Tom, worked perfectly.
I was able to block Google DNS requests and ALSO redirect some DNS
resolutions for other external servers to my local Bind DNS Server (to get,
via logs, ALL DNS resolutions logged). Perfect!
Thanks a lot.
# ---
# NONAT first (no 'net:' prefix, as Tom suggested): keep the real
# destination so the REJECT rules below still see it
NONAT loc $DNS_TO_BLOCK udp domain
NONAT loc $DNS_TO_BLOCK tcp domain
#
# Reject and log direct queries to the blocked public resolvers
REJECT:info loc net:$DNS_TO_BLOCK tcp domain
REJECT:info loc net:$DNS_TO_BLOCK udp domain
#
# Every other DNS query from loc goes to the local Bind listener
REDIRECT:info loc $BIND_ALT_PORT udp domain
REDIRECT:info loc $BIND_ALT_PORT tcp domain
# ---
Some info: part of the above solution (REDIRECT) is to improve CDN
geolocation (DNS based), since using Google DNS (and other public DNS
servers) breaks this, especially in countries that don't have an 8.8.8.8
server deployed locally using anycast.
--Guilsson
On Wed, Feb 22, 2017 at 3:40 PM, Tom Eastep <[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 02/22/2017 10:24 AM, Tom Eastep wrote:
> > On 02/21/2017 03:16 AM, Guilsson . wrote:
> >
> >> Anyway, my question is not about dhcp and/or dns stuff. It's
> >> about making the REJECT rules take precedence over REDIRECT
> >> rules.
> >
> >
> > You can't. But what you can do is add these rules before all the
> > rest:
> >
> > NONAT loc net:8.8.8.8,8.8.4.4 udp domain
> > NONAT loc net:8.8.8.8,8.8.4.4 tcp domain
> >
> > That will prevent the REDIRECT rule from rewriting the destination
> > address in the packets that you want to reject.
> >
> > Note that the above rules both generate a warning which you can
> > ignore.
> >
>
> You can eliminate the warnings by omitting 'net:' from the rules.
>
> NONAT loc 8.8.8.8,8.8.4.4 udp domain
> NONAT loc 8.8.8.8,8.8.4.4 tcp domain
>
> - -Tom
> - --
> Tom Eastep \ When I die, I want to go like my Grandfather who
> Shoreline, \ died peacefully in his sleep. Not screaming like
> Washington, USA \ all of the passengers in his car
> http://shorewall.net \________________________________________________
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
> Comment: GPGTools - http://gpgtools.org
>
> iQIcBAEBCAAGBQJYrdsjAAoJEJbms/JCOk0QRhIP/i/gCt1x773f1LS4h5l+j+Mf
> HGOVrbrOHLBTTJFyD3GxCb+LXZHo8fUlLjk8te7tYhc2CfDlJ/mf5pRIfw3w39Nd
> waQJmI11qL/Gdmmg/jqR/TFAbX7N8wCyMPYp7idzVE0ZU1YY6rRZLlEL1N55nkP/
> exBmf94rdIdvgKu042d4t7EhF/6owv32QABzL5Ueh5YuUOxo0PFG1baF9LCqJXvZ
> gt47rE8lVtM70btL2jEAqLC9FghP3dmeJwAClWu6kiTNZkmGygOYB6WzucUmcbMd
> K6m7Y5zRAIsuChG5u1tMz7XxgmoFp0FGzhEkL/HfOPYylXtNRbMtMpi9Y6rziptM
> QAxWTKLMc0UOOraQJw/+g4Fn0XZ+q37j/2R4z7hyaF3R2UditLFBHn6KCPPmH+UA
> Cmh/K1XDtzd4CflI607WKo+YsxnU5JtlbvoBHZdVvxlNcuM6UGqoYLPCeOftQ8LB
> you9QTjMmBjioEDQMBixOC2RvB/pbgt4CTtikTxRbHJl4MZ6gfMYgtAhDMOXW16e
> WEEIZAcs4U7P53QpyJW3GEZP7nRSXm6rmi44PP5wd27Hh8ve6Ee/edytC/hY4w0m
> dxAYj1+GPda3tOQHd3DmU8K9Ymg7INHyzpfW4RR6dUeBl1Q1kegCAwKOdACnsSU1
> +NjQA9D14Rp6jXuCB37b
> =NdEG
> -----END PGP SIGNATURE-----
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
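The reason Tom's NONAT trick is needed is the order in which the packet meets the tables: Shorewall sends NONAT and REDIRECT to the nat table (PREROUTING), which runs before the filter table where REJECT lives, so a REDIRECT rewrites the destination before any REJECT can match it, whatever order the lines have in the rules file. The toy model below is an added example, not Shorewall's or Netfilter's code; it parses the poster's six rules, takes 8.8.8.8/8.8.4.4 from Tom's reply, uses 5353 as an assumed placeholder for $BIND_ALT_PORT, and simplifies the kernel path to "nat first, then filter, redirected packets go to INPUT".

```python
import re
from dataclasses import dataclass, replace

# Values Shorewall would read from the params file. The addresses are Tom's
# example; the BIND port is an assumed placeholder for the poster's $BIND_ALT_PORT.
PARAMS = {"DNS_TO_BLOCK": "8.8.8.8,8.8.4.4", "BIND_ALT_PORT": "5353"}
SERVICES = {"domain": 53}            # /etc/services, reduced to what the rules use
NAT_ACTIONS = {"NONAT", "REDIRECT"}  # actions Shorewall places in the nat table
LOCAL = "127.0.0.1"                  # where REDIRECT sends a packet

# The poster's rules, copied from the message above.
RULES_TEXT = """
NONAT loc $DNS_TO_BLOCK udp domain
NONAT loc $DNS_TO_BLOCK tcp domain
REJECT:info loc net:$DNS_TO_BLOCK tcp domain
REJECT:info loc net:$DNS_TO_BLOCK udp domain
REDIRECT:info loc $BIND_ALT_PORT udp domain
REDIRECT:info loc $BIND_ALT_PORT tcp domain
"""


@dataclass(frozen=True)
class Rule:
    action: str   # NONAT, REJECT or REDIRECT
    log: bool     # True when a ":info" log level was given
    source: str   # source zone
    dest: str     # comma-separated addresses, or the local port for REDIRECT
    proto: str
    dport: int


@dataclass(frozen=True)
class Packet:
    zone: str     # zone the packet arrived from
    dst: str
    proto: str
    dport: int


def expand(token: str) -> str:
    """Substitute $VARIABLE references the way Shorewall expands params."""
    return re.sub(r"\$(\w+)", lambda m: PARAMS[m.group(1)], token)


def parse_rules(text: str) -> list[Rule]:
    """Parse 'ACTION SOURCE DEST PROTO DPORT' lines; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, source, dest, proto, dport = line.split()
        base, _, level = action.partition(":")
        port = SERVICES.get(dport) or int(dport)
        # An optional 'net:' zone qualifier on DEST is dropped; only the addresses matter here.
        addrs = expand(dest).split(":", 1)[-1]
        rules.append(Rule(base, bool(level), source, addrs, proto, port))
    return rules


def matches(rule: Rule, pkt: Packet) -> bool:
    if (rule.source, rule.proto, rule.dport) != (pkt.zone, pkt.proto, pkt.dport):
        return False
    if rule.action == "REDIRECT":
        return True                  # REDIRECT's DEST is a port, so any destination matches
    return pkt.dst in rule.dest.split(",")


def run(pkt: Packet, rules: list[Rule]) -> tuple[str, Packet, list[str]]:
    """Return (verdict, packet as it leaves the firewall, log lines)."""
    log: list[str] = []
    nat_rules = [r for r in rules if r.action in NAT_ACTIONS]
    filter_rules = [r for r in rules if r.action not in NAT_ACTIONS]
    # Stage 1: nat PREROUTING. Rules keep file order; the first match ends the chain.
    for r in nat_rules:
        if matches(r, pkt):
            if r.action == "REDIRECT":
                if r.log:
                    log.append(f"REDIRECT {pkt.dst}:{pkt.dport} -> {LOCAL}:{r.dest}")
                pkt = replace(pkt, dst=LOCAL, dport=int(r.dest))
            break                    # NONAT: the destination stays as sent
    # Stage 2: filter. A redirected packet is now addressed to the firewall itself,
    # so it takes the INPUT path and never reaches the loc->net REJECT rules.
    if pkt.dst == LOCAL:
        return "ACCEPT", pkt, log
    for r in filter_rules:
        if matches(r, pkt):
            if r.log:
                log.append(f"{r.action} {pkt.dst}:{pkt.dport}")
            return r.action, pkt, log
    return "ACCEPT", pkt, log


def demo() -> dict[str, str]:
    """Compare the poster's rule set with the same set minus the NONAT lines."""
    rules = parse_rules(RULES_TEXT)
    query = Packet("loc", "8.8.8.8", "udp", 53)
    with_nonat = run(query, rules)[0]
    without_nonat = run(query, [r for r in rules if r.action != "NONAT"])[0]
    other = run(Packet("loc", "1.1.1.1", "udp", 53), rules)[1]
    return {"with NONAT": with_nonat, "without NONAT": without_nonat,
            "other resolver": f"{other.dst}:{other.dport}"}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it shows the three outcomes the thread describes: with the NONAT lines a query to 8.8.8.8 keeps its destination, is rejected by the loc->net REJECT rule and produces the log entry; without them the same query is rewritten to the local BIND port and accepted, and moving the REJECT lines above the REDIRECT lines in the file changes nothing; a query to any other resolver is redirected to BIND, which is where the poster gets every resolution logged.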