Hosts.deny on OpenWrt

Does hosts.deny work on openwrt? I searched but could not find anything other than mostly iptables references.

What exactly are you trying to achieve?

To use hosts.deny like one would on any other Linux box.
However, in this case, to block host names from being reached from the openwrt device.

Google says it is deprecated.
You should use the firewall service, whose configuration is translated into an iptables/nftables ruleset.

1 Like

Unless I am mistaken, that is not how hosts.deny was supposed to work... if I recall correctly, that file contained a list of machines that were blocked from reaching services (those that honored the file) on the device, not the other way around.

3 Likes

The router isn't being used as a firewall or router, so it doesn't have iptables or a firewall installed.
And yes, you're right about hosts.deny blocking incoming so I guess I have to find another way. I thought maybe that file worked both ways.

1 Like

TCP wrappers is long dead (and eduperez is correct, it is for access to services on the host).

1 Like

Yes, I know it's incoming only. I'd not used hosts.deny in such a long time that I thought it was two way. Anyone know how to block outgoing to certain domains without using iptables? Just something creative.

Use nftables

:wink:

That's what firewalls are for. Then again, it's nearly impossible to block by host name, as a given resource is now often somewhere on a CDN, and IP addresses are shared among multiple DNS names.

1 Like

Can you block those sites on the DNS?

1 Like

https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#dns_filtering

The way I've done it is to just re-route the domains I want blocked to 127.0.0.1, but I figure there's got to be a better way. Since I'm not running iptables or a firewall, I need a somewhat unusual way of doing this; otherwise, it would be simple.
Also, I need to block and unblock, so using DNS won't work either.

Maybe I'm missing something.

You want to inspect every packet that goes through the device and make a decision as to if you want to pass it or drop it.

No matter what you want to call it, that's a firewall.

Why are you so averse to using tools that are purpose-designed for that?

Yes, you can do it with routing tables, but blackhole them, don't reroute to 127.0.0.1.

https://wiki.nftables.org/wiki-nftables/index.php/Sets#Named_sets

% nft add table ip filter
% nft add chain ip filter input '{ type filter hook input priority 0; }'
% nft add set ip filter blackhole '{ type ipv4_addr; }'
% nft add element ip filter blackhole '{ 192.168.1.4, 192.168.1.5 }'
% nft add rule ip filter input ip saddr @blackhole drop

(Though in your case, it is the daddr you're looking for, as well as forward and output, I believe)

1 Like
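The post above shows a named set matched on the source address in the input chain, and notes that for blocking destinations from the device the match would be on daddr in the output and forward chains instead. The script below is an added example (not code from the thread or from the OpenWrt project) that writes that ruleset out in the form `nft -f` consumes, and emits block/unblock commands for the set so addresses can be added and removed at runtime without reloading the whole ruleset. The table name `blackhole`, chain names `out`/`fwd` and set name `blocked` are my own choices; the script only prints text and never calls `nft` itself, so it runs anywhere, and the addresses in the usage notes are constructed documentation-range examples.

```shell
#!/bin/sh
# Added example, not from the thread: generate an nftables ruleset that drops
# packets *to* any address in a named set, on both the output hook (traffic
# from the device itself) and the forward hook (traffic routed through it).
# Table/chain/set names are assumptions chosen for this example.
# Usage on the device (assumed, not run here):
#   sh blackhole.sh ruleset | nft -f -
#   sh blackhole.sh block 198.51.100.7 | sh
#   sh blackhole.sh unblock 198.51.100.7 | sh

SET_TABLE="blackhole"
SET_NAME="blocked"

# Print the complete ruleset.  Policy stays accept so only set members are
# affected; 'counter' lets `nft list set` / `nft list ruleset` show hits.
gen_ruleset() {
    cat <<EOF
table ip ${SET_TABLE} {
    set ${SET_NAME} {
        type ipv4_addr
    }
    chain out {
        type filter hook output priority 0; policy accept;
        ip daddr @${SET_NAME} counter drop
    }
    chain fwd {
        type filter hook forward priority 0; policy accept;
        ip daddr @${SET_NAME} counter drop
    }
}
EOF
}

# Strict dotted-quad check, so that whatever string reaches block_cmd /
# unblock_cmd cannot smuggle extra shell or nft syntax into the command.
is_ipv4() {
    _old_ifs=$IFS
    set -f                      # no globbing while the address is split on dots
    IFS=.
    set -- $1
    IFS=$_old_ifs
    set +f
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        case $_octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Emit the command that adds one address to the set (run it with `| sh`).
block_cmd() {
    is_ipv4 "$1" || { echo "block_cmd: not an IPv4 address: $1" >&2; return 1; }
    printf "nft add element ip %s %s '{ %s }'\n" "$SET_TABLE" "$SET_NAME" "$1"
}

# Emit the command that removes one address from the set.
unblock_cmd() {
    is_ipv4 "$1" || { echo "unblock_cmd: not an IPv4 address: $1" >&2; return 1; }
    printf "nft delete element ip %s %s '{ %s }'\n" "$SET_TABLE" "$SET_NAME" "$1"
}

# Simple command-line dispatch; with no arguments the script defines the
# functions and does nothing.
case "${1:-}" in
    ruleset) gen_ruleset ;;
    block)   block_cmd "$2" ;;
    unblock) unblock_cmd "$2" ;;
esac
```

Because the rules reference the set by name, adding or deleting elements takes effect immediately and does not disturb the rules or their counters; that is what makes the set approach fit a block-then-unblock workflow better than rewriting routes. The address check matters because the block/unblock strings are meant to be piped into a shell: only a plain dotted quad is ever interpolated into the command.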

Not averse to anything, just have certain requirements at times that don't allow traditional tools; otherwise I use them.

I already know all of the usual ways; I'm looking for a non-traditional way to block outgoing.
Sometimes posting in forums is the wrong thing to do since most cannot think outside the box.

Since you seem unable to adequately describe any of those reasons, then have fun running your interfaces in promiscuous mode and running a user-space program to inspect and forward all your packets. Or build your own hooks into the netfilter framework. Or...

Plenty of ways, but you provide no rational explanation to select among them.

Without any explanation for why the standard firewall tools won't work for you, quite frankly, it's a waste of time to respond to an unexplained desire to do things in a bizarre way.

Just unplug your Internet. Done and done.

For that matter, with how poorly you've described your use case and restrictions, the easy solution is don't use those sites that you don't want to connect to.

3 Likes

Why are you so negative all the time Jeff? You always end up acting this way. I asked a simple question and explained why I needed to get creative. If you don't have any answers, you could simply leave the question to others and not bother throwing your negative two cents in.

Note that your lead post failed to indicate that you wanted to use hosts.deny backwards.

Does not explain anything.

Fails to explain why (especially since you likely have it installed)

Expecting meaningful answers requires asking meaningful questions.

3 Likes

Dude, just go away, you're so freaking negative. Every time you reply to my posts you turn into a jerk. I'd rather communicate with others who aren't so high and mighty.

You can perform the filtering with:

  • Firewall
  • DNS
  • Routing

Is it still not enough?

I know those things and as I said, not using anything like that. It's fine, even I found a way which doesn't involve any of those things as I explained earlier.

The consensus here however is those tools. Ok, thanks for the input. The question is answered.