[SOLVED] 8.8.8.8 and 8.8.4.4 not being blocked despite firewall rule

Good morning,

I'm sure I'm being a peanut, but I can't for the life of me figure out why the following rule isn't working as expected; I can still ping 8.8.8.8.

Perhaps it's the order of the rules? Or a conflicting rule?

# Rule as first posted: there is no 'proto' option. As noted later in the
# thread, the default is tcp+udp, so ICMP is never matched and 8.8.8.8 stays
# pingable; the change that made it work was adding "option proto 'all'".
config rule                                      
        option dest 'wan'                        
        option src 'lan'                         
        option target 'REJECT'                   
        option name 'Block external DNS WAN zone'
        list dest_ip '8.8.8.8'                   
        list dest_ip '8.8.4.4'                   
                                                 
# Same rule again for the VPN uplink zone: a rule names a single dest zone,
# hence the duplicate (later in the thread dest '*' collapses the two).
config rule                                      
        option dest 'wan_vpn'                    
        option src 'lan'                         
        option target 'REJECT'                   
        option name 'Block external DNS WAN VPN zone'
        list dest_ip '8.8.8.8'                   
        list dest_ip '8.8.4.4'
Here's my full firewall config:
# Inbound to the router from the WAN: DHCP client renewals (udp/68), IPv4 only.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# The router answers IPv4 echo-request from the WAN.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

# IGMP from the WAN, IPv4 only.
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# DHCPv6 client traffic (udp/546) from the WAN, restricted to fc00::/6 on
# both ends.
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# MLD from link-local sources. src '*' places this in the top-level INPUT
# chain ahead of the per-zone chains (compare the ip6tables-save output
# further down the thread).
config rule
	option name 'Allow-MLD'
	option src '*'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 addressed to the router itself, from any zone (src '*'), rate-limited.
config rule
	option name 'Allow-ICMPv6-Input'
	option src '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 forwarded through the router. Both src and dest are '*', so this
# becomes a plain FORWARD rule evaluated before the per-zone chains, and the
# list includes echo-request/echo-reply: any IPv6 ping through the router is
# accepted here unless a rejecting rule is ordered before it. This is what
# kept ping6 to Google's resolvers working later in the thread; the stock
# rule is reportedly limited to src 'wan' (see the replies below).
config rule
	option name 'Allow-ICMPv6-Forward'
	option src '*'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# DHCPv6 (udp/546-547) from the guest zone to the router.
config rule
	option dest_port '546-547'
	option src 'guest'
	option name 'DHCPv6 Guest'
	option family 'ipv6'
	option target 'ACCEPT'
	list proto 'udp'

# DHCPv6 (udp/546-547) from the family zone to the router.
config rule
	option dest_port '546-547'
	option src 'family'
	option name 'DHCPv6 Family'
	option family 'ipv6'
	option target 'ACCEPT'
	list proto 'udp'

# IPsec from the WAN forwarded *into the lan zone* (dest 'lan'), not to the
# router: ESP first, then IKE on udp/500.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# WireGuard listener on the router (udp/52000), reachable from the WAN.
config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '52000'
	option name 'Allow-Wireguard-Inbound'

# tcp/2096 from the WAN; the 'plex' redirect further down DNATs it to
# 192.168.20.239:32400, so this is an Internet-exposed service.
config rule
	option target 'ACCEPT'
	option src 'wan'
	option name 'Allow-Plex-Inbound'
	option proto 'tcp'
	option dest_port '2096'

# Guest clients may use the router's DHCP and DNS, nothing else on the router.
config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'guest_dhcp'
	option src 'guest'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'guest_dns'
	option src 'guest'

# Guest may not reach the modem's management address through wan; DROP
# (silent) rather than REJECT.
config rule
	option src 'guest'
	option name 'Disable Modem Access Guest'
	option dest 'wan'
	option dest_ip '192.168.2.1'
	option target 'DROP'

# Family zone: same DHCP/DNS allowances and modem block as guest.
config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'family_dhcp'
	option src 'family'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'family_dns'
	option src 'family'

config rule
	option name 'Disable Modem Access Family'
	option src 'family'
	option dest 'wan'
	option dest_ip '192.168.2.1'
	option target 'DROP'

# Trusted zone: everything accepted, covering the lan, streaming and
# wgserver networks.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan streaming wgserver'

# Untrusted uplink: nothing in or through by default; NAT and MSS clamping on.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'modem wan wan6'

# Second uplink over the 'mullvad' interface: same policy as wan, plus IPv6
# masquerading (masq6) -- the only IPv6 NAT in the ip6tables output below.
config zone
	option name 'wan_vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'mullvad'
	option masq6 '1'
	option masq6_privacy '1'

# Hook for hand-written rules outside UCI.
config include
	option path '/etc/firewall.user'

# Default policy for traffic not matched by any zone: reject everything.
config defaults
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'

# DNS hijack for lan: tcp/udp 53 is DNAT'ed to the router at 192.168.10.1.
# Only plain port-53 DNS is caught; DoT/DoH are not, which is the remaining
# reason for the explicit REJECT rules at the bottom (see vgaetera's reply).
config redirect 'intercept_dns'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option dest_ip '192.168.10.1'
	option name 'Intercept-DNS'

# Guest zone: may forward to wan only; its DNS is hijacked to 10.0.0.1.
config zone
	option name 'guest'
	option network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option dest 'wan'
	option src 'guest'

config redirect
	option target 'DNAT'
	option src 'guest'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_ip '10.0.0.1'
	option dest_port '53'
	option name 'Intercept-DNS-Guest'

# Family zone: may forward to wan (and, below, wan_vpn); DNS hijacked to
# 192.168.30.1.
config zone
	option name 'family'
	option input 'REJECT'
	option forward 'REJECT'
	option network 'family'
	option output 'ACCEPT'

config forwarding
	option dest 'wan'
	option src 'family'

config redirect
	option target 'DNAT'
	option src 'family'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option dest_ip '192.168.30.1'
	option name 'Intercept-DNS-Family'

# Port forward paired with 'Allow-Plex-Inbound': WAN tcp/2096 -> 192.168.20.239:32400.
config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option dest_ip '192.168.20.239'
	option dest_port '32400'
	option name 'plex'
	option proto 'tcp'
	option src_dport '2096'

# lan and family may also forward into the VPN uplink. Note the order: the
# lan -> wan_vpn forwarding is listed before lan -> wan.
config forwarding
	option dest 'wan_vpn'
	option src 'lan'

config forwarding
	option dest 'wan_vpn'
	option src 'family'

config include 'nat6'
	option path '/etc/firewall.nat6'
	option reload '1'

config forwarding
	option dest 'wan'
	option src 'lan'

# The two rules under discussion. No 'proto' is set, so they match only
# tcp+udp (the default, per the thread) and ICMP ping passes. They are also
# the last rules in the file, and fw3 appears to emit rules in file order
# (compare the ip6tables-save output below), so anything accepted earlier --
# e.g. Allow-ICMPv6-Forward -- wins over them.
config rule
	option dest 'wan'
	option src 'lan'
	option target 'REJECT'
	option name 'Block external DNS WAN zone'
	list dest_ip '8.8.8.8'
    	list dest_ip '8.8.4.4'

config rule
	option dest 'wan_vpn'
	option src 'lan'
	option target 'REJECT'
	option name 'Block external DNS WAN VPN zone'
	list dest_ip '8.8.8.8'
    	list dest_ip '8.8.4.4'

ah got it working. Added:

option proto 'all'

If you're trying to block Google's DNS servers you might as well add their IPv6 addresses too:

2001:4860:4860::8888
2001:4860:4860::8844

Good idea; have done. Anything to stop Android forcing DNS servers on me. Interestingly, ping6 to those IPs still works.

Odd...did you block forward and output?

https://openwrt.org/docs/guide-user/services/dns/intercept


I used this tutorial to get it working; it uses LuCI:
https://support.vpnsecure.me/articles/tips-tricks/block-google-dns-open-wrt

Here is my firewall config

# Another user's working rule: one IPv6 address, src 'lan' -> dest 'wan',
# and proto 'all' so ICMP is covered. Only 2001:4860:4860::8888 is listed
# here; the second resolver (::8844) would need its own entry or a list.
config rule
        option src 'lan'
        option name 'dnsIPv6-8'
        option dest 'wan'
        option dest_ip '2001:4860:4860::8888'
        option target 'REJECT'
        option proto 'all'

Thanks. Same as mine, except I have multiple dest_ip entries:

# Same rules with the IPv6 resolvers added as further dest_ip list entries.
# 'proto all' is still missing here, which the next reply points out: the
# tcp+udp default means ICMP/ICMPv6 echo is not matched by these rules.
config rule                                      
        option dest 'wan'                        
        option src 'lan'                         
        option target 'REJECT'                   
        option name 'Block external DNS WAN zone'
        list dest_ip '8.8.8.8'                   
        list dest_ip '8.8.4.4'           
        list dest_ip '2001:4860:4860::8888'                   
        list dest_ip '2001:4860:4860::8844'      
                                                 
config rule                                      
        option dest 'wan_vpn'                    
        option src 'lan'                         
        option target 'REJECT'                   
        option name 'Block external DNS WAN VPN zone'
        list dest_ip '8.8.8.8'                   
        list dest_ip '8.8.4.4'
        list dest_ip '2001:4860:4860::8888'                   
        list dest_ip '2001:4860:4860::8844' 

I'll try placing the IPv6 addresses into their own stanza and see if that helps. Currently, I can't ping the IPv4 addresses, but I can ping the IPv6 ones.

@lleachii I've got the DNS intercept rules set, but on one handset, the second DNS entry is hard-coded to 8.8.8.8 and seems to 'prefer' that under circumstances which I haven't fully determined (seems to be around toggling Android's Private DNS option). Odd.

Your rules are missing proto=all again, and the default is tcpudp, which does not include icmp.
But actually, I see no point in blocking icmp.

To minimize the rule set, you can also specify dest=*.
However, if you have configured DNS hijacking, there's not much point in using REJECT, unless you want to block DoT and DoH.


okay, so the rule is now this (thanks, @vgaetera)

# Consolidated rule: src/dest '*' and proto 'all', all four resolver
# addresses in one list. With src/dest '*' fw3 emits it straight into the
# FORWARD chain (see the ip6tables-save output below). The IPv4 addresses
# are now blocked; the IPv6 ones are still pingable because this rule is
# ordered after Allow-ICMPv6-Forward, whose echo-request/echo-reply ACCEPT
# runs first -- the thread resolves this by moving this rule to the top of
# the rule list.
config rule                                      
        option dest '*'                    
        option src '*'                         
        option target 'REJECT'                   
        option name 'Block external DNS'
        option proto 'all'
        list dest_ip '8.8.8.8'                   
        list dest_ip '8.8.4.4'
        list dest_ip '2001:4860:4860::8888'                   
        list dest_ip '2001:4860:4860::8844' 

...still the same. ping to either of the IPv4 addresses fails; ping6 to the IPv6 addresses succeeds. I even tried restricting proto to icmp-ipv6 (from /etc/protocols) and still no luck.

Agreed; but it's the 'path of least resistance' when it comes to testing the rule. And, perhaps, given the results, I've stumbled across a bug? I'd be interested to know if anybody else has problems blocking the IPv6 addresses using this firewall rule.

ip6tables-save

What does this say?

See below for full output; amongst which is:

-A FORWARD -d 2001:4860:4860::8888/128 -m comment --comment "!fw3: Block external DNS" -j reject
-A FORWARD -d 2001:4860:4860::8844/128 -m comment --comment "!fw3: Block external DNS" -j reject
Full output
 Generated by ip6tables-save v1.8.3 on Tue Jul 28 10:51:09 2020
# IPv6 nat table. Only the wan_vpn zone masquerades (masq6 '1' on the
# 'mullvad' interface); there is no DNAT here. The three Intercept-DNS
# redirects in the config carry IPv4 dest_ip values, so presumably they
# exist only in the IPv4 table (not shown) -- IPv6 DNS from clients is not
# hijacked, only rejected for the listed Google addresses by the filter
# rule further down.
*nat
:PREROUTING ACCEPT [6840:1231057]
:INPUT ACCEPT [2520:234113]
:OUTPUT ACCEPT [2049:294443]
:POSTROUTING ACCEPT [2771:326358]
:postrouting_family_rule - [0:0]
:postrouting_guest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:postrouting_wan_vpn_rule - [0:0]
:prerouting_family_rule - [0:0]
:prerouting_guest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:prerouting_wan_vpn_rule - [0:0]
:zone_family_postrouting - [0:0]
:zone_family_prerouting - [0:0]
:zone_guest_postrouting - [0:0]
:zone_guest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
:zone_wan_vpn_postrouting - [0:0]
:zone_wan_vpn_prerouting - [0:0]
# Interface -> zone dispatch; the zone_*_prerouting chains only hand off to
# the empty custom chains, so nothing is rewritten on the way in.
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i br-streaming -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i wgserver -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i mullvad -m comment --comment "!fw3" -j zone_wan_vpn_prerouting
-A PREROUTING -i br-guest -m comment --comment "!fw3" -j zone_guest_prerouting
-A PREROUTING -i br-family -m comment --comment "!fw3" -j zone_family_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o br-streaming -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o wgserver -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o mullvad -m comment --comment "!fw3" -j zone_wan_vpn_postrouting
-A POSTROUTING -o br-guest -m comment --comment "!fw3" -j zone_guest_postrouting
-A POSTROUTING -o br-family -m comment --comment "!fw3" -j zone_family_postrouting
-A zone_family_postrouting -m comment --comment "!fw3: Custom family postrouting rule chain" -j postrouting_family_rule
-A zone_family_prerouting -m comment --comment "!fw3: Custom family prerouting rule chain" -j prerouting_family_rule
-A zone_guest_postrouting -m comment --comment "!fw3: Custom guest postrouting rule chain" -j postrouting_guest_rule
-A zone_guest_prerouting -m comment --comment "!fw3: Custom guest prerouting rule chain" -j prerouting_guest_rule
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
# The only NAT action in this table: IPv6 masquerade out of the VPN uplink.
-A zone_wan_vpn_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_vpn_postrouting -m comment --comment "!fw3: Custom wan_vpn postrouting rule chain" -j postrouting_wan_vpn_rule
-A zone_wan_vpn_prerouting -m comment --comment "!fw3: Custom wan_vpn prerouting rule chain" -j prerouting_wan_vpn_rule
COMMIT
# Completed on Tue Jul 28 10:51:09 2020
# Generated by ip6tables-save v1.8.3 on Tue Jul 28 10:51:09 2020
# IPv6 mangle table: TCP MSS clamping on both uplinks, produced by
# mtu_fix '1' on the wan and wan_vpn zones.
*mangle
:PREROUTING ACCEPT [927838:799457359]
:INPUT ACCEPT [17280:2881545]
:FORWARD ACCEPT [908370:795877739]
:OUTPUT ACCEPT [15917:2129317]
:POSTROUTING ACCEPT [923941:797982393]
-A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o mullvad -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan_vpn MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Tue Jul 28 10:51:09 2020
# Generated by ip6tables-save v1.8.3 on Tue Jul 28 10:51:09 2020
# IPv6 filter table. Chain policies are DROP; fw3 additionally appends an
# explicit jump to its 'reject' helper at the end of INPUT/FORWARD/OUTPUT,
# so unmatched traffic is rejected rather than silently dropped.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:banIP - [0:0]
:forwarding_family_rule - [0:0]
:forwarding_guest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:forwarding_wan_vpn_rule - [0:0]
:input_family_rule - [0:0]
:input_guest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:input_wan_vpn_rule - [0:0]
:output_family_rule - [0:0]
:output_guest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:output_wan_vpn_rule - [0:0]
:reject - [0:0]
:zone_family_dest_ACCEPT - [0:0]
:zone_family_dest_REJECT - [0:0]
:zone_family_forward - [0:0]
:zone_family_input - [0:0]
:zone_family_output - [0:0]
:zone_family_src_REJECT - [0:0]
:zone_guest_dest_ACCEPT - [0:0]
:zone_guest_dest_REJECT - [0:0]
:zone_guest_forward - [0:0]
:zone_guest_input - [0:0]
:zone_guest_output - [0:0]
:zone_guest_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_DROP - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
:zone_wan_vpn_dest_ACCEPT - [0:0]
:zone_wan_vpn_dest_REJECT - [0:0]
:zone_wan_vpn_forward - [0:0]
:zone_wan_vpn_input - [0:0]
:zone_wan_vpn_output - [0:0]
:zone_wan_vpn_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
# Allow-MLD and Allow-ICMPv6-Input have src '*' in the config, so they sit
# here in the top-level INPUT chain, ahead of the per-zone dispatch below.
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i br-streaming -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i wgserver -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i mullvad -m comment --comment "!fw3" -j zone_wan_vpn_input
-A INPUT -i br-guest -m comment --comment "!fw3" -j zone_guest_input
-A INPUT -i br-family -m comment --comment "!fw3" -j zone_family_input
-A INPUT -m comment --comment "!fw3" -j reject
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
# Allow-ICMPv6-Forward (src '*', dest '*' in the config): accepts
# echo-request (128) and echo-reply (129) for any interface pair before
# any destination-specific rule is consulted.
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
# 'Block external DNS' (src '*', dest '*', proto all) as generated. It is
# only reached by traffic not already accepted above: an ICMPv6 echo to
# these addresses was ACCEPTed by the type-128 rule seven lines up, which is
# why ping6 still worked. Moving the rule ahead of Allow-ICMPv6-Forward in
# the config (as the thread later does) places these two lines before the
# ACCEPTs.
-A FORWARD -d 2001:4860:4860::8888/128 -m comment --comment "!fw3: Block external DNS" -j reject
-A FORWARD -d 2001:4860:4860::8844/128 -m comment --comment "!fw3: Block external DNS" -j reject
# Per-zone forwarding dispatch; the zone_*_forward chains below implement
# the 'forwarding' sections of the config.
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i br-streaming -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i wgserver -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i mullvad -m comment --comment "!fw3" -j zone_wan_vpn_forward
-A FORWARD -i br-guest -m comment --comment "!fw3" -j zone_guest_forward
-A FORWARD -i br-family -m comment --comment "!fw3" -j zone_family_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o br-streaming -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o wgserver -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o mullvad -m comment --comment "!fw3" -j zone_wan_vpn_output
-A OUTPUT -o br-guest -m comment --comment "!fw3" -j zone_guest_output
-A OUTPUT -o br-family -m comment --comment "!fw3" -j zone_family_output
-A OUTPUT -m comment --comment "!fw3" -j reject
# Shared reject helper: TCP gets a RST, everything else an ICMPv6
# port-unreachable.
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
-A zone_family_dest_ACCEPT -o br-family -m comment --comment "!fw3" -j ACCEPT
-A zone_family_dest_REJECT -o br-family -m comment --comment "!fw3" -j reject
-A zone_family_forward -m comment --comment "!fw3: Custom family forwarding rule chain" -j forwarding_family_rule
-A zone_family_forward -m comment --comment "!fw3: Zone family to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_family_forward -m comment --comment "!fw3: Zone family to wan_vpn forwarding policy" -j zone_wan_vpn_dest_ACCEPT
-A zone_family_forward -m comment --comment "!fw3" -j zone_family_dest_REJECT
-A zone_family_input -m comment --comment "!fw3: Custom family input rule chain" -j input_family_rule
-A zone_family_input -p udp -m udp --dport 546:547 -m comment --comment "!fw3: DHCPv6 Family" -j ACCEPT
-A zone_family_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: family_dhcp" -j ACCEPT
-A zone_family_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: family_dns" -j ACCEPT
-A zone_family_input -p udp -m udp --dport 53 -m comment --comment "!fw3: family_dns" -j ACCEPT
-A zone_family_input -m comment --comment "!fw3" -j zone_family_src_REJECT
-A zone_family_output -m comment --comment "!fw3: Custom family output rule chain" -j output_family_rule
-A zone_family_output -m comment --comment "!fw3" -j zone_family_dest_ACCEPT
-A zone_family_src_REJECT -i br-family -m comment --comment "!fw3" -j reject
-A zone_guest_dest_ACCEPT -o br-guest -m comment --comment "!fw3" -j ACCEPT
-A zone_guest_dest_REJECT -o br-guest -m comment --comment "!fw3" -j reject
-A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
-A zone_guest_forward -m comment --comment "!fw3: Zone guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_REJECT
-A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
-A zone_guest_input -p udp -m udp --dport 546:547 -m comment --comment "!fw3: DHCPv6 Guest" -j ACCEPT
-A zone_guest_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: guest_dhcp" -j ACCEPT
-A zone_guest_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: guest_dns" -j ACCEPT
-A zone_guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: guest_dns" -j ACCEPT
-A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_REJECT
-A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
-A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
-A zone_guest_src_REJECT -i br-guest -m comment --comment "!fw3" -j reject
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o br-streaming -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o wgserver -m comment --comment "!fw3" -j ACCEPT
# lan -> wan_vpn is tried before lan -> wan, matching the order of the
# 'forwarding' sections in the config.
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan_vpn forwarding policy" -j zone_wan_vpn_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_src_ACCEPT -i br-streaming -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_src_ACCEPT -i wgserver -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
# NAT-leak guard: packets in conntrack state INVALID are dropped before
# anything is accepted out of an uplink.
-A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_DROP -o eth0 -m comment --comment "!fw3" -j DROP
-A zone_wan_dest_DROP -o pppoe-wan -m comment --comment "!fw3" -j DROP
-A zone_wan_dest_REJECT -o eth0 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 52000 -m comment --comment "!fw3: Allow-Wireguard-Inbound" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 2096 -m comment --comment "!fw3: Allow-Plex-Inbound" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0 -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_vpn_dest_ACCEPT -o mullvad -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_vpn_dest_ACCEPT -o mullvad -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_vpn_dest_REJECT -o mullvad -m comment --comment "!fw3" -j reject
-A zone_wan_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_vpn_forward -m comment --comment "!fw3: Custom wan_vpn forwarding rule chain" -j forwarding_wan_vpn_rule
-A zone_wan_vpn_forward -m comment --comment "!fw3" -j zone_wan_vpn_dest_REJECT
-A zone_wan_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_vpn_input -m comment --comment "!fw3: Custom wan_vpn input rule chain" -j input_wan_vpn_rule
-A zone_wan_vpn_input -m comment --comment "!fw3" -j zone_wan_vpn_src_REJECT
-A zone_wan_vpn_output -m comment --comment "!fw3: Custom wan_vpn output rule chain" -j output_wan_vpn_rule
-A zone_wan_vpn_output -m comment --comment "!fw3" -j zone_wan_vpn_dest_ACCEPT
-A zone_wan_vpn_src_REJECT -i mullvad -m comment --comment "!fw3" -j reject
COMMIT

This rule (Allow-ICMPv6-Forward) should be limited to inbound traffic by default, but it looks like you changed the src option to '*'. With that, its echo-request/echo-reply ACCEPT applies to every forwarding path and, in the FORWARD chain above, it comes before the 'Block external DNS' reject, so the ping is accepted before the block rule is ever reached.

Bingo!

That change was deliberate, as discussed here.

Simply moving the 'Block external DNS' rule so that it's the first entry has resolved it; I can no longer ping6 the two IP addresses.

