd.dest_ip='18.185.31.196'
uci add_list firewall.cfg1492bd.dest_ip='3.124.225.12'
uci add_list firewall.cfg1492bd.dest_ip='35.156.42.116'

But if the IPs are changing on a daily basis, how often would I do this? Because probably I need a network restart as well.

Use ipset/nftset; this can be coupled with DNSMasq and will refresh it on the fly:
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/dns_ipset
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/dns_ipset#web_interface

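The dnsmasq-fed set from the linked wiki page, written out as a complete script. This is an added example, not code from the thread or from the OpenWrt project: the set name "tuya", the rule name "Limit-tuya", the lan/wan zone names and the ACCEPT target are assumptions (substitute the target and extra options of your own traffic-limiting rule), and only the domain m2.tuyaeu.com comes from the thread. Without arguments it only prints the UCI batch so it can be reviewed; with "apply" it commits the batch on the router and restarts dnsmasq and the firewall.

```sh
#!/bin/sh
# Added example (not from the thread): have dnsmasq fill a firewall set with
# the addresses a domain resolves to, so the rule follows the name instead of
# a fixed dest_ip list. Assumed names: set "tuya", rule "Limit-tuya", zones
# lan/wan, target ACCEPT. Requires dnsmasq-full (ipset/nftset support).

DOMAIN="m2.tuyaeu.com"   # from the thread
SETNAME="tuya"           # assumed set name

# Emit the UCI batch: a named set matched on dest_ip, a rule that references
# the set instead of dest_ip, and the dnsmasq entry that populates the set
# on every answer for the domain (fw4 maps 'ipset' to an nftset itself).
gen_uci_batch() {
    cat <<EOF
add firewall ipset
set firewall.@ipset[-1].name='${SETNAME}'
set firewall.@ipset[-1].family='ipv4'
add_list firewall.@ipset[-1].match='dest_ip'
add firewall rule
set firewall.@rule[-1].name='Limit-${SETNAME}'
set firewall.@rule[-1].src='lan'
set firewall.@rule[-1].dest='wan'
set firewall.@rule[-1].ipset='${SETNAME}'
set firewall.@rule[-1].target='ACCEPT'
add_list dhcp.@dnsmasq[0].ipset='/${DOMAIN}/${SETNAME}'
commit firewall
commit dhcp
EOF
}

# Number of config sections the batch creates (set + rule); lets a caller
# sanity-check the batch before feeding it to uci.
count_sections() {
    gen_uci_batch | grep -c '^add firewall '
}

# Apply on the router; fall back to printing the batch where uci is absent
# (for example when reviewing the script on a workstation).
apply_batch() {
    if command -v uci >/dev/null 2>&1; then
        gen_uci_batch | uci batch
        /etc/init.d/dnsmasq restart
        /etc/init.d/firewall restart
    else
        echo "uci not found: dry run only" >&2
        gen_uci_batch
    fi
}

# Show what the set currently holds (fw4 keeps it in table inet fw4). It is
# empty until a client behind the router has resolved the name through dnsmasq.
show_set() {
    nft list set inet fw4 "${SETNAME}"
}

# Usage: sh dns_ipset.sh         -> print the batch (dry run)
#        sh dns_ipset.sh apply   -> apply on the router
#        sh dns_ipset.sh show    -> list the addresses learned so far
case "${1:-}" in
    apply) apply_batch ;;
    show)  show_set ;;
    *)     gen_uci_batch ;;
esac
```

Two checks worth doing after applying: `opkg list-installed | grep dnsmasq` must show dnsmasq-full, because the stock dnsmasq build ignores the ipset option silently; and `sh dns_ipset.sh show` should start listing addresses once a LAN client has looked the name up. The set only learns from answers that pass through this dnsmasq, which is the point made earlier in the thread: a client that uses its own resolver or DNS over HTTPS never populates it, and the rule then does not apply to that client's traffic.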

You can use banIP for that as well; just add the given domain to the block- or allowlist. See the readme for details.


I already have a DNS block in place, but this one limits the amount of traffic.
For now I use the DNS block, and for the network traffic limit I removed the destination IP.