I'm sure I'm being a peanut, but I can't for-the-life-of-me figure out why the following rule isn't working as expected; I can still ping 8.8.8.8.
Perhaps it's the order of the rules? Or a conflicting rule?
config rule
option dest 'wan'
option src 'lan'
option target 'REJECT'
option name 'Block external DNS WAN zone'
list dest_ip '8.8.8.8'
list dest_ip '8.8.4.4'
config rule
option dest 'wan_vpn'
option src 'lan'
option target 'REJECT'
option name 'Block external DNS WAN VPN zone'
list dest_ip '8.8.8.8'
list dest_ip '8.8.4.4'
Here's my full firewall config:
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src '*'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src '*'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option dest_port '546-547'
option src 'guest'
option name 'DHCPv6 Guest'
option family 'ipv6'
option target 'ACCEPT'
list proto 'udp'
config rule
option dest_port '546-547'
option src 'family'
option name 'DHCPv6 Family'
option family 'ipv6'
option target 'ACCEPT'
list proto 'udp'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option target 'ACCEPT'
option src 'wan'
option proto 'udp'
option dest_port '52000'
option name 'Allow-Wireguard-Inbound'
config rule
option target 'ACCEPT'
option src 'wan'
option name 'Allow-Plex-Inbound'
option proto 'tcp'
option dest_port '2096'
config rule
option target 'ACCEPT'
option proto 'udp'
option dest_port '67-68'
option name 'guest_dhcp'
option src 'guest'
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
option name 'guest_dns'
option src 'guest'
config rule
option src 'guest'
option name 'Disable Modem Access Guest'
option dest 'wan'
option dest_ip '192.168.2.1'
option target 'DROP'
config rule
option target 'ACCEPT'
option proto 'udp'
option dest_port '67-68'
option name 'family_dhcp'
option src 'family'
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
option name 'family_dns'
option src 'family'
config rule
option name 'Disable Modem Access Family'
option src 'family'
option dest 'wan'
option dest_ip '192.168.2.1'
option target 'DROP'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan streaming wgserver'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'modem wan wan6'
config zone
option name 'wan_vpn'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'mullvad'
option masq6 '1'
option masq6_privacy '1'
config include
option path '/etc/firewall.user'
config defaults
option input 'REJECT'
option output 'REJECT'
option forward 'REJECT'
config redirect 'intercept_dns'
option src 'lan'
option proto 'tcp udp'
option src_dport '53'
option dest_port '53'
option target 'DNAT'
option dest_ip '192.168.10.1'
option name 'Intercept-DNS'
config zone
option name 'guest'
option network 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config forwarding
option dest 'wan'
option src 'guest'
config redirect
option target 'DNAT'
option src 'guest'
option proto 'tcp udp'
option src_dport '53'
option dest_ip '10.0.0.1'
option dest_port '53'
option name 'Intercept-DNS-Guest'
config zone
option name 'family'
option input 'REJECT'
option forward 'REJECT'
option network 'family'
option output 'ACCEPT'
config forwarding
option dest 'wan'
option src 'family'
config redirect
option target 'DNAT'
option src 'family'
option proto 'tcp udp'
option src_dport '53'
option dest_port '53'
option dest_ip '192.168.30.1'
option name 'Intercept-DNS-Family'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option dest_ip '192.168.20.239'
option dest_port '32400'
option name 'plex'
option proto 'tcp'
option src_dport '2096'
config forwarding
option dest 'wan_vpn'
option src 'lan'
config forwarding
option dest 'wan_vpn'
option src 'family'
config include 'nat6'
option path '/etc/firewall.nat6'
option reload '1'
config forwarding
option dest 'wan'
option src 'lan'
config rule
option dest 'wan'
option src 'lan'
option target 'REJECT'
option name 'Block external DNS WAN zone'
list dest_ip '8.8.8.8'
list dest_ip '8.8.4.4'
config rule
option dest 'wan_vpn'
option src 'lan'
option target 'REJECT'
option name 'Block external DNS WAN VPN zone'
list dest_ip '8.8.8.8'
list dest_ip '8.8.4.4'
Thanks. Same as mine, except I have multiple dest_ip entries:
config rule
option dest 'wan'
option src 'lan'
option target 'REJECT'
option name 'Block external DNS WAN zone'
list dest_ip '8.8.8.8'
list dest_ip '8.8.4.4'
list dest_ip '2001:4860:4860::8888'
list dest_ip '2001:4860:4860::8844'
config rule
option dest 'wan_vpn'
option src 'lan'
option target 'REJECT'
option name 'Block external DNS WAN VPN zone'
list dest_ip '8.8.8.8'
list dest_ip '8.8.4.4'
list dest_ip '2001:4860:4860::8888'
list dest_ip '2001:4860:4860::8844'
I'll try placing the IPv6 addresses into their own stanza and see if that helps. Currently, I can't ping the IPv4 addresses, but I can the IPv6.
@lleachii I've got the DNS intercept rules set, but on one handset, the second DNS entry is hard-coded to 8.8.8.8 and seems to 'prefer' that under circumstances which I haven't fully determined (seems to be around toggling Android's Private DNS option). Odd.
Your rules are missing proto=all again, and the default is tcpudp which does not include icmp.
But actually, I see no point in blocking icmp.
To minimize the rule set, you can also specify dest=*.
However, if you have configured DNS hijacking, there's not much meaning in using REJECT, unless you want to block DoT and DoH.
config rule
option dest '*'
option src '*'
option target 'REJECT'
option name 'Block external DNS'
option proto 'all'
list dest_ip '8.8.8.8'
list dest_ip '8.8.4.4'
list dest_ip '2001:4860:4860::8888'
list dest_ip '2001:4860:4860::8844'
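To check a firewall config for the problem described in the reply above (a REJECT/DROP rule with dest_ip that omits proto 'all', so the default tcp+udp match never catches ICMP ping), here is an added Python lint. It is not from the thread or from OpenWrt; the sample config is constructed from the rules posted above, and parse_uci/lint_block_rules are hypothetical helper names.

```python
"""Lint OpenWrt UCI firewall text: flag REJECT/DROP rules that list
dest_ip addresses but leave proto at its default (tcp+udp), which
does not match ICMP, so ping to the listed addresses still works."""
import ipaddress

# Constructed sample: first rule as originally posted (no proto),
# second rule as corrected in the reply above (proto 'all').
SAMPLE = """\
config rule
option dest 'wan'
option src 'lan'
option target 'REJECT'
option name 'Block external DNS WAN zone'
list dest_ip '8.8.8.8'
list dest_ip '2001:4860:4860::8888'
config rule
option dest '*'
option src '*'
option target 'REJECT'
option name 'Block external DNS'
option proto 'all'
list dest_ip '8.8.8.8'
list dest_ip '2001:4860:4860::8888'
"""

def parse_uci(text):
    """Return [(section_type, {key: [values]})]; 'list' keys accumulate."""
    sections = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 2)
        if not parts:
            continue
        if parts[0] == "config":
            sections.append((parts[1], {}))
        elif parts[0] in ("option", "list") and sections and len(parts) == 3:
            sections[-1][1].setdefault(parts[1], []).append(parts[2].strip("'\""))
    return sections

def lint_block_rules(text):
    """Return [(rule name, families covered, finding)] for dest_ip block rules."""
    findings = []
    for stype, opts in parse_uci(text):
        if stype != "rule" or opts.get("target", [""])[0] not in ("REJECT", "DROP"):
            continue
        ips = opts.get("dest_ip", [])
        if not ips:
            continue
        name = opts.get("name", ["<unnamed>"])[0]
        families = sorted({ipaddress.ip_network(ip, strict=False).version for ip in ips})
        proto = opts.get("proto", ["tcp udp"])[0].split()  # fw3 default is tcp+udp
        if "all" not in proto and "icmp" not in proto:
            findings.append((name, families, "proto defaults to tcp+udp; ICMP ping not blocked"))
    return findings
```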
...still the same. ping to either of the IPv4 addresses fails; ping6 to the IPv6 addresses succeeds. I even tried restricting proto to icmp-ipv6 (from /etc/protocols) and still no luck.
agree; but it's the 'path of least resistance' when it comes to testing the rule. And, perhaps, given the results, I've stumbled across a bug? I'd be interested to know if anybody else has problems blocking the IPv6 addresses using this firewall rule.