PiHole for Friends and Family
-
The point is there is no point to the entire DNS for friends and family thing.
-
@jaredbusch said in PiHole for Friends and Family:
The point is there is no point to the entire DNS for friends and family thing.
This is not entirely true. If you're not an ass like JB, and you take care of your family's and friends' computers, this could save you a lot of headaches by preventing those family and friends from getting some infections/ads, etc. Of course, I am an ass like JB; I don't want to support more than I have to, so I wouldn't bother outside my own home.
-
Finally had some time to finish working on the Fedora-based rules. I used firewall-cmd's rich rules in order to work with the default zone; I think it is the best way to handle it, but I am open to suggestions.
Tested the script in Fedora Server 26, but I believe it should work properly on CentOS 7 and its default python version.
# Starting default fw config
[root@localhost dns_to_ip_firewall_rules]$ firewall-cmd --list-all
FedoraServer (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens3
  sources:
  services: ssh dhcpv6-client cockpit
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

# Fedora 26 uses by default Python 3 so using it to run the script
[root@localhost dns_to_ip_firewall_rules]$ python3 dns-to-ip-firewall-rules.py

# Script is set to reload the firewall to make the rules permanent, checking the new rules
[root@localhost dns_to_ip_firewall_rules]# firewall-cmd --list-all
FedoraServer (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens3
  sources:
  services: ssh dhcpv6-client cockpit
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
	rule family="ipv4" source address="151.101.1.52/32" accept
	rule family="ipv4" source address="50.31.169.131/32" accept
	rule family="ipv4" source address="216.58.193.206/32" port port="22" protocol="tcp" accept
	rule family="ipv4" source address="216.58.193.206/32" port port="53" protocol="udp" accept
	rule family="ipv4" source address="104.25.47.32/32" port port="443" protocol="tcp" accept
	rule family="ipv4" source address="93.184.216.34/32" port port="53" protocol="udp" accept
	rule family="ipv4" source address="93.184.216.34/32" port port="80" protocol="tcp" accept
	rule family="ipv4" source address="93.184.216.34/32" port port="22" protocol="udp" accept
	rule family="ipv4" source address="216.58.193.206/32" port port="22" protocol="udp" accept
	rule family="ipv4" source address="104.25.47.32/32" port port="53" protocol="tcp" accept
	rule family="ipv4" source address="216.58.193.206/32" port port="80" protocol="tcp" accept
	rule family="ipv4" source address="93.184.216.34/32" port port="22" protocol="tcp" accept
	rule family="ipv4" source address="104.25.47.32/32" port port="53" protocol="udp" accept

# Rerunning script to check for new ips
[root@localhost dns_to_ip_firewall_rules]$ python3 dns-to-ip-firewall-rules.py

# Checking to see the new ip correctly set in the firewall
[root@localhost dns_to_ip_firewall_rules]$ firewall-cmd --list-all
FedoraServer (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens3
  sources:
  services: ssh dhcpv6-client cockpit
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
	rule family="ipv4" source address="151.101.1.52/32" accept
	rule family="ipv4" source address="50.31.169.131/32" accept
	rule family="ipv4" source address="216.58.193.206/32" port port="22" protocol="tcp" accept
	rule family="ipv4" source address="216.58.193.206/32" port port="53" protocol="udp" accept
	rule family="ipv4" source address="104.25.47.32/32" port port="443" protocol="tcp" accept
	rule family="ipv4" source address="93.184.216.34/32" port port="53" protocol="udp" accept
	rule family="ipv4" source address="93.184.216.34/32" port port="80" protocol="tcp" accept
	rule family="ipv4" source address="93.184.216.34/32" port port="22" protocol="udp" accept
	rule family="ipv4" source address="216.58.193.206/32" port port="22" protocol="udp" accept
	rule family="ipv4" source address="104.25.47.32/32" port port="53" protocol="tcp" accept
	rule family="ipv4" source address="216.58.193.206/32" port port="80" protocol="tcp" accept
	rule family="ipv4" source address="93.184.216.34/32" port port="22" protocol="tcp" accept
	rule family="ipv4" source address="104.25.47.32/32" port port="53" protocol="udp" accept
	rule family="ipv4" source address="151.101.65.52/32" accept
It appears to be working; I haven't tested it too much, but the configs seem to show what they should.
The current version is on branch firewalld-rules if anyone else wants to test it.
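An added example of the resolve-and-reconcile loop the script above performs (this is not Romo's script and makes no claims about its internals): hostnames are resolved, turned into rich rules in the exact text form firewall-cmd prints, and diffed against the zone's current rules so a re-run only adds new addresses and drops ones that no longer resolve. The hostnames, ports and current-rule lines in the test are constructed.

```python
import shlex
import socket
import subprocess
import time
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Added example, not the thread's script: resolve trusted hostnames, build firewalld
# rich rules in the format firewall-cmd prints, and reconcile them on every run.

def rich_rule(ip: str, port: Optional[int] = None, proto: Optional[str] = None) -> str:
    """Format one rich rule as 'firewall-cmd --list-rich-rules' prints it."""
    base = f'rule family="ipv4" source address="{ip}/32"'
    if port is None:
        return f"{base} accept"
    return f'{base} port port="{port}" protocol="{proto}" accept'

def build_rules(host_ips: Dict[str, Set[str]],
                host_ports: Dict[str, List[Tuple[int, str]]]) -> Set[str]:
    """One rule per (IP, port/protocol); a host with no port list gets a plain accept."""
    rules = set()
    for host, ips in host_ips.items():
        for ip in sorted(ips):
            for port, proto in host_ports.get(host) or [(None, None)]:
                rules.add(rich_rule(ip, port, proto))
    return rules

def diff_rules(current: Iterable[str], desired: Set[str]) -> Tuple[List[str], List[str]]:
    """(to_add, to_remove): re-runs are idempotent and rules for addresses a host
    no longer resolves to are removed instead of piling up."""
    cur = {line.strip() for line in current if line.strip()}
    return sorted(desired - cur), sorted(cur - desired)

def resolve(hosts: Iterable[str]) -> Dict[str, Set[str]]:
    """Current A records per host (needs network; the test uses constructed data)."""
    return {h: {ai[4][0] for ai in socket.getaddrinfo(h, None, socket.AF_INET)}
            for h in hosts}

def apply(to_add: List[str], to_remove: List[str], delay: float = 0.5,
          dry_run: bool = True) -> int:
    """Remove stale rules, add new ones, then reload; returns number of changes."""
    cmds = [["firewall-cmd", "--permanent", "--remove-rich-rule", r] for r in to_remove]
    cmds += [["firewall-cmd", "--permanent", "--add-rich-rule", r] for r in to_add]
    for cmd in cmds:
        if dry_run:
            print(" ".join(shlex.quote(c) for c in cmd))
        else:
            subprocess.run(cmd, check=True)
            time.sleep(delay)  # the thread found port rules needed a short pause
    if cmds and not dry_run:
        subprocess.run(["firewall-cmd", "--reload"], check=True)
    return len(cmds)
```

Feed `current` from the output lines of `firewall-cmd --list-rich-rules` and run with `dry_run=True` first to review the commands before letting the script touch the permanent zone.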
-
By the way, is there a way in firewall-cmd to clear the rules in one pass, basically the equivalent of Ubuntu's ufw reset?
-
@romo not sure. Maybe @scottalanmiller knows?
-
I haven't tried it myself, but this command: "Load zone default settings or report NO_DEFAULTS error."
I got it from the firewall-cmd man page: firewall-cmd --permanent --load-zone-defaults=zone
-
@black3dynamite said in PiHole for Friends and Family:
I haven't tried it myself, but this command: "Load zone default settings or report NO_DEFAULTS error."
I got it from the firewall-cmd man page: firewall-cmd --permanent --load-zone-defaults=zone
That did it, thanks @black3dynamite
-
Had to add a 0.5 second delay between rule creations because rules with ports were not getting added properly.
-
Old rules were not getting removed properly because of a 'copy/paste' error, it is fixed now.
Really love:
firewall-cmd --permanent --load-zone-defaults=zone
-
@Romo Are you still maintaining this?
-