On 11/6/2017 9:29 PM, trondd wrote:
> On Mon, November 6, 2017 8:50 pm, Scott Bennett wrote:
>> pass quick proto { tcp, udp } to port $udp_ports
>
> Because you're telling pf to pass all traffic on port domain to anywhere. Quick rules stop evaluation and you never hit the rdr-to rules below.
Oh, duh. I thought it had to be something minor that I wasn't seeing.
>> # Redirect DNS Queries
>> pass in on $wifi proto { udp, tcp } from any to any port domain \
>>     rdr-to $wifi_ip port domain label "dns-redirect"
>> pass in on $wired proto { udp, tcp } from any to any port domain \
>>     rdr-to $wired_ip port domain label "dns-redirect"
>
> What is on your LAN that isn't using your DHCP settings for DNS? Why redirect instead of just blocking DNS from the LAN to all but unbound?
I want to be able to enforce that all queries get funneled to OpenDNS. I don't want someone to be able to outsmart the filter, at least at this one level. Redirection lets me configure the laptops to have their own hard-coded configurations when out and about, and then when I come home they transparently query the gateway with no changes. Blocking would probably result in me trying to load a page when I get home, failing, then remembering to change the DNS config.
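An added pf.conf fragment, not from either poster, showing one way to order the ruleset so the rdr-to rules are reached before the broad quick rule; the interface names, addresses and the contents of $udp_ports are placeholder assumptions.

```pf
# Placeholder macros, assumed for this example (not the poster's values)
wifi = "athn0"
wired = "em0"
wifi_ip = "192.0.2.1"
wired_ip = "198.51.100.1"
udp_ports = "{ domain, ntp }"

# Original ordering (kept as a comment): this quick rule matches every
# packet to port domain, evaluation stops here, and the rdr-to rules
# further down are never consulted.
# pass quick proto { tcp, udp } to port $udp_ports

# Fix: put the redirects first and make them quick, so LAN DNS is sent
# to the local resolver before any later rule can pass it elsewhere.
pass in quick on $wifi proto { udp, tcp } from any to any port domain \
    rdr-to $wifi_ip port domain label "dns-redirect"
pass in quick on $wired proto { udp, tcp } from any to any port domain \
    rdr-to $wired_ip port domain label "dns-redirect"

# The general rule now only sees DNS that was not redirected above, i.e.
# the gateway's own outbound queries (unbound forwarding to OpenDNS).
pass quick proto { tcp, udp } to port $udp_ports
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and confirm the redirect is being hit by watching the label counters with `pfctl -s labels`.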

