PiHole for Friends and Family
-
@aaronstuder I am working on it already, haven't had time to finish it yet due to other work. Will post as soon as it is ready.
-
I don't get the point of this. I mean it is a cool concept, but it is to much work.
-
@jaredbusch said in PiHole for Friends and Family:
I don't get the point of this. I mean it is a cool concept, but it is to much work.
What do you mean?
-
@jaredbusch said in PiHole for Friends and Family:
I don't get the point of this. I mean it is a cool concept, but it is to much work.
What's not to get? This is being used to limit who can access the cloud hosted Pi-hole server to only those whose DDNS domain (and ergo IP address) is listed. It makes the server DNS access non-public for those with dynamic IPs who are setup with a DDNS domain.
Do you have another recommendation for limiting server access for DNS services to a limited IP that is dynamically assigned by the ISP?
I agree it's been a lot of work for Romo who's kindly provided us with the script but in the absence of a better solution, this is extremely useful.
-
@nashbrydges said in PiHole for Friends and Family:
What's not to get? This is being used to limit who can access the cloud hosted Pi-hole server to only those whose DDNS domain (and ergo IP address) is listed. It makes the server DNS access non-public for those with dynamic IPs who are setup with a DDNS domain.
Do you have another recommendation for limiting server access for DNS services to a limited IP that is dynamically assigned by the ISP?
I agree it's been a lot of work for Romo who's kindly provided us with the script but in the absence of a better solution, this is extremely useful.
I am going to be using it to give my friends and family access to a bunch of services I run, DNS, Nextlcloud, etc. That's why I had @Romo have it allow all connections from one IP
-
The point is there is no point to the entire DNS for friends and family thing.
-
@jaredbusch said in PiHole for Friends and Family:
The point is there is no point to the entire DNS for friends and family thing.
This is not entirely true. If you're not an ass like JB, and you take care of your family's and friend's computers, this could save you a lot of headaches by preventing those family and friends from getting some infections/ads, etc. Of course, I am an like like JB I don't want to support more than I have to.. so I wouldn't bother outside my own home
-
Finally had some time to finish working on the Fedora based rules, I used firewall-cmds rich-rules in order to work with the default zone, I think it is the best way to handle it but I am open to suggestions.
Tested the script in Fedora Server 26, but I believe it should work properly on CentOS 7 and its default python version.
# Starting default fw config [root@localhost dns_to_ip_firewall_rules]$ firewall-cmd --list-all FedoraServer (active) target: default icmp-block-inversion: no interfaces: ens3 sources: services: ssh dhcpv6-client cockpit ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: #Fedora 26 uses by default Python 3 so using it to run the script [root@localhost dns_to_ip_firewall_rules]$ python3 dns-to-ip-firewall-rules.py # Script is set to reload the firewall to make the rules permanent, checking the new rules [root@localhost dns_to_ip_firewall_rules]# firewall-cmd --list-all FedoraServer (active) target: default icmp-block-inversion: no interfaces: ens3 sources: services: ssh dhcpv6-client cockpit ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: rule family="ipv4" source address="151.101.1.52/32" accept rule family="ipv4" source address="50.31.169.131/32" accept rule family="ipv4" source address="216.58.193.206/32" port port="22" protocol="tcp" accept rule family="ipv4" source address="216.58.193.206/32" port port="53" protocol="udp" accept rule family="ipv4" source address="104.25.47.32/32" port port="443" protocol="tcp" accept rule family="ipv4" source address="93.184.216.34/32" port port="53" protocol="udp" accept rule family="ipv4" source address="93.184.216.34/32" port port="80" protocol="tcp" accept rule family="ipv4" source address="93.184.216.34/32" port port="22" protocol="udp" accept rule family="ipv4" source address="216.58.193.206/32" port port="22" protocol="udp" accept rule family="ipv4" source address="104.25.47.32/32" port port="53" protocol="tcp" accept rule family="ipv4" source address="216.58.193.206/32" port port="80" protocol="tcp" accept rule family="ipv4" source address="93.184.216.34/32" port port="22" protocol="tcp" accept rule family="ipv4" source address="104.25.47.32/32" port port="53" protocol="udp" accept # Rerunning script to check for new ips [root@localhost dns_to_ip_firewall_rules]$ python3 dns-to-ip-firewall-rules.py # Checking to see the new ip correctly set in the firewall [root@localhost dns_to_ip_firewall_rules]$ firewall-cmd --list-all FedoraServer (active) target: default icmp-block-inversion: no interfaces: ens3 sources: services: ssh dhcpv6-client cockpit ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: rule family="ipv4" source address="151.101.1.52/32" accept rule family="ipv4" source address="50.31.169.131/32" accept rule family="ipv4" source address="216.58.193.206/32" port port="22" protocol="tcp" accept rule family="ipv4" source address="216.58.193.206/32" port port="53" protocol="udp" accept rule family="ipv4" source address="104.25.47.32/32" port port="443" protocol="tcp" accept rule family="ipv4" source address="93.184.216.34/32" port port="53" protocol="udp" accept rule family="ipv4" source address="93.184.216.34/32" port port="80" protocol="tcp" accept rule family="ipv4" source address="93.184.216.34/32" port port="22" protocol="udp" accept rule family="ipv4" source address="216.58.193.206/32" port port="22" protocol="udp" accept rule family="ipv4" source address="104.25.47.32/32" port port="53" protocol="tcp" accept rule family="ipv4" source address="216.58.193.206/32" port port="80" protocol="tcp" accept rule family="ipv4" source address="93.184.216.34/32" port port="22" protocol="tcp" accept rule family="ipv4" source address="104.25.47.32/32" port port="53" protocol="udp" accept rule family="ipv4" source address="151.101.65.52/32" accept
It appears to be working, haven't tested it too much but the configs seem to show what they must.
Current version tested in on branch firewalld-rules if any one else wants to test it.
-
By the way is there a way in firewall-cmd to clear the rules in one pass, basically the equivalent of ubuntus
ufw reset
? -
@romo not sure. Maybe @scottalanmiller knows?
-
I haven't tried it myself but this command Load zone default settings or report NO_DEFAULTS error.
I got it from the firewall-cmd man pagefirewall-cmd --permanent --load-zone-defaults=zone
-
@black3dynamite said in PiHole for Friends and Family:
I haven't tried it myself but this command Load zone default settings or report NO_DEFAULTS error.
I got it from the firewall-cmd man pagefirewall-cmd --permanent --load-zone-defaults=zone
That did it, thanks @black3dynamite
-
Had to add .5 second delay between rule creation because rules with ports were not getting added properly.
-
Old rules were not getting removed properly because of a 'copy/paste' error, it is fixed now.
Really love:
firewall-cmd --permanent --load-zone-defaults=zone
-
@Romo Are you still maintaining this?
-