Firewall rules based on FQDN

Hi,

I've configured the firewall to block everything and will add specific rules to allow certain scenarios e.g. get mail via pop3 from GMX. Therefore, I'd use -d pop.gmx.net with iptables and this would create two additional rules since at this time the name resolution returns two A records:

nslookup pop.gmx.net
Server:		127.0.0.1
Address:	127.0.0.1:53

Non-authoritative answer:
Name:	pop.gmx.net
Address: 212.227.17.169
Name:	pop.gmx.net
Address: 212.227.17.185

Of course, as I don't know when they will change their setup, it's not the best option to add these IP addresses as destinations. How could OpenWRT handle FQDNs and dynamically update firewall rules accordingly?

I saw this thread recommending ipset without dynamic updates. And this thread which looks promising but I was wondering if there is a more comfortable way?

TIA
Roland

Think about this: when and how should the firewall update its rules to reflect changes in the name resolution? With a DNS query, on each packet? Daily? ...? No, the firewall will not update the rules once they have been configured.

Your options are to use an ipset and populate it from local DNS queries, or use your own script to do it at regular intervals.
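The ipset-plus-script option mentioned in this reply, as an added example that is not from the thread or from the OpenWrt project: it resolves the FQDN with busybox nslookup, parses the A records (the resolver's own "Address: 127.0.0.1:53" line is skipped), and replaces the set's contents atomically with ipset swap so an iptables rule matching the set never sees it empty. The set name allow_pop and the use of logger are assumptions; a failed lookup keeps the previous addresses instead of flushing them.

```sh
#!/bin/sh
# Added example, not from the thread: keep an ipset in sync with the A records of an
# FQDN, so that a single iptables rule such as
#   iptables -A FORWARD -p tcp --dport 995 -m set --match-set allow_pop dst -j ACCEPT
# follows pop.gmx.net when GMX changes its addresses. Assumes busybox nslookup, ipset
# and logger on the router; the set name "allow_pop" is a placeholder of our choosing.

# Print the IPv4 answers from nslookup output, one per line. The resolver's own
# "Address: 127.0.0.1:53" line carries a port, so anything containing ':' (that line
# and any AAAA answers) is dropped; what remains must look like a dotted quad.
parse_a_records() {
    awk '/^Address:/ && $2 !~ /:/ && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $2 }'
}

resolve_a() {   # resolve_a FQDN -> sorted, de-duplicated IPv4 list on stdout
    nslookup "$1" 2>/dev/null | parse_a_records | sort -u
}

refresh_set() { # refresh_set SETNAME FQDN -> replaces the set's contents atomically
    set_name=$1 fqdn=$2
    addrs=$(resolve_a "$fqdn")
    # A failed lookup must not empty the set: a stale allow list is safer than
    # silently cutting off (or, with other rule layouts, opening up) the traffic.
    if [ -z "$addrs" ]; then
        logger -t fqdnset "lookup of $fqdn returned nothing, keeping current $set_name"
        return 1
    fi
    ipset create "$set_name" hash:ip -exist
    ipset create "${set_name}_tmp" hash:ip -exist
    ipset flush "${set_name}_tmp"
    for ip in $addrs; do ipset add "${set_name}_tmp" "$ip" -exist; done
    ipset swap "${set_name}_tmp" "$set_name"   # rules never observe a half-filled set
    ipset destroy "${set_name}_tmp"
    logger -t fqdnset "$set_name <- $fqdn: $(echo "$addrs" | tr '\n' ' ')"
}

# Constructed sample: the nslookup output quoted in the question, embedded so the
# parser can be exercised offline. On the router, run: refresh_set allow_pop pop.gmx.net
SAMPLE_NSLOOKUP='Server:         127.0.0.1
Address:        127.0.0.1:53

Non-authoritative answer:
Name:   pop.gmx.net
Address: 212.227.17.169
Name:   pop.gmx.net
Address: 212.227.17.185'

parse_sample() { printf '%s\n' "$SAMPLE_NSLOOKUP" | parse_a_records | sort -u; }

if [ "$#" -eq 2 ]; then refresh_set "$1" "$2"; else parse_sample; fi
```

Run it from a cron entry (for example every 15 minutes) with the set name and FQDN as arguments; without arguments it only parses the embedded sample.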

Just to clarify and make sure I am reading this in the correct context, is your intention to have a domain-based whitelist-only type scenario?

Freetz did it once a day by executing the script onlinechanged which flushed all rules and created them again. No idea how the Lancom router did it.

Whitelist-only, yes. For internal rules ip addresses are fine since I know when I do changes. External I'd prefer to use FQDNs.

In that case, I would suggest for your consideration a ready-made solution of utilizing the BanIP app. It offers:

  1. A whitelist-only option
  2. Has an inherent ability to look up FQDNs to get multiple IPs [ IPv4 & IPv6 ] ( useful for those domains with multiple IP / CDN hosting )
  3. Automatically applies both inbound / outbound firewall rules for IPs of blocked domains.
  4. Will re-query / refresh IP lookups on FQDNs on a periodic basis ( which you can further control by secondary scripted processes ). You can also queue a manual refresh of address query via the LuCI interface at any time.
  5. Also allows for other whitelisting or blocklisting criteria.
     All allows or blocklists will automatically apply to firewall rules without setting manual ones.

Below is a small sample of how the allow list would work. The top portion would be the FQDNs you populate in the whitelist; the bottom portion would be the result of what is systematically populated during initial automated, or manual, refreshes of address lookups. ( Both IPv4 and IPv6 addresses will apply based on your configuration. The example below is IPv4 only. )

openwrt.org
forum.openwrt.org
quora.com

---- BELOW IS A SAMPLE OF WHAT IS SYSTEMATICALLY POPULATED BY FQDN LOOKUP -----
64.226.122.113                            # 'openwrt.org' added on 2024-02-26 05:22:32
139.59.210.197                            # 'forum.openwrt.org' added on 2024-02-26 05:22:32
52.203.187.31                             # 'quora.com' added on 2024-02-26 05:22:33
52.205.196.112                            # 'quora.com' added on 2024-02-26 05:22:33
52.203.242.60                             # 'quora.com' added on 2024-02-26 05:22:33
52.2.165.64                               # 'quora.com' added on 2024-02-26 05:22:33
52.203.132.113                            # 'quora.com' added on 2024-02-26 05:22:33
52.205.132.38                             # 'quora.com' added on 2024-02-26 05:22:33
52.203.213.178                            # 'quora.com' added on 2024-02-26 05:22:33
52.20.31.155                              # 'quora.com' added on 2024-02-26 05:22:33

There are many more options and possibilities with the app. For additional information, see the application support page.
https://github.com/openwrt/packages/blob/master/net/banip/files/README.md


Looks pretty interesting (but also like cracking nuts with a sledgehammer), will take a look at it. Thanks!
