    PiHole for Friends and Family

    Scheduled Pinned Locked Moved IT Discussion
    67 Posts 14 Posters 11.0k Views
      Alex Sage @NashBrydges

      @nashbrydges said in PiHole for Friends and Family:

      What's not to get? This is being used to limit who can access the cloud-hosted Pi-hole server to only those whose DDNS domain (and ergo IP address) is listed. It makes the server's DNS access non-public for those with dynamic IPs who are set up with a DDNS domain.

      Do you have another recommendation for limiting server access for DNS services to a limited IP that is dynamically assigned by the ISP?

      I agree it's been a lot of work for Romo who's kindly provided us with the script but in the absence of a better solution, this is extremely useful.

      I am going to be using it to give my friends and family access to a bunch of services I run, DNS, Nextcloud, etc. That's why I had @Romo have it allow all connections from one IP 😉

        JaredBusch

        The point is there is no point to the entire DNS for friends and family thing.

          Dashrender @JaredBusch

          @jaredbusch said in PiHole for Friends and Family:

          The point is there is no point to the entire DNS for friends and family thing.

          This is not entirely true. If you're not an ass like JB, and you take care of your family's and friends' computers, this could save you a lot of headaches by preventing those family and friends from getting some infections/ads, etc. Of course, I am like JB: I don't want to support more than I have to, so I wouldn't bother outside my own home 😉

            Romo

            Finally had some time to finish working on the Fedora-based rules. I used firewall-cmd's rich rules in order to work with the default zone; I think it is the best way to handle it, but I am open to suggestions.

            Tested the script in Fedora Server 26, but I believe it should work properly on CentOS 7 and its default Python version.

            # Starting default fw config
            [root@localhost dns_to_ip_firewall_rules]$ firewall-cmd --list-all
            FedoraServer (active)
              target: default
              icmp-block-inversion: no
              interfaces: ens3
              sources: 
              services: ssh dhcpv6-client cockpit
              ports: 
              protocols: 
              masquerade: no
              forward-ports: 
              source-ports: 
              icmp-blocks: 
              rich rules: 
            
            #Fedora 26 uses by default Python 3 so using it to run the script
            [root@localhost dns_to_ip_firewall_rules]$ python3 dns-to-ip-firewall-rules.py 
            
            # Script is set to reload the firewall to make the rules permanent, checking the new rules
            [root@localhost dns_to_ip_firewall_rules]# firewall-cmd --list-all
            FedoraServer (active)
              target: default
              icmp-block-inversion: no
              interfaces: ens3
              sources: 
              services: ssh dhcpv6-client cockpit
              ports: 
              protocols: 
              masquerade: no
              forward-ports: 
              source-ports: 
              icmp-blocks: 
              rich rules: 
            	rule family="ipv4" source address="151.101.1.52/32" accept
            	rule family="ipv4" source address="50.31.169.131/32" accept
            	rule family="ipv4" source address="216.58.193.206/32" port port="22" protocol="tcp" accept
            	rule family="ipv4" source address="216.58.193.206/32" port port="53" protocol="udp" accept
            	rule family="ipv4" source address="104.25.47.32/32" port port="443" protocol="tcp" accept
            	rule family="ipv4" source address="93.184.216.34/32" port port="53" protocol="udp" accept
            	rule family="ipv4" source address="93.184.216.34/32" port port="80" protocol="tcp" accept
            	rule family="ipv4" source address="93.184.216.34/32" port port="22" protocol="udp" accept
            	rule family="ipv4" source address="216.58.193.206/32" port port="22" protocol="udp" accept
            	rule family="ipv4" source address="104.25.47.32/32" port port="53" protocol="tcp" accept
            	rule family="ipv4" source address="216.58.193.206/32" port port="80" protocol="tcp" accept
            	rule family="ipv4" source address="93.184.216.34/32" port port="22" protocol="tcp" accept
            	rule family="ipv4" source address="104.25.47.32/32" port port="53" protocol="udp" accept
            
            # Rerunning script to check for new ips
            [root@localhost dns_to_ip_firewall_rules]$ python3 dns-to-ip-firewall-rules.py 
            
            # Checking to see the new ip correctly set in the firewall 
            [root@localhost dns_to_ip_firewall_rules]$ firewall-cmd --list-all
            FedoraServer (active)
              target: default
              icmp-block-inversion: no
              interfaces: ens3
              sources: 
              services: ssh dhcpv6-client cockpit
              ports: 
              protocols: 
              masquerade: no
              forward-ports: 
              source-ports: 
              icmp-blocks: 
              rich rules: 
            	rule family="ipv4" source address="151.101.1.52/32" accept
            	rule family="ipv4" source address="50.31.169.131/32" accept
            	rule family="ipv4" source address="216.58.193.206/32" port port="22" protocol="tcp" accept
            	rule family="ipv4" source address="216.58.193.206/32" port port="53" protocol="udp" accept
            	rule family="ipv4" source address="104.25.47.32/32" port port="443" protocol="tcp" accept
            	rule family="ipv4" source address="93.184.216.34/32" port port="53" protocol="udp" accept
            	rule family="ipv4" source address="93.184.216.34/32" port port="80" protocol="tcp" accept
            	rule family="ipv4" source address="93.184.216.34/32" port port="22" protocol="udp" accept
            	rule family="ipv4" source address="216.58.193.206/32" port port="22" protocol="udp" accept
            	rule family="ipv4" source address="104.25.47.32/32" port port="53" protocol="tcp" accept
            	rule family="ipv4" source address="216.58.193.206/32" port port="80" protocol="tcp" accept
            	rule family="ipv4" source address="93.184.216.34/32" port port="22" protocol="tcp" accept
            	rule family="ipv4" source address="104.25.47.32/32" port port="53" protocol="udp" accept
            	rule family="ipv4" source address="151.101.65.52/32" accept
            

            It appears to be working; I haven't tested it too much, but the configs seem to show what they must.

            The current version tested is on branch firewalld-rules if anyone else wants to test it.

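As an added illustration of what the script in this post does (this is not Romo's code; the policy, the hostnames and the old `--list-all` excerpt are constructed placeholders): resolve each DDNS name, build rich rules in the form `firewall-cmd --list-all` prints them, and diff them against the rules already present so that a changed address replaces the stale rule instead of piling up beside it.

```python
from typing import Callable, Dict, List, Set, Tuple

# Constructed policy (placeholder names, not real DDNS hosts): each name maps to
# the (port, protocol) pairs it may reach; an empty list means accept everything.
POLICY: Dict[str, List[Tuple[int, str]]] = {
    "friend1.example.net": [(53, "udp"), (53, "tcp")],
    "family.example.org": [],
}

# Constructed `firewall-cmd --list-all` excerpt from an earlier run (friend1 was 198.51.100.10).
CURRENT_OUTPUT = """FedoraServer (active)
  rich rules:
\trule family="ipv4" source address="198.51.100.10/32" port port="53" protocol="udp" accept
\trule family="ipv4" source address="198.51.100.10/32" port port="53" protocol="tcp" accept
\trule family="ipv4" source address="203.0.113.7/32" accept
"""

def rich_rule(ip: str, port=None, proto=None) -> str:
    """Build a rich rule in exactly the form firewall-cmd --list-all prints it."""
    rule = f'rule family="ipv4" source address="{ip}/32"'
    if port is not None:
        rule += f' port port="{port}" protocol="{proto}"'
    return rule + " accept"

def desired_rules(policy: Dict[str, List[Tuple[int, str]]], resolve: Callable[[str], str]) -> Set[str]:
    """Resolve every name now (e.g. resolve=socket.gethostbyname) and derive the rule set."""
    rules: Set[str] = set()
    for host, services in policy.items():
        ip = resolve(host)  # one lookup per DDNS name, at the moment the script runs
        rules.update(rich_rule(ip, p, proto) for p, proto in services or [(None, None)])
    return rules

def parse_current_rules(list_all_output: str) -> Set[str]:
    """Collect the rich rules listed after the 'rich rules:' line."""
    rules, in_rich = set(), False
    for line in list_all_output.splitlines():
        if line.strip().startswith("rich rules:"):
            in_rich = True
        elif in_rich and line.strip().startswith("rule "):
            rules.add(line.strip())
    return rules

def plan(current: Set[str], desired: Set[str]) -> Tuple[List[str], List[str]]:
    """Diff current against desired: stale rules get removed, not merely appended to."""
    return sorted(desired - current), sorted(current - desired)

def to_commands(to_add: List[str], to_remove: List[str]) -> List[List[str]]:
    # Permanent changes first, then a single reload so the new rules take effect.
    cmds = [["firewall-cmd", "--permanent", "--remove-rich-rule", r] for r in to_remove]
    cmds += [["firewall-cmd", "--permanent", "--add-rich-rule", r] for r in to_add]
    return cmds + [["firewall-cmd", "--reload"]] if cmds else cmds
```

On a live host you would pass `socket.gethostbyname` as `resolve` and hand the returned argv lists to `subprocess.run`; the resulting allowlist is only as trustworthy as the DNS answers, so the resolver the script uses should be one you trust.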
              Romo

              By the way, is there a way in firewall-cmd to clear the rules in one pass, basically the equivalent of Ubuntu's ufw reset?

                Alex Sage @Romo

                @romo not sure. Maybe @scottalanmiller knows?

                  black3dynamite @Romo

                  @romo

                  I haven't tried it myself, but this command will "Load zone default settings or report NO_DEFAULTS error."
                  I got it from the firewall-cmd man page:

                  firewall-cmd --permanent --load-zone-defaults=zone
                  
                    Romo @black3dynamite

                    @black3dynamite said in PiHole for Friends and Family:

                    @romo

                    I haven't tried it myself, but this command will "Load zone default settings or report NO_DEFAULTS error."
                    I got it from the firewall-cmd man page:

                    firewall-cmd --permanent --load-zone-defaults=zone
                    

                    That did it, thanks @black3dynamite.

                      Romo

                      Had to add a 0.5 second delay between rule creations because rules with ports were not getting added properly.

                        Romo

                        Old rules were not getting removed properly because of a copy/paste error; it is fixed now.

                        Really love:

                        firewall-cmd --permanent --load-zone-defaults=zone
                        
                          Curtis @Romo

                          @Romo Are you still maintaining this?

                            scottalanmiller @Curtis

                            @Curtis said in PiHole for Friends and Family:

                            @Romo Are you still maintaining this?

                            He is.
