How to create Firewall Traffic Rules restricting source address to fqdns domain name, not ip address numbers in quad-dotted notation?

I am searching for how to create Traffic Rules restricting the source address to an FQDN (domain name), not IP address numbers in quad-dotted notation.

I found and read information on the ipset and resolveip packages; however, I do not see any method for configuring, in the LuCI web GUI, a restriction of source addresses in Firewall Traffic Rules to FQDNs without specifying a numbered ip.ip.ip.ip.

Is this possible in OpenWrt?

Thanks

Just a thought on why this is not trivial: Packets do not have a source/destination FQDNS, they have a source/destination IP address. So, when should the FQDNS be resolved to an IP address? When the rule is created? Each time a packet reaches the firewall?


What's the use case here?
As someone mentioned, when should we resolve the domain? And the most important thing: what is considered to be a trustworthy source? If your DNS is pointing to one with out-of-date information, then your firewall rule will be acting upon the wrong connection stream. And also, what if the DNS lookup fails? Then your firewall is simply stuck because it can't look up the name.

The ipset option is not exposed in LuCI, but it is a rather straightforward procedure, as explained in the wiki.

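The ipset-based approach mentioned above, written out as an added example rather than anything from the thread or the wiki. It assumes a firewall4 (fw4) router, a set name `trusted_src` and a domain `admin.example.com`, both placeholders, and it answers the "when is the name resolved?" question from the earlier replies: dnsmasq adds an address to the set each time it answers a query for that name, and the firewall then matches every packet against the set contents, not against the name.

```uci
# /etc/config/dnsmasq (fragment): every answer dnsmasq gives for
# admin.example.com (placeholder) is copied into the nftables set
# "trusted_src" (placeholder) inside fw4's "inet fw4" table.
config dnsmasq
	list nftset '/admin.example.com/4#inet#fw4#trusted_src'

# /etc/config/firewall (fragment): declare the set so fw4 creates it,
# and say that rules referencing it should compare the packet's
# source address against the entries.
config ipset
	option name 'trusted_src'
	option family 'ipv4'
	option match 'src_ip'
	# Entries age out after one hour, so an address that the DNS no
	# longer returns does not stay trusted forever (the stale-DNS
	# concern raised above); a fresh lookup re-adds it.
	option timeout '3600'

# Rule: accept SSH from WAN only if the source address is currently
# in the set. Any packet whose source was never resolved into the
# set is not matched and falls through to the zone's default policy.
config rule
	option name 'Allow-SSH-from-trusted-fqdn'
	option src 'wan'
	option proto 'tcp'
	option dest_port '22'
	option ipset 'trusted_src'
	option target 'ACCEPT'
```

Caveat: the set is only populated by lookups that go through this router's dnsmasq, so for inbound source matching something on the LAN (or a cron job doing a lookup) has to resolve the name regularly, and an empty set simply means no packets match, which is the "lookup failed" case from the replies above.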